036cecd9790ccc46a079b61f8f9da1a3aace1247d350816d187d2144551e04e1

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skyQQMsgNS.exe
Size

1.2MB
MD5

3ede974cea8eaba816377b0197963882
SHA1

e5319baa5361ef6039171e085f09b360959ec449
SHA256

e564dc1633b2a4f587e2e4fdbabb3709d02dc9fb5b6ddcbfc17187f8436d5d0a
SHA512

2165de327c496abb981ba8222ec4a85697e9f7c0b0ee46c2d2dd62319e417541949fc29a570e53761f6e3fb8bca8416006b93c0d7fb548e826a6e21a6e3fd53f
SSDEEP

24576:EtMkVOW6K2go1hi6iAK4PbDehk4HKyZ5rnpEr9oeBk/CZMaX:usvTKcL45/zpEV/ZMaX

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2080	skyQQMsgNS.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1FED1242-3E89-4A67-ABD7-3B010227AF03}	skyQQMsgNS.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\__db.winexcl.dll	skyQQMsgNS.exe
File opened for modification	C:\Windows\SysWOW64\winbodun.dll	skyQQMsgNS.exe
File opened for modification	C:\Windows\SysWOW64\winexcl.dll	skyQQMsgNS.exe
File created	C:\Windows\SysWOW64\__db.winexcl.dll	skyQQMsgNS.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skyQQMsgNS.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	skyQQMsgNS.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\Programmable	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ = "IAirey"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\ProgID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\ = "Love 1.0 ÀàÐÍ¿â"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Love.DLL	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\InprocServer32	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\winbodun.dll"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\Version = "1.0"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32\ = "{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1\ = "Airey Class"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CLSID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\VersionIndependentProgID\ = "Love.Airey"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\AppID = "{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ = "IAirey"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\InProcServer32\ThreadingModel = "Both"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\NumMethods	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\HELPDIR	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CurVer\ = "Love.Airey.1"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\InprocServer32\ = "C:\\Windows\\SysWow64\\winbodun.dll"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\TypeLib	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\0	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Love.DLL\AppID = "{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CLSID\ = "{1FED1242-3E89-4A67-ABD7-3B010227AF03}"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\TypeLib\ = "{3270F631-C34F-4796-9445-8F5E30668828}"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\0\win32	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\NumMethods\ = "7"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}\ = "Love"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\InProcServer32	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ = "PSFactoryBuffer"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1\CLSID	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CurVer	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\FLAGS\ = "0"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\ = "{3270F631-C34F-4796-9445-8F5E30668828}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\ = "{3270F631-C34F-4796-9445-8F5E30668828}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1\CLSID\ = "{1FED1242-3E89-4A67-ABD7-3B010227AF03}"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\ = "Airey Class"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\ProgID\ = "Love.Airey.1"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\winbodun.dll"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\ = "Airey Class"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\VersionIndependentProgID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\InprocServer32\ThreadingModel = "Apartment"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\FLAGS	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\Version = "1.0"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	skyQQMsgNS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2080	skyQQMsgNS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2080	skyQQMsgNS.exe
2080	skyQQMsgNS.exe
2080	skyQQMsgNS.exe
2080	skyQQMsgNS.exe

C:\Users\Admin\AppData\Local\Temp\skyQQMsgNS.exe
"C:\Users\Admin\AppData\Local\Temp\skyQQMsgNS.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winexcl.dll

Filesize
16KB

MD5
1149724a866db2b61e54001a19e501ca

SHA1
6cac493435281eacaf91014de367fe64d3674d93

SHA256
bfab89efafd8c209fdb97d24e2bcebec4c8a285cccf4ebf2b26bd25697f3e632

SHA512
fd482db3167a8b2d4963e7e8a30ca551e1a9569671848ae5c285b7f59dd21d0b06347eb7898be9441e4d3a7c71063d98cec6be7c4b6e4da49b563bd9727f045e

Download Submit
\Windows\SysWOW64\winbodun.dll

Filesize
104KB

MD5
ba7a79d3e9b932c85baae493a7bca016

SHA1
53d47b33a5c8e4da388bfcf6614d24cc7f8b93fd

SHA256
0dbd12e6a6cfd426ae862d785c3c2785b3fbcbac07e14820e382ad5166d34ef8

SHA512
0cbc2bb6b1de8a090e12d034ae5ec1ca00ce3567241a4443ec1e4c7239ed86cc487a89ed2c1558fb67df1863735252326de9c18eee4593894c6434c61ce5ae7b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads