Overview

Analysis tabs (task, platform, score):
Static: score 7
5052cf2d1f...18.exe (windows7-x64): score 3
5052cf2d1f...18.exe (windows10-2004-x64): score 7
$_2_/Downl...PS.dll (windows7-x64): score 7
$_2_/Downl...PS.dll (windows10-2004-x64): score 3
$_2_/Extract.dll (windows7-x64): score 3
$_2_/Extract.dll (windows10-2004-x64): score 3
$_2_/MiniQQDL.exe (windows7-x64): score 3
$_2_/MiniQQDL.exe (windows10-2004-x64): score 7
$_2_/TNProxy.dll (windows7-x64): score 7
$_2_/TNProxy.dll (windows10-2004-x64): score 3
$_2_/Tencentdl.exe (windows7-x64): score 3
$_2_/Tencentdl.exe (windows10-2004-x64): score 3
$_2_/dlcore.dll (windows7-x64): score 3
$_2_/dlcore.dll (windows10-2004-x64): score 3
$_2_/predown.dll (windows7-x64): score 3
$_2_/predown.dll (windows10-2004-x64): score 3
Analysis (score 3)
Max time kernel: 101s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 17/10/2024, 02:20
Static task: static1

Behavioral tasks:
Task | Sample | Resource
behavioral1 | 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | win7-20240708-en
behavioral2 | 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | win10v2004-20241007-en
behavioral3 | $_2_/DownloadProxyPS.dll | win7-20240903-en
behavioral4 | $_2_/DownloadProxyPS.dll | win10v2004-20241007-en
behavioral5 | $_2_/Extract.dll | win7-20240903-en
behavioral6 | $_2_/Extract.dll | win10v2004-20241007-en
behavioral7 | $_2_/MiniQQDL.exe | win7-20240729-en
behavioral8 | $_2_/MiniQQDL.exe | win10v2004-20241007-en
behavioral9 | $_2_/TNProxy.dll | win7-20240903-en
behavioral10 | $_2_/TNProxy.dll | win10v2004-20241007-en
behavioral11 | $_2_/Tencentdl.exe | win7-20240903-en
behavioral12 | $_2_/Tencentdl.exe | win10v2004-20241007-en
behavioral13 | $_2_/dlcore.dll | win7-20240903-en
behavioral14 | $_2_/dlcore.dll | win10v2004-20241007-en
behavioral15 | $_2_/predown.dll | win7-20240903-en
behavioral16 | $_2_/predown.dll | win10v2004-20241007-en
General
Target: $_2_/MiniQQDL.exe
Size: 829KB
MD5: b45f4840234e8aa94d0d75c47cc052ff
SHA1: 9fd12d040d7033c0b5b81d4c3ce97145bf504cc4
SHA256: e510b8ef6baba2229fe2c7a88865b8f9cb4609a8d504ca74ca93420fe4eef700
SHA512: 08322f3fdf76d52544e8c0ccf88e127f23237fb9d0de3002c6231cea2d5e97342068617d2b4695ccf858ab148436255a965a5daa28e2d3a99f51767a5f306ff8
SSDEEP: 12288:glICZQTSccqulHGOgo4i1qOns54kkA1+0uJUQJAMGai+tZQ8L:yLbm2dE8JdAMrNtZLL
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid | Process
2868 | tencentdl.exe
2296 | tencentdl.exe
2708 | tencentdl.exe

Loads dropped DLL (14 IoCs)
pid | Process
2028 | tencentdl.exe
2028 | tencentdl.exe
2800 | tencentdl.exe
2800 | tencentdl.exe
2920 | regsvr32.exe
2800 | tencentdl.exe
2800 | tencentdl.exe
2296 | tencentdl.exe
2296 | tencentdl.exe
2296 | tencentdl.exe
2612 | regsvr32.exe
2296 | tencentdl.exe
2268 | MiniQQDL.exe
2296 | tencentdl.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | MiniQQDL.exe

Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | MiniQQDL.exe
File opened for modification | \??\PhysicalDrive0 | tencentdl.exe

Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll | tencentdl.exe
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll | tencentdl.exe
File opened for modification | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll | tencentdl.exe
File opened for modification | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll | tencentdl.exe
File opened for modification | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll | tencentdl.exe
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe | tencentdl.exe
File opened for modification | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe | tencentdl.exe
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll | tencentdl.exe
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll | tencentdl.exe
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll | tencentdl.exe
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe | tencentdl.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tencentdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tencentdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tencentdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MiniQQDL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tencentdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tencentdl.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81} | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\DownloadProxyPS.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\ = "Downloader Class" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32 | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0 | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\ = "Downloader Class" | tencentdl.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" | tencentdl.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods\ = "6" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" | tencentdl.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = d93bff35b3206b4dadba76af1d45f394 | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32 | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | tencentdl.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1 | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID\ = "DownloadProxy.Downloader.1" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CurVer | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID\ = "DownloadProxy.Downloader" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS\ = "0" | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\ = "DownloadProxy 1.0 Type Library" | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd | tencentdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE | tencentdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" | tencentdl.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2268 | MiniQQDL.exe
2268 | MiniQQDL.exe
2296 | tencentdl.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
2268 | MiniQQDL.exe
2268 | MiniQQDL.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2268 | MiniQQDL.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 2268 wrote to memory of 2028 | 2268 | MiniQQDL.exe | 29
PID 2268 wrote to memory of 2028 | 2268 | MiniQQDL.exe | 29
PID 2268 wrote to memory of 2028 | 2268 | MiniQQDL.exe | 29
PID 2268 wrote to memory of 2028 | 2268 | MiniQQDL.exe | 29
PID 2028 wrote to memory of 2868 | 2028 | tencentdl.exe | 30
PID 2028 wrote to memory of 2868 | 2028 | tencentdl.exe | 30
PID 2028 wrote to memory of 2868 | 2028 | tencentdl.exe | 30
PID 2028 wrote to memory of 2868 | 2028 | tencentdl.exe | 30
PID 2268 wrote to memory of 2800 | 2268 | MiniQQDL.exe | 31
PID 2268 wrote to memory of 2800 | 2268 | MiniQQDL.exe | 31
PID 2268 wrote to memory of 2800 | 2268 | MiniQQDL.exe | 31
PID 2268 wrote to memory of 2800 | 2268 | MiniQQDL.exe | 31
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2868 wrote to memory of 2920 | 2868 | tencentdl.exe | 32
PID 2800 wrote to memory of 2708 | 2800 | tencentdl.exe | 34
PID 2800 wrote to memory of 2708 | 2800 | tencentdl.exe | 34
PID 2800 wrote to memory of 2708 | 2800 | tencentdl.exe | 34
PID 2800 wrote to memory of 2708 | 2800 | tencentdl.exe | 34
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | tencentdl.exe | 35
Processes (process tree; indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe (PID 2268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe (PID 2028)
    Command line: "C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" -install
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe (PID 2868)
      Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regsvr32.exe (PID 2920)
        Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class

  C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe (PID 2800)
    Command line: "C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" -install
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe (PID 2708)
      Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regsvr32.exe (PID 2612)
        Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe (PID 2296)
  Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: 4ceb4641a90de4feee34ba5f949d41ba
SHA1: cb060db236d9938f97b5e4e2d1b1c663071a2bd7
SHA256: 2a075c11148c3f04163b9ffdaa05d4b46bc55c96b2fe50d0a39cc377139c2b26
SHA512: 932960a503817683c3d7c66695732ec6dc59887b0eaa8d53c4e26e1de6fd6c4e9291a4afe25d898c9b02dfe4cd976414f66b715b861e7974e765bff587fa2d27

Filesize: 821KB
MD5: b8f64b0b53e039cbeba7d60c81710bd8
SHA1: a9be269daa7f404a23fcaf002be7ee13697ef8e0
SHA256: 54e0b845eff52823a951ff4b38c6728a381613a0603ce82d4d5c34aa6402f7cc
SHA512: 9b5c5818fc0a11c8dc80b3befd3459a031f411fc5ddba43f7c0737f20ce6b265599790b64897aed448ccff766c98c5f8d0837495a8eecca36777be390f49ec05

Filesize: 1.7MB
MD5: 82ce23aad749aee959820533c0676cb2
SHA1: 3aa526a4ed51491b01a5419713d1582a426b7efc
SHA256: a2fd92c7fc26bf2851aaefcc5f0bafd75511794ad0c781e1a715df812f7bd2ab
SHA512: c91f5165059677071a1e2949244dd1ce4e2c5ce58fe38298f1707ff4b6de6981d7c45f8fd5a189a91d154b0c4af25dbaae4e7a51f107dee77f2f51f0150d2707

Filesize: 358KB
MD5: 9da51d4506bd094fbfc7d337338fc872
SHA1: 1b5799ef6b66ac9471842f17570813e7c42cdb27
SHA256: f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501
SHA512: 07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

Filesize: 377KB
MD5: 858fc685a5bff591985394f9cdf9e289
SHA1: 5970a28aab399d005885b9c6b79eafd606640fab
SHA256: 3404212366a3aed4155e5d73d901e769a7005cadde5169a8d9677ab5a0585dcf
SHA512: 620491b27ff281ad42f947fb9dbef3256624fe8d298740d6b9942627525a2d44525cbb9065d2ffa2efb0ab3478b8a33148fc9b0b4c531106cc8e421e2c59f0d0