fefd063e8ec50a51e9ab75e3802f054303a7dd5d4c8bbcd8c62acb754c6e0349

Analysis

max time kernel
140s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/qqczyqmp.dll
Size

389KB
MD5

d8501587386400aba2c801a4f3e127c2
SHA1

3cef1819fb9a52a298173009e018c2ba7f1ee41e
SHA256

25a74f75360856d9e9f432ca8fa52897a98f44cad23aca950a7615ca119b82f2
SHA512

474bea8585b0a183cc67874726fb55447d0efd2b1fb079f5e7942259516e64912d7f6fe725659503d420eb7320d13a1752aa5451ca720d46ef02518253287c01
SSDEEP

3072:1SDdLRf06+2TwskxrZdlCQehrX/kePXDhDjCigRpXf7E0lc:16LRfrzvK38Qex/hzVCigRpXzE0lc

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netscape = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Netscape\\qqczyqmp.dll,kdfjfslkdjfklfjsdlkfj"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426354800"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A841441-3AE2-11EF-9CD8-667598992E52} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	rundll32.exe
2176	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1900	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2176	rundll32.exe
1900	iexplore.exe
1900	iexplore.exe
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2136 wrote to memory of 2140	2136	rundll32.exe	30
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 2140 wrote to memory of 2176	2140	rundll32.exe	31
PID 1900 wrote to memory of 1568	1900	iexplore.exe	33
PID 1900 wrote to memory of 1568	1900	iexplore.exe	33
PID 1900 wrote to memory of 1568	1900	iexplore.exe	33
PID 1900 wrote to memory of 1568	1900	iexplore.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\qqczyqmp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\qqczyqmp.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Netscape\qqczyqmp.dll,kdfjfslkdjfklfjsdlkfj
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
89942445c5b3b33637d9b0deb8a5166f

SHA1
1df56a08edecb6bec6e59b8d6b8889fe3268e452

SHA256
5394e09bc84b043fcc6b11959141a9d0b4bd1aa8f38d1ed4ef98604083feae8b

SHA512
0a461a59b1af16c9e32522de4a1098f15b36ac655de5318331624636757a8b3f5dded8417ffc75a30c4f7f103c87b267800c3a5998392f36140e347136ecb40b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
01608b125566a856cd206dd74b362828

SHA1
0f791166ab7b160683b3deee22deaf9c10c2fba6

SHA256
734f9f637b776b67eb3abd848d551a419cf3ba14e4cff155e0768377be6b5cc1

SHA512
80b7a679ed7e677eb4ae4a6a5d8923afa7764cd1ad3adc5b877102049060a3a5e308cb941de0299b7b38993420ed8803b35ef40c86931b6761d7775d1140b9b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ff32c69d40e71c07990b0a9bc2321498

SHA1
76fd9ed2bfca3bf7e2f04a5af769b4ade5ab742f

SHA256
f63cf6584b0ee7dad6d6238a40d4cdad3c95e4b66d57cecaf7278176508b9aa1

SHA512
0991a1c48617261e724b00190c13e8c78a6f798b328f8fa93683a5b8a2140e30da53ca332cd80692a96033764a610d8dc9437d084234155628ece0b4525b203b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4db91c0ebd17553073f1c4067fb2b2da

SHA1
8fa6526c19ac6dfdabcfbcf13d8addfbf4151319

SHA256
e3806771aee69f06c6074edd46978bfa3c60a8ae502c2391e2139ce4089ed10d

SHA512
8de3d50ea1e552b8c508ae6143bbbae524efa687fb739b96ac0f4c73e4aa27cd276135d1ae9c0fe609e013bc826872bfb3338f20d257a0b778affa793da64638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
13c8d07e386a6ce3bace0681e7654d25

SHA1
771a913ecfe04bdf3e2a8921cb69429558e8a11d

SHA256
dcbbff86f921d10e085b57b05fe0f60472cd5bfa2124df51e2ab82614085c503

SHA512
1dc69e29e11084c28faa392edbb91bfbc4e0a4227e6d7abd8f88de1cf692147c3c88ad961b097d6e568d0bd48d049ce0993c7be2e41b9862db0beb2036702890

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fc608447d6f345c3ab24dd39d1ca2d44

SHA1
7b6b98652fd97fc95f068cb84a71e887ce586a10

SHA256
c537d130b1abc7926eeb36881e18eaba9cb6094d894747c7fb95a8d9384d7bf4

SHA512
d8af12c1db59117257407511f0901aa7ec54cdf8798d3158ba0e3e73f2eb2ee26bc8218ea6de03c03234db66c309abdd1622f0a125d5fff4b20c35a0ac1679df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
542aaf8589c9080bc56e53929d3ec407

SHA1
ac97ab9552f20d24a633d45fdddfbd7181098d44

SHA256
7b36ecc7b67ad1724242166e183948b16586c36579a2c1927e2657f8d59754d8

SHA512
6f92eb51c12dcd2fe558c68f28eb8493928b50b9bba876ffd07fbf7c8867cb65f9591683b0988d86332f887bfa36ddcb052517befcba128d03da41c2b6c88277

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bf645a44f20c497a4912c39fe06cdc49

SHA1
207560cc17e142689c94346a4191d2056d27a2ee

SHA256
fd4a3aad436d3ae6fc64ffb7577b57e2118704241ec18839209e5b5d875f396a

SHA512
80e14128e14791a9b957c54cd787bd6f4c625e1f98aa4216af05d247db916d94bac9e53e9bd663b16708896fed3cd6d35a3c9bf26670fe00b8af575c83d55e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
652a626dae01aeeb8361c73519ea9ac5

SHA1
bd437a7732c89c263e9d5b88195805bd7ec84c16

SHA256
59feeb3d111e19975ff3326f5c91ea424ac5c2401421d661c99dd88ab49b4ec3

SHA512
52f3a1e50ec059f9436cf9815d78a0935fc159a83510a66b503d6ee00c125a2b0952b1f4f947f08464d84ed14e0785a8e109e5e161bbbc9724b07c8764f0802c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD920.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9C1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2140-0-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2140-2-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2140-1-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2176-8-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2176-7-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/2176-3-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2176-4-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2176-5-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/2176-6-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download