Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 07:49
Static task: static1
Behavioral task: behavioral1
  Sample: hxqqhmyxcjq/QQ号码QQ邮箱采集器2.7.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: hxqqhmyxcjq/QQ号码QQ邮箱采集器2.7.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: hxqqhmyxcjq/绿软基地.url
  Resource: win7-20240611-en
Behavioral task: behavioral4
  Sample: hxqqhmyxcjq/绿软基地.url
  Resource: win10v2004-20240611-en
Behavioral task: behavioral5
  Sample: hxqqhmyxcjq/补丁.exe
  Resource: win7-20240508-en
Behavioral task: behavioral6
  Sample: hxqqhmyxcjq/补丁.exe
  Resource: win10v2004-20240508-en
General
Target: hxqqhmyxcjq/QQ号码QQ邮箱采集器2.7.exe
Size: 3.5MB
MD5: f92ae88af0de356cd3417054088de8a8
SHA1: e38fefecf811ee31a23d36384b67b2c08ae4e144
SHA256: 302822a2662879cead468d43b941114e4e990c8711485a09481a26519951c63f
SHA512: f12a90fb21d4dd6efde8a8ccd53764e19cdfa157edbc5f7d0aee5c02cafeca9642abcde0614a2172b7df857ac4bc0f415e62a78f0558cacc24cb1d0746f24883
SSDEEP: 49152:nUg2pR89slkNwmX4N2hbYiPTUQmJTaPAEp+s8KuqGaX0ToIBAUZLYbQ:U1puWq5X4NuEmGJBAUZL
Malware Config
Signatures
Loads dropped DLL 1 IoCs
Processes:
  pid 1252  process QQ号码QQ邮箱采集器2.7.exe

Memory regions matching YARA rule upx (24 resources; every one is the same range 0x0000000010000000-0x000000001003E000 in PID 1252 and they differ only in the snapshot index N):
  resource behavioral1/memory/1252-N-0x0000000010000000-0x000000001003E000-memory.dmp  yara_rule upx
  N = 3, 4, 5, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 47
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description File opened for modification  ioc \??\PhysicalDrive0  process QQ号码QQ邮箱采集器2.7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes:
  description Key created  ioc \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  process QQ号码QQ邮箱采集器2.7.exe
  description Set value (str)  ioc \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  process QQ号码QQ邮箱采集器2.7.exe
  description Key created  ioc \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main  process QQ号码QQ邮箱采集器2.7.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid 1252  process QQ号码QQ邮箱采集器2.7.exe

Suspicious behavior: MapViewOfSection 21 IoCs
Processes:
  pid 1252  process QQ号码QQ邮箱采集器2.7.exe  (21 identical entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description Token: SeDebugPrivilege  pid 1252  process QQ号码QQ邮箱采集器2.7.exe

Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid 1252  process QQ号码QQ邮箱采集器2.7.exe  (5 identical entries)

Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid 1252, process QQ号码QQ邮箱采集器2.7.exe, in every row; identical rows are grouped with a count):
  description PID 1252 wrote to memory of 368  target process wininit.exe   (6 entries)
  description PID 1252 wrote to memory of 384  target process csrss.exe     (6 entries)
  description PID 1252 wrote to memory of 420  target process winlogon.exe  (6 entries)
  description PID 1252 wrote to memory of 464  target process services.exe  (6 entries)
  description PID 1252 wrote to memory of 480  target process lsass.exe     (6 entries)
  description PID 1252 wrote to memory of 488  target process lsm.exe       (6 entries)
  description PID 1252 wrote to memory of 596  target process svchost.exe   (6 entries)
  description PID 1252 wrote to memory of 676  target process svchost.exe   (6 entries)
  description PID 1252 wrote to memory of 760  target process svchost.exe   (6 entries)
  description PID 1252 wrote to memory of 820  target process svchost.exe   (6 entries)
  description PID 1252 wrote to memory of 848  target process svchost.exe   (4 entries)
Processes (process tree; indentation shows depth, each line gives image path then command line)
C:\Windows\system32\wininit.exe  cmd: wininit.exe
    C:\Windows\system32\services.exe  cmd: C:\Windows\system32\services.exe
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
            C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS
        C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
            C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService
        C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"
        C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        C:\Windows\system32\sppsvc.exe  cmd: C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe  cmd: C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe  cmd: winlogon.exe
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\QQ号码QQ邮箱采集器2.7.exe"
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\AppData\Local\Temp\hxqqhmyxcjq\CrackCaptchaAPI.dll
  Filesize: 1.3MB
  MD5: 9a4965011a94705227f62df0776f2ab6
  SHA1: fe91972e1c993731cdacc7429c4f4760672adcf7
  SHA256: a9ea79e9c5017616ca9085351ef166f35882ad5a201b92c4839ffdf1169e4113
  SHA512: e74bc303d99a2151dd00b8f4da0aabd70b37fe46a74702034a5a0ab3da7cad9ad0b7d69b960a10d0876ad5b660e1b868c8956e8d05321f7120f480baee34378a
memory/1252-30-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-6-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-4-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-5-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-3-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-32-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-44-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-47-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-42-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-40-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-38-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-36-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-76-0x0000000000400000-0x00000000007D6000-memory.dmp  Filesize: 3.8MB
memory/1252-1-0x0000000077E80000-0x0000000077E81000-memory.dmp  Filesize: 4KB
memory/1252-20-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-26-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-24-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-22-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-28-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-18-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-16-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-14-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-12-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-10-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-8-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB
memory/1252-0-0x0000000000400000-0x00000000007D6000-memory.dmp  Filesize: 3.8MB
memory/1252-2-0x0000000077E7F000-0x0000000077E80000-memory.dmp  Filesize: 4KB
memory/1252-34-0x0000000010000000-0x000000001003E000-memory.dmp  Filesize: 248KB