Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • submitted
    22/08/2024, 19:02

General

  • Target
    85ed987a1a9b21f1f74cdf4b06dd3ae3963da53d2a36fe25194b24756c63d7b0.exe
  • Size
    79KB
  • MD5
    e79e170cb8d348526bbd4528a8ca1c1b
  • SHA1
    05bab8cf82cc50ac29dbc91800a16a17174e7935
  • SHA256
    85ed987a1a9b21f1f74cdf4b06dd3ae3963da53d2a36fe25194b24756c63d7b0
  • SHA512
    da26bd3fd96e2f51e7ce6e7633f9d466839ce3c10f8c6ebd72200852d27f3b3a0ee3663b7b1fb21707d05d0869fc7d8015dee1af41c17ec16111f2c7440707e1
  • SSDEEP
    1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOhjzJG:GhfxHNIreQm+HiKjzJG

Malware Config

Extracted

  • Family
    qqpass
  • C2
    http://www.zigui.org/article.php?id=103822
  • Attributes
    • url
      http://www.mxm9191.com/myrunner_up.exe
    • user_agent
      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++.

  • Qqpass family
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85ed987a1a9b21f1f74cdf4b06dd3ae3963da53d2a36fe25194b24756c63d7b0.exe
    "C:\Users\Admin\AppData\Local\Temp\85ed987a1a9b21f1f74cdf4b06dd3ae3963da53d2a36fe25194b24756c63d7b0.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:5092

Network

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe
    • Filesize
      79KB
    • MD5
      de6bd6c1d486bf5357413f6b4ba4d68b
    • SHA1
      acc77abbe1b62b0925c3614d88f09c7546a49be9
    • SHA256
      7fae968336a1a72596c5daba92749c9fe8ef42c31cc234fc84d6a2cac3d7f893
    • SHA512
      6f4ddae4080ffec90d409cbfd354f09493348a43d9e89fda0579f476e7b36212436a048f3d0ae81b9e3c46909cefaf5b9118b7de238ca7ee5ecdb7fad01270e1
  • C:\Windows\System\rundll32.exe
    • Filesize
      74KB
    • MD5
      19965f201b4b2d0b45a001a26c7d03e0
    • SHA1
      cff8b9db4dc41ffb1efb8969c22d6d6c202c39a3
    • SHA256
      bc0779a24ca9d11b6bb8925f0161eacfc2b93ca0765ab295c7af7f7c459a6a8b
    • SHA512
      a5153b396a9752abf5eedffa3012dec6125cabe546b6800282396de74422b00d6a00bd74f3223388e075e23f8cc9195b030aa9b289cb69d48592d886d324df6d
  • memory/1516-0-0x0000000000400000-0x0000000000415A00-memory.dmp
    • Filesize
      86KB
  • memory/1516-13-0x0000000000400000-0x0000000000415A00-memory.dmp
    • Filesize
      86KB
  • memory/5092-14-0x0000000000400000-0x0000000000415A00-memory.dmp
    • Filesize
      86KB