Malware Analysis Report

2024-09-23 11:42

Sample ID 240614-mt72wa1djk
Target QQPCDownload_home_310053.exe
SHA256 5d258ae7860613154764a3919f0f5684e6fe12e1780c1b0b8e8f6699141fe15d
Tags: bootkit persistence

Score: 6/10

Analysis Overview

Score: 6/10

SHA256

5d258ae7860613154764a3919f0f5684e6fe12e1780c1b0b8e8f6699141fe15d

Threat Level: Shows suspicious behavior

The file QQPCDownload_home_310053.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 10:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 10:46

Reported

2024-06-14 10:48

Platform

win10v2004-20240611-ja

Max time kernel

69s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QQPCDownload_home_310053.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description                   Indicator           Process                                                          Target
File opened for modification  \??\PhysicalDrive0  C:\Users\Admin\AppData\Local\Temp\QQPCDownload_home_310053.exe   N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\QQPCDownload_home_310053.exe   N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\QQPCDownload_home_310053.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QQPCDownload_home_310053.exe

"C:\Users\Admin\AppData\Local\Temp\QQPCDownload_home_310053.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           master.etl.desktop.qq.com     udp
US       8.8.8.8:53           c.gj.qq.com                   udp
HK       43.135.106.117:80    c.gj.qq.com                   tcp
HK       43.135.106.117:80    c.gj.qq.com                   tcp
CN       157.255.4.39:443     master.etl.desktop.qq.com     tcp
US       8.8.8.8:53           oth.eve.mdt.qq.com            udp
US       8.8.8.8:53           76.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           117.106.135.43.in-addr.arpa   udp
US       8.8.8.8:53           25.140.123.92.in-addr.arpa    udp
US       8.8.8.8:53           45.19.74.20.in-addr.arpa      udp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
US       8.8.8.8:53           68.47.33.101.in-addr.arpa     udp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
US       8.8.8.8:53           dlied6.qq.com                 udp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
SG       101.33.47.68:8081    oth.eve.mdt.qq.com            tcp
CN       122.189.171.73:80    dlied6.qq.com                 tcp
CN       157.255.4.39:443     master.etl.desktop.qq.com     tcp
CN       211.93.212.206:80    dlied6.qq.com                 tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53           24.139.73.23.in-addr.arpa     udp
CN       115.56.90.107:80     dlied6.qq.com                 tcp
CN       157.255.4.39:443     master.etl.desktop.qq.com     tcp
US       8.8.8.8:53           dlied6.qq.com                 udp
CN       42.56.64.52:80       dlied6.qq.com                 tcp

Files

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e5785ca\QQPCDownload.dll

MD5 a97f113cb88c3918e3a4ea0543751401
SHA1 91f0de97f4620bce05a99975424208091b3a4317
SHA256 953ab05b69f8ea4691f7caa0d50cd52026a1e3345e1a09ee1733727ce4f0c245
SHA512 348bf533bf9709943ccb297a66a774415425d30b288b6fd4823939023c3bb73662b5caef34e200e1c3c8aea1392b6b5a2519a963a894658f52108e1b6259e2b1

C:\ProgramData\Tencent\DeskUpdate\Guid.db

MD5 0c273a998ee7615055a54e317be89062
SHA1 cdf3c696a41bb85812630a914383780fec793f34
SHA256 10acb48eb5c15e988488a9c407c94d2075a025859bc49377166ff46ad6eeccdc
SHA512 4965221a1046c77baebfa04e98161568cf459511abbf3194045b08c420c3b2af1fbc97d261224414446a34f119b57abb8fcbacda48215d52e9f7afa253ca1316

C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db

MD5 339a7a14eaf6ae4f9652c7b88c3e7840
SHA1 0b13abb60df0e0e1706910bc611a468b57de8a13
SHA256 fc6f35df9bfa4a73c06e2a2381b9d1ad8c436d6fc326fa7385bbe85c6cc295b0
SHA512 754c01389b39f7f07b21224e42924513a52b8a802c7ede9ccd8d477b10d1f5fac28f4f41b2814a7c599ef510bec404994d412a69760159edc724338bf6c65268

C:\ProgramData\Tencent\DeskUpdate\GuidList.db

MD5 771128b35b5ab854d65c44d8e59c787b
SHA1 968935174947870bb688767beefd5852a7649c85
SHA256 83319b3aa9a803a4e40551ceca3f2f0bb33eceae12a73897192324d5d4fc6558
SHA512 a585dbfd31958f9e90796a7efca8d6e1ca69a147ced7dd25a26697e11ac656a97571977dbe232cb70e6318dcf9314c120aa4ba0c48830f3d268413b19529ef91

C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db

MD5 be7909fa9c6495334c1b74cbf312af04
SHA1 ffdf7ecccbe38ca64b538aa28040dca63483a240
SHA256 392cf36d3de808c26a7c508fcb68f651e3f49412ce00727cd7b78e27bb41565c
SHA512 5b7a25f67e61d976ac407fa4546bf223bd0fb6f44e0c87f6d8055387f2a86539f9ce94985d0331e732b047d30fdc59aa299a8df51008fe63a1ab97a071e4b7a5

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e5785ca\beacon_sdk.dll

MD5 1658e561f8015e8b64a633230b22261c
SHA1 36c85376d8d3f1f68240fbd535a46af55efe3207
SHA256 a262e12e2dbe40b76b0cb84151aa02b5042ca0acd36e9482eb80638455a1951e
SHA512 414de291710d59d12f30dc786326b682b5f3415409cf89969c8999da424006df20b13782a93cdba6d644d200885afe9f208176b3c8cfa37846d5994d731d2296