1f9ba4adb9f568997316645d1210d582c433321eec50e0348561efc65277001e

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Size

7.5MB
MD5

cb6502d347e66ad00df8d61f2bff373d
SHA1

36edfd1489b637c9605f7f3121d9953a0f0cee5c
SHA256

1f9ba4adb9f568997316645d1210d582c433321eec50e0348561efc65277001e
SHA512

7c29b49d159e57168af0a9d6247d1f13b291b54e47c29e49b4c0f95259c578f17505ec589541ade63f0b9dca79e9efe5b9838239291f2a0cc19d5da034641e81
SSDEEP

196608:FYE0SCI4rbECIwBbiL4c7RcXYP0a5Lp/3/PXCt40+isGsaNk:FYn/8ChhoFhPPXYtbjNk

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WeChat.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WeChat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WeChat.exe

Executes dropped EXE 1 IoCs

pid	Process
1308	WeChat.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	WeChat.exe

Loads dropped DLL 6 IoCs

pid	Process
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Ver = "fb5627d6"	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	WeChat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	WeChat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	WeChat.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2932	PING.EXE
1924	PING.EXE
780	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
1308	WeChat.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 780	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	30
PID 2816 wrote to memory of 780	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	30
PID 2816 wrote to memory of 780	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	30
PID 2816 wrote to memory of 780	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	30
PID 2816 wrote to memory of 1308	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	32
PID 2816 wrote to memory of 1308	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	32
PID 2816 wrote to memory of 1308	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	32
PID 2816 wrote to memory of 1308	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	32
PID 2816 wrote to memory of 2932	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	34
PID 2816 wrote to memory of 2932	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	34
PID 2816 wrote to memory of 2932	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	34
PID 2816 wrote to memory of 2932	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	34
PID 2816 wrote to memory of 1924	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	36
PID 2816 wrote to memory of 1924	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	36
PID 2816 wrote to memory of 1924	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	36
PID 2816 wrote to memory of 1924	2816	2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe	36

C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:780
- C:\Users\Admin\AppData\Roaming\MyMacro\WeChat.exe
  --host_id 3 --verify_key qMLwN1YSToWS --product "C:\Users\Admin\AppData\Local\Temp\2024-07-11_cb6502d347e66ad00df8d61f2bff373d_mafia.exe" --version 2014.05.17762
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1308
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:2932
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QMLog\20240711.log

Filesize
326B

MD5
eb2059ffc40174b7a60d674366ad555d

SHA1
aac530ed8d36818621659d8263fb3ff79b51ffb4

SHA256
633ccfb70c7f4e4ad074d09480f2a2ce561623838108cacf91f1b6c04d941443

SHA512
4e83fef69d148e47f9f083d0e33a80d9a96b1e29898bbfd3b113e101b3d6f4a73a837a0506e69222377b698f081496822608a02cdea3733089f99a0ea1554755

Download Submit
C:\Users\Admin\AppData\Local\Temp\mac6893.tmp

Filesize
1KB

MD5
6ec2d447ade6e6033723df51a0efafe5

SHA1
4611402ca0f2e58462b6efe8755f8088e8ea1cd8

SHA256
67589fd00c257ac03df01596b75695bf4ce7ca5a4404b3e45b7470c3dbea9bf0

SHA512
72848e8d31e04f29aff6a86ac6528e9095acf978cdb413155d7f0d62a74e3f9d125f2412453542e9825dbbe9dc6807bc2ed1066b15c9fcfd3a15e0fc537ece65

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\WeChat.exe

Filesize
7.2MB

MD5
c77fa3dc4aebbc21dd0f12258d28bc5c

SHA1
6cac34000d6eebe9b2947231199793daffb213fc

SHA256
9a0c9ba0e4dd1afe54e50f61b6c3d88b96d4b7dddabc275a149010c7e1ee0959

SHA512
7ae33680b4f067f31ed750ee7a2c4cb19ebee4135207d8539ba268f2bfbb1dda22086e8091129925fe2f98733bf0b59d710474d07dcdf444cf50c8022107f815

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
014c01cd6522778e1e15be0e696dfe0c

SHA1
c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

SHA256
259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

SHA512
3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

Download Submit
memory/1308-82-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-100-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-105-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-58-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-78-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-104-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-81-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-103-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-83-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-84-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-93-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-94-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-95-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-102-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1308-101-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/2816-54-0x0000000005510000-0x0000000005C41000-memory.dmp

Filesize
7.2MB

Download
memory/2816-57-0x0000000005510000-0x0000000005C41000-memory.dmp

Filesize
7.2MB

Download
memory/2816-80-0x0000000005510000-0x0000000005C41000-memory.dmp

Filesize
7.2MB

Download
memory/2816-56-0x0000000005510000-0x0000000005C41000-memory.dmp

Filesize
7.2MB

Download