e06e7863d70d633589135d5f8801a19b09280d6bfb34cb3dec65d74ebebf6633

Analysis

max time kernel
115s
max time network
116s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_2_/MiniQQDL.exe
Size

201KB
MD5

3063dcc85aaf2789dc05d64349b04f60
SHA1

df0f098bb8d8f8fdc7794632a5f0746413cad50e
SHA256

ff00cb35393d600040be9c3bd363890e13188a257114c07dfe1f6f06e5f0d6f1
SHA512

7b9f56d348f420275a3788cf86fcb8ed5451a2c4b0961c51fa2144ad995c4ad66512ab34888065c8b1ac1b1c959183b86c0772e3c97507454a7a24beef2c9f32
SSDEEP

3072:4It9PPcuohxF7qGFAgAQb++ygfN9EVaN0+t9VPuFbwiiOvLhIVqj:4kcL5qr0vKVaC+rPaciiOVQqj

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2704	icacls.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	TenioDL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	TenioDL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 3582f1f346253240b7f2d9ad8c415b8b	TenioDL.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1640	MiniQQDL.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1640	MiniQQDL.exe
1640	MiniQQDL.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1640	MiniQQDL.exe
1640	MiniQQDL.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	MiniQQDL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3056	1640	MiniQQDL.exe	30
PID 1640 wrote to memory of 3056	1640	MiniQQDL.exe	30
PID 1640 wrote to memory of 3056	1640	MiniQQDL.exe	30
PID 1640 wrote to memory of 3056	1640	MiniQQDL.exe	30
PID 3056 wrote to memory of 2704	3056	TenioDL.exe	31
PID 3056 wrote to memory of 2704	3056	TenioDL.exe	31
PID 3056 wrote to memory of 2704	3056	TenioDL.exe	31
PID 3056 wrote to memory of 2704	3056	TenioDL.exe	31

C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe
"C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\$_2_\TenioDL\TenioDL.exe
  C:\Users\Admin\AppData\Local\Temp\$_2_\TenioDL\TenioDL.exe
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
    3⤵
    - Modifies file permissions
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tencent\Config\p2p_common.ini

Filesize
94B

MD5
a50ca4fb2d56b8df3b0457ed8c65035c

SHA1
15f6d603dc865bf4c10df2fbd6344d4031656a7d

SHA256
45f78f7c121be11d7ffab6cc8bb83624838a77375a2097d8c7ddd21ebc1e71eb

SHA512
5a575be1898a6d1884424fb2e6bb8c244aa901450453d7fec8704600f32068efcab1d5e4bdbf02a0360d39adbc77b7230ff7b50aa937f38ccf6e9b67d4797748

Download Submit
memory/3056-0-0x00000000021D0000-0x000000000223D000-memory.dmp

Filesize
436KB

Download
memory/3056-3-0x00000000024C0000-0x0000000002508000-memory.dmp

Filesize
288KB

Download
memory/3056-4-0x0000000000560000-0x0000000000586000-memory.dmp

Filesize
152KB

Download
memory/3056-6-0x0000000002860000-0x00000000028CE000-memory.dmp

Filesize
440KB

Download