036cecd9790ccc46a079b61f8f9da1a3aace1247d350816d187d2144551e04e1

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skyQQMsgNS.exe
Size

1.2MB
MD5

3ede974cea8eaba816377b0197963882
SHA1

e5319baa5361ef6039171e085f09b360959ec449
SHA256

e564dc1633b2a4f587e2e4fdbabb3709d02dc9fb5b6ddcbfc17187f8436d5d0a
SHA512

2165de327c496abb981ba8222ec4a85697e9f7c0b0ee46c2d2dd62319e417541949fc29a570e53761f6e3fb8bca8416006b93c0d7fb548e826a6e21a6e3fd53f
SSDEEP

24576:EtMkVOW6K2go1hi6iAK4PbDehk4HKyZ5rnpEr9oeBk/CZMaX:usvTKcL45/zpEV/ZMaX

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4992	skyQQMsgNS.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FED1242-3E89-4A67-ABD7-3B010227AF03}	skyQQMsgNS.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winbodun.dll	skyQQMsgNS.exe
File opened for modification	C:\Windows\SysWOW64\winexcl.dll	skyQQMsgNS.exe
File created	C:\Windows\SysWOW64\__db.winexcl.dll	skyQQMsgNS.exe
File opened for modification	C:\Windows\SysWOW64\__db.winexcl.dll	skyQQMsgNS.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skyQQMsgNS.exe

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\Version = "1.0"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\ = "{3270F631-C34F-4796-9445-8F5E30668828}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1\ = "Airey Class"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}\ = "Love"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\ = "{3270F631-C34F-4796-9445-8F5E30668828}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\InProcServer32\ = "C:\\Windows\\SysWow64\\winbodun.dll"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Love.DLL	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Love.DLL\AppID = "{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CLSID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\InprocServer32\ = "C:\\Windows\\SysWow64\\winbodun.dll"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\ = "Love 1.0 ÀàÐÍ¿â"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\InProcServer32	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1\CLSID\ = "{1FED1242-3E89-4A67-ABD7-3B010227AF03}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\AppID = "{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\0\win32	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\TypeLib\Version = "1.0"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CLSID\ = "{1FED1242-3E89-4A67-ABD7-3B010227AF03}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\InprocServer32\ThreadingModel = "Apartment"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ = "IAirey"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ = "IAirey"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32\ = "{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\NumMethods\ = "7"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CurVer	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\CurVer\ = "Love.Airey.1"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\Programmable	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\HELPDIR	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\NumMethods	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey\ = "Airey Class"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\ = "Airey Class"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\VersionIndependentProgID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\VersionIndependentProgID\ = "Love.Airey"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\TypeLib\ = "{3270F631-C34F-4796-9445-8F5E30668828}"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\ProgID	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1\CLSID	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\ProgID\ = "Love.Airey.1"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\TypeLib	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\InProcServer32\ThreadingModel = "Both"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2D0D6F04-EF5C-4A52-AA29-A146A6466A9C}	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\FLAGS\ = "0"	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ = "PSFactoryBuffer"	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\FLAGS	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\winbodun.dll"	skyQQMsgNS.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\WOW6432Node\Interface	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Love.Airey.1	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FED1242-3E89-4A67-ABD7-3B010227AF03}\InprocServer32	skyQQMsgNS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3270F631-C34F-4796-9445-8F5E30668828}\1.0\0	skyQQMsgNS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70E1B0F2-0C85-4D5A-8ADC-255042D758C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	skyQQMsgNS.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\WOW6432Node\CLSID	skyQQMsgNS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4992	skyQQMsgNS.exe
4992	skyQQMsgNS.exe
4992	skyQQMsgNS.exe
4992	skyQQMsgNS.exe

C:\Users\Admin\AppData\Local\Temp\skyQQMsgNS.exe
"C:\Users\Admin\AppData\Local\Temp\skyQQMsgNS.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winbodun.dll

Filesize
104KB

MD5
ba7a79d3e9b932c85baae493a7bca016

SHA1
53d47b33a5c8e4da388bfcf6614d24cc7f8b93fd

SHA256
0dbd12e6a6cfd426ae862d785c3c2785b3fbcbac07e14820e382ad5166d34ef8

SHA512
0cbc2bb6b1de8a090e12d034ae5ec1ca00ce3567241a4443ec1e4c7239ed86cc487a89ed2c1558fb67df1863735252326de9c18eee4593894c6434c61ce5ae7b

Download Submit
C:\Windows\SysWOW64\winexcl.dll

Filesize
16KB

MD5
8ecd0db14b8104fa0ac2591ca3d6adae

SHA1
73509da1d50aba3e0e9836b915da60e411d714b1

SHA256
3b2e8945ed7984bf24c76bb8dcdae50c75011384860d12c6be344b04ddfc0b8f

SHA512
8a1cdab80319a91c68959035b63c93b9f36a4144810b2c42b8f31c6f23684c5d65f3bf0e79958e3ec7b3b29e45b8d8905395583364c1174ec2c10362b7e3aefe

Download Submit