e06e7863d70d633589135d5f8801a19b09280d6bfb34cb3dec65d74ebebf6633

Analysis

max time kernel
118s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f88e738a3ed1ad2aaab07b474da5910N.exe
Size

1.4MB
MD5

3f88e738a3ed1ad2aaab07b474da5910
SHA1

76c34461c171634f56ffb1335fead35d9f5878f2
SHA256

e06e7863d70d633589135d5f8801a19b09280d6bfb34cb3dec65d74ebebf6633
SHA512

bf5ba94b2f4253323f8484c899914c56847276cdd332ea0e46fc8cc08666337182a8ccc181b0528a865657cfc3414bfffabbfec795da48c5a4c9e01c4c54afd5
SSDEEP

24576:pmJJvwT8n4ZytMAgrvqGM0Vv0EnTd242/qZTIFHUe30/UeqxjYdnwAyRTnFlGl8n:pcAJZyNMz0YyqZ0FHXpRDGkDk8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	TenioDL.exe

Executes dropped EXE 2 IoCs

pid	Process
3580	MiniQQDL.exe
2028	TenioDL.exe

Loads dropped DLL 12 IoCs

pid	Process
4688	3f88e738a3ed1ad2aaab07b474da5910N.exe
3580	MiniQQDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe
2028	TenioDL.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4716	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	TenioDL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	TenioDL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 53920fd0b6c54b41b8bd4a4dbe9d216e	TenioDL.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3580	MiniQQDL.exe
3580	MiniQQDL.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3580	MiniQQDL.exe
3580	MiniQQDL.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3580	MiniQQDL.exe
3580	MiniQQDL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3580	MiniQQDL.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3580	4688	3f88e738a3ed1ad2aaab07b474da5910N.exe	86
PID 4688 wrote to memory of 3580	4688	3f88e738a3ed1ad2aaab07b474da5910N.exe	86
PID 4688 wrote to memory of 3580	4688	3f88e738a3ed1ad2aaab07b474da5910N.exe	86
PID 3580 wrote to memory of 2028	3580	MiniQQDL.exe	87
PID 3580 wrote to memory of 2028	3580	MiniQQDL.exe	87
PID 3580 wrote to memory of 2028	3580	MiniQQDL.exe	87
PID 2028 wrote to memory of 4716	2028	TenioDL.exe	88
PID 2028 wrote to memory of 4716	2028	TenioDL.exe	88
PID 2028 wrote to memory of 4716	2028	TenioDL.exe	88

C:\Users\Admin\AppData\Local\Temp\3f88e738a3ed1ad2aaab07b474da5910N.exe
"C:\Users\Admin\AppData\Local\Temp\3f88e738a3ed1ad2aaab07b474da5910N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\MiniQQDL.exe
  "C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\MiniQQDL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\TenioDL.exe
    C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\TenioDL.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
      4⤵
      Modifies file permissions
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\MiniQQDL.exe

Filesize
201KB

MD5
3063dcc85aaf2789dc05d64349b04f60

SHA1
df0f098bb8d8f8fdc7794632a5f0746413cad50e

SHA256
ff00cb35393d600040be9c3bd363890e13188a257114c07dfe1f6f06e5f0d6f1

SHA512
7b9f56d348f420275a3788cf86fcb8ed5451a2c4b0961c51fa2144ad995c4ad66512ab34888065c8b1ac1b1c959183b86c0772e3c97507454a7a24beef2c9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\ATL80.DLL

Filesize
94KB

MD5
3c7def3cbbca6284867aa4621d5d8a54

SHA1
4bd9852f1f063b9fd1e1829b756d381e14609fa7

SHA256
db18738202dcda842dce505ecd0b858d7b4c55886cac29827305f0dc3839143a

SHA512
1f9e89114a579bbb0c175d5fb587d58a923a0f556361b2f6c5ae3ffeb139539733e46edb3df1627fa630d5bc80cdf5ff311ca75754ca306345569cd48f51f2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\TenioDL.dll

Filesize
261KB

MD5
a162db275914a5c7adcebf845af9fd07

SHA1
92b24aa4047876c0b7109ad5b0b595de3369fdc2

SHA256
923f5a90bc36564cb8f8b4107e3f0a46b797d9fa737e8533c8b9acc183c78162

SHA512
e4190800e07cb71b812e3e74d0a83a13fd5b3c5d764cb4c6deb49100a7040f48c55d518809c9d4ae20564b7ba2419a02c0ab716d3ac540e141f6ef440a267da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\TenioDL.exe

Filesize
333KB

MD5
ce472064b917fdd429b07d10880c487f

SHA1
0c092116d67a5447f1f632c4e0e65a3b516a892c

SHA256
bdf2209a2cb6a7b9c3a0be4a7a0abdf988f446a4232973c6204ee2e4a2ed632a

SHA512
2b158fc4498e3756c17c8b44d2fc2464d62c639b6d425e72301c0f9b6f359a67e011d647c8de698c9e794cef0e65cb9efda34b63ed060611d97b0eadbf3c88d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\p2papi.dll

Filesize
437KB

MD5
5120752765a11e1a4d71e6c9d6f2a720

SHA1
18cdb039a788e64be485d8c242a9eb2761e87826

SHA256
f23545448f055dee379dee42ed95c9b7b6d7d8a1558814ec44544c0eda2f3797

SHA512
fd53007a369f3fd49b2ae6fdfeacb78253bcbae1015dd6770232be3e8c9f3634928129084bead359cf6befb6473d371e798de0a8d09b19f2697e5a83ee3b6af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\p2papp.dll

Filesize
169KB

MD5
1fe9e12c790cba0013e96c7f7b805366

SHA1
296aff428041ee5718dd2cefea89144077063b1c

SHA256
69c24cca97afaf85d8b77ea1b8c4b56a3dae255973aeafd00c588c438f5c0fb6

SHA512
4f63aa0041cb0de5dc96efeff1eeec6ab0f7d1418f8af0d78a12c3ef3892257211a860008ba17abd435c08cef542d1c93650522f7673406dc1d1f84b613d9251

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\p2pcore.dll

Filesize
445KB

MD5
0b85695db97bc8fd031032d92a087292

SHA1
7b3a60eb255292b565912d7661cc1d7cc9dedc20

SHA256
e4df17519d39d292d36e785786198e84d1f0b9b6ce868ce374bb28c82507b397

SHA512
1ff3af7e2d0d62a5ed94104b9c59529103a59619fc623206f20be56fb916f33b30f81e8a1ec306b7d920440343f5f5827f8d9de56a61765fb2b4f0b52a5c89f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\p2pdata.dll

Filesize
293KB

MD5
0a8116b1e43842e3c80283f92995d40b

SHA1
ea38ce4eb1e6f80ff3e94afa87ac8ae7e5133018

SHA256
5a6d5c77bd731243ae23161bf9717fd93a505d944a32233595e55a16507d82a8

SHA512
294dd800fb7e2c7e9721369cb02293fdd4da33a7ce4cb97801a70f80f229a195400a0c143d3ca4b815f7e990a755c0fc85998a82c81913857d843ec6dc3a2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\TenioDL\p2phttp.dll

Filesize
153KB

MD5
14d39f3db649d39bea3e14db860e6d9f

SHA1
20f134b305dee5415263f9b9a8963e4759740146

SHA256
397f93340bc59f3c00f7054c58ec63b8b0b4512b0a5c4c8b658699357fbc6296

SHA512
69a6028bf7e74e4c1d4916593b7ff1c3173ea98e0d9ce52087f9bc276c8fddb1e8c8c245a2a6aa0c7e44ba5e7112483f8419407b5a45b5e33ba52490a3dcd436

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\config.ini

Filesize
647B

MD5
94e85d001b55f08ed0e89aee2e636e82

SHA1
c9fbf8794cc01cf9c1f9a33ed92b6751164ea75e

SHA256
6864609c02395d61e208144f09d6e1325f9edd6184687ad6487e401096d7df99

SHA512
3ab36e1109f941e4bbf3c51bd24539182fb02e8ddbf545f3f63f50b834b5e6c36973b3d6457869a45c717111e588c40d07a65e420a597c4eada4f05eeb466529

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\image\button.png

Filesize
6KB

MD5
e35560a715fd55c83d246cb3556c3c49

SHA1
a48176ce8689963be39cfa6eee51256ff58cc0cd

SHA256
74b11cb2c1c7d8ca3baef8f629a375c7af8e94cc16fd77ef11d7422b8a9904ef

SHA512
952993cc0b9a11b26a39c4d92cca43d4a7c20b13e7bf139bf03afc00e7c7dccd6f618468911a8300f339448e883ad26db89b3cf52744c2f9b83f83d11dbeb06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\image\close.png

Filesize
4KB

MD5
ac0f5bb78a550ac7e446c3544492d118

SHA1
f652929b9010025f091ca9a0869089a18f9bbcc4

SHA256
34db1440511c77de95edbcaf04334ecd2a2352a5e9e4569fdac409a7d2674ea3

SHA512
ddc6e1771a2c748691f18aca31a1f62f3bb4e9993af03836a3cde19f794fa691a98c169f8f9dd8c3dfa6b9fca78560bba79f59d6ade2d82a9a642fd4ec37dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\image\loading.png

Filesize
3KB

MD5
88923333c0ef4fdbc840003cf6626aee

SHA1
b86ed0c442e2e4d01d8920f9249fdc51aa15286d

SHA256
919bf7c5a8737725c1b16dc6db58cedd61a0f0f7fefecea5ac5c8b75b5e43597

SHA512
de632f170c0bfef70e60665dfd47beedbc9e60785e804284194e7b430992b8a79e45be9bbeef4fcbced61a8481f9489e65bcc3f024267eb5b2e5fde876d8ea1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\image\mainbnd.png

Filesize
13KB

MD5
e86244f39e2c6b789e21778d621d796a

SHA1
33ff76380f8b3f625d048eefba4a05f9d828076d

SHA256
88c4ceab88a931b23de388c75b4cf0a211ef6bdd9a95b76935af085a0c0a7ed8

SHA512
4c56299c7a4a5716330e7a0edacff63080d35874c66edbf9c10430f668365a4cd6352ebd08bad504332f0e1a9dc84cb7bcc16f58b8737b329dac214a04ab26fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\image\mainwnd.jpg

Filesize
100KB

MD5
95af720512b20102e57839a67d367f6a

SHA1
6c22a4da214c611f26790ed906c7f6d0099591e1

SHA256
3f0ce42e7e1b0858dd7c6f098b2a59df62b80946627c461bba25066ea5cc795c

SHA512
4f624b6827ce0f5dd66bf43352c9f408d97572cc8ed234e9abb43767e20ee84f96210df2ad61c3ce95650ecdaa3c51703f5f77b5429f54a9deab9b24d18dd8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\image\min.png

Filesize
4KB

MD5
5573c48b37b1b63f4e9ebc37d3a80cf0

SHA1
fc7d5c12256b6d82d13c52d09b0bc02d223212ef

SHA256
fddb4c77720fe8cd73a8b5386a40ddbe133e2f8df39a2156fbd41e17c94e005f

SHA512
e9850d2b356442e9f0e80848d3356d5e53a9ec061aef9e9781157dd81a6e0303436acbd40c6a443e8861234a3b42e356ab5c839648f7a16a29ae25cec342022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\dnf1300957820\xzqdl.ico

Filesize
4KB

MD5
388bd11a405549c1f6af20a51b30ce73

SHA1
4b3f36f1db9386b1b27f06c35a0e6f46b684e1e8

SHA256
b9a22f72ed280d076f57b109acdc2911d6e4377eb8833f4e738ddfa5b6770aae

SHA512
0a917009dedd461674e9833a6bbdc964071f9776aca52c68bb2d9c7bb07c7f45b931fbfb11b0b81bf053c57ac422375aa91b99a97a41b6eda2d8b0572650469f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5BAF.tmp\ProcDll.dll

Filesize
63KB

MD5
ca5fe462579bce3707666a8c656105df

SHA1
5dea6f63e173da570590608a8a4c6e9ac523a6df

SHA256
6c4b8dd9e61c62cdb8e53e9cfb18aa1a980180fb9156371c47745e4292a9d2d8

SHA512
83f1939441186a83b4adf1e0f38a3d3947b8c6aa51839eab1ae496e154eb2742b2b07be37e97bfea68e24fffd7b7740f503aec5f718b6a037889f11bddf955a8

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\Config\p2p_common.ini

Filesize
94B

MD5
579b5ef75d34bc61c3ac389989e6309b

SHA1
5077e7ba7e11831fbf06a9399468daa9a2934891

SHA256
4a88f0b958441561122d1fd404daf34f5decd02383dd450941ae2db1925dbd75

SHA512
091c43a636dd89d16fc9ce8360ec6611290b87ec4667ce34779bc55ace949807ca7d76fa309f36c2f4777f93c85001b09ee45ea28d947425580ffa1f8af5d0c1

Download Submit
memory/2028-58-0x00000000024C0000-0x000000000252D000-memory.dmp

Filesize
436KB

Download
memory/2028-65-0x00000000029C0000-0x0000000002A08000-memory.dmp

Filesize
288KB

Download
memory/2028-70-0x0000000002CB0000-0x0000000002CD6000-memory.dmp

Filesize
152KB

Download
memory/2028-75-0x0000000002ED0000-0x0000000002F3E000-memory.dmp

Filesize
440KB

Download