Overview

Task                       Platform            Score
overview                   -                   6
static                     -                   3
qqkeybord1/Deamon.exe      windows7-x64        1
qqkeybord1/Deamon.exe      windows10-2004-x64  1
qqkeybord1/Defend.exe      windows7-x64        1
qqkeybord1/Defend.exe      windows10-2004-x64  1
qqkeybord1/Hook.dll        windows7-x64        1
qqkeybord1/Hook.dll        windows10-2004-x64  1
qqkeybord1...py.exe        windows7-x64        6
qqkeybord1...py.exe        windows10-2004-x64  6
下载说明.html               windows7-x64        1
下载说明.html               windows10-2004-x64  1

Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/06/2024, 15:07
Static task: static1
Behavioral task behavioral1:  sample qqkeybord1/Deamon.exe,      resource win7-20231129-en
Behavioral task behavioral2:  sample qqkeybord1/Deamon.exe,      resource win10v2004-20240226-en
Behavioral task behavioral3:  sample qqkeybord1/Defend.exe,      resource win7-20240419-en
Behavioral task behavioral4:  sample qqkeybord1/Defend.exe,      resource win10v2004-20240508-en
Behavioral task behavioral5:  sample qqkeybord1/Hook.dll,        resource win7-20240221-en
Behavioral task behavioral6:  sample qqkeybord1/Hook.dll,        resource win10v2004-20240508-en
Behavioral task behavioral7:  sample qqkeybord1/KeyboardSpy.exe, resource win7-20240221-en
Behavioral task behavioral8:  sample qqkeybord1/KeyboardSpy.exe, resource win10v2004-20240226-en
Behavioral task behavioral9:  sample 下载说明.html,               resource win7-20240221-en
Behavioral task behavioral10: sample 下载说明.html,               resource win10v2004-20240508-en
General
Target: qqkeybord1/KeyboardSpy.exe
Size: 1.0MB
MD5: 1817697245fcdba7627772779bc55027
SHA1: 8420edf2ef7d0a3ea26a2c0ebb8b41d3499f640d
SHA256: 2c23b25ec67fad9c4552c32a4328ce01a00f66f9158d73904102209344a75156
SHA512: bad8eed7903ce322b516b9bcf0d358d3fbca64e37e3838b803e6fd59b1e6ab4cf2df6b1c40432b18fbedac5881adb1f18f043751a0e7667dedc4d9704e93cdc0
SSDEEP: 24576:2V4SP46Xqzo5/ITt8o5tzDBt6iBlfuxNqVg0:8V5wTyeDzTCL0
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kbsdea = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qqkeybord1\\Deamon.exe"
  process: KeyboardSpy.exe
- Drops file in Windows directory (3 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\Pairsmsg.dll          KeyboardSpy.exe
  File created                  C:\Windows\__db.Pairsmsg.dll     KeyboardSpy.exe
  File opened for modification  C:\Windows\__db.Pairsmsg.dll     KeyboardSpy.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2192  KeyboardSpy.exe
  2192  KeyboardSpy.exe
  2784  Deamon.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process          procid_target
  PID 2192 wrote to memory of 2784  2192  KeyboardSpy.exe  28
  PID 2192 wrote to memory of 2784  2192  KeyboardSpy.exe  28
  PID 2192 wrote to memory of 2784  2192  KeyboardSpy.exe  28
  PID 2192 wrote to memory of 2784  2192  KeyboardSpy.exe  28
  PID 2784 wrote to memory of 2948  2784  Deamon.exe       29
  PID 2784 wrote to memory of 2948  2784  Deamon.exe       29
  PID 2784 wrote to memory of 2948  2784  Deamon.exe       29
  PID 2784 wrote to memory of 2948  2784  Deamon.exe       29
Processes
1. C:\Users\Admin\AppData\Local\Temp\qqkeybord1\KeyboardSpy.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\qqkeybord1\KeyboardSpy.exe"
   PID: 2192
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\qqkeybord1\Deamon.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\qqkeybord1\Deamon.exe"
      PID: 2784
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\qqkeybord1\Defend.dll (child of 2)
         command line: "C:\Users\Admin\AppData\Local\Temp\qqkeybord1\Defend.dll"
         PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: ec266b6d96acd3f8fdc7423abbb60331
  SHA1: 74452ee366f3e5849c4765e247e9059fa07effe0
  SHA256: dd30091a6746c9d6e48f05202c8db4a3219c01419650e4cdf52998f1f20394f2
  SHA512: 302edddc382943aec49acdbe2e9ae69050874316a852eaabe978f6aa96cb866498016dd764e5118b2cf63434ed67fd7cb2c857b4c8274bfa6cdd95db9b753b58