50bab97dd6ce903465751affe72871e43d611c043a5b613b56f0bcea27dd9b45

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qvodkunbang.exe
Size

737KB
MD5

1009304614108cc969ca448183c54c03
SHA1

7df4d9658542c11e40dc390e4dba49554b1084d0
SHA256

c5e0e2aad81ed8920984572ea30110c1d341d5a0628213607d396d741526b26f
SHA512

05c24315a05f8dae782f33b0b70235dba50f7ee607a3e3f23e2174745db892971843cb62916124983db43ef80268e6558098126f636768ef1edda8dc892c1e5f
SSDEEP

12288:gmJxN6cHP8YB5z+V4M1YT8VEIjTJW/y0llDWnG+vs/GMhx1Of4Arr8TqY:gmJxN6cHP8U5z8fBVEsE/y6pqGiaGMhb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

BaiduP2PService.exesr.exeBaiduP2PService.exe

pid process

2440 BaiduP2PService.exe
2940 sr.exe
3036 BaiduP2PService.exe

pid	process
2440	BaiduP2PService.exe
2940	sr.exe
3036	BaiduP2PService.exe

Loads dropped DLL 14 IoCs

Processes:

qvodkunbang.exeBaiduP2PService.exeBaiduP2PService.exe

pid	process
3352	qvodkunbang.exe
3352	qvodkunbang.exe
3352	qvodkunbang.exe
2440	BaiduP2PService.exe
2440	BaiduP2PService.exe
2440	BaiduP2PService.exe
2440	BaiduP2PService.exe
2440	BaiduP2PService.exe
3036	BaiduP2PService.exe
3036	BaiduP2PService.exe
3036	BaiduP2PService.exe
3036	BaiduP2PService.exe
3036	BaiduP2PService.exe
3036	BaiduP2PService.exe

Drops file in Program Files directory 8 IoCs

Processes:

qvodkunbang.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Browser\config.ini	qvodkunbang.exe
File opened for modification	C:\Program Files (x86)\tools\isWrite\	qvodkunbang.exe
File opened for modification	C:\Program Files (x86)\tools\	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\BaiduP2PService.exe	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\P2PBase.dll	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\P2PStatReport.dll	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\P2SBase.dll	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\sr.exe	qvodkunbang.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qvodkunbang.exeBaiduP2PService.exesr.exeBaiduP2PService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qvodkunbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiduP2PService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiduP2PService.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

BaiduP2PService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}\AppPath = "C:\\Program Files (x86)\\tools"	BaiduP2PService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}\AppName = "BaiduP2PService.exe"	BaiduP2PService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}\Policy = "3"	BaiduP2PService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}	BaiduP2PService.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

qvodkunbang.exe

pid process

3352 qvodkunbang.exe
3352 qvodkunbang.exe
3352 qvodkunbang.exe
3352 qvodkunbang.exe
3352 qvodkunbang.exe
3352 qvodkunbang.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

qvodkunbang.exe

description pid process

Token: SeDebugPrivilege 3352 qvodkunbang.exe
Token: SeDebugPrivilege 3352 qvodkunbang.exe
Token: SeDebugPrivilege 3352 qvodkunbang.exe

description	pid	process
Token: SeDebugPrivilege	3352	qvodkunbang.exe
Token: SeDebugPrivilege	3352	qvodkunbang.exe
Token: SeDebugPrivilege	3352	qvodkunbang.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

qvodkunbang.exe

description	pid	process	target process
PID 3352 wrote to memory of 2440	3352	qvodkunbang.exe	BaiduP2PService.exe
PID 3352 wrote to memory of 2440	3352	qvodkunbang.exe	BaiduP2PService.exe
PID 3352 wrote to memory of 2440	3352	qvodkunbang.exe	BaiduP2PService.exe
PID 3352 wrote to memory of 2940	3352	qvodkunbang.exe	sr.exe
PID 3352 wrote to memory of 2940	3352	qvodkunbang.exe	sr.exe
PID 3352 wrote to memory of 2940	3352	qvodkunbang.exe	sr.exe
PID 3352 wrote to memory of 3036	3352	qvodkunbang.exe	BaiduP2PService.exe
PID 3352 wrote to memory of 3036	3352	qvodkunbang.exe	BaiduP2PService.exe
PID 3352 wrote to memory of 3036	3352	qvodkunbang.exe	BaiduP2PService.exe

C:\Users\Admin\AppData\Local\Temp\qvodkunbang.exe
"C:\Users\Admin\AppData\Local\Temp\qvodkunbang.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files (x86)\tools\BaiduP2PService.exe
  "C:\Program Files (x86)\tools\BaiduP2PService.exe" init
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:2440
- C:\Program Files (x86)\tools\sr.exe
  "C:\Program Files (x86)\tools\sr.exe" "http://conf.a101.cc/tool/install.txt" "C:\ProgramData\Baidu\BaiduPlayer\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Program Files (x86)\tools\BaiduP2PService.exe
  "C:\Program Files (x86)\tools\BaiduP2PService.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\tools\BaiduP2PService.exe

Filesize
508KB

MD5
012a8879efa6f8dbc3c6ba58a659fefb

SHA1
d2a2dac321ff5a78de52e926044ba362f4004cde

SHA256
774839fe17e1ff94e45a21e6c1ac3c884e8fa0a3cb5ef24e9b8ae503d70dfa66

SHA512
b0f060cd5231f255083e2437026488d5fa3493e97cebb83a4638680551299db1a01862ca433d52efa8ecff80aa6ba5982cdd015a9f5081364b80ee92b79b78ba

Download Submit
C:\Program Files (x86)\tools\P2PBase.dll

Filesize
496KB

MD5
a86a90ba120c455ac0e3655f146d5a0f

SHA1
277c55191fbbadf888626df4fba279591632a406

SHA256
577790026b949f666546299cd1dd002bc76447b86feed056cfe8c903a8039c43

SHA512
a1d1d9386575187a81867db036c59ce76cede87a981fec7462283ccc0f76e0e8c8a85c6e66fd74a4305b6f402c224db9c1525e22015a4400d0bbedd1c72a9d47

Download Submit
C:\Program Files (x86)\tools\P2PStatReport.dll

Filesize
364KB

MD5
3b14cae0ea1d045bb5b196017913edb3

SHA1
7ca456595148f2d5e71444a612f2351c4cd8a20d

SHA256
a2aeac1855ccb0bab911ddbfd7c79e86834020dc3c260a335249d41aff594982

SHA512
6c475600f041c229f8fb330e201f658db58f1a46f016731e64cf65cee64242876c7b71aef671532f41106cc35de9963b599eb39b63e1d980ef911392fbf0a200

Download Submit
C:\Program Files (x86)\tools\P2SBase.dll

Filesize
512KB

MD5
894ab861e608eacbac24280ab234368f

SHA1
e283ef8757f04b0252ec5dce22e6e8094bed7737

SHA256
687df23126f0da0348f8c5165b11b72982636177c6f53f5fe827c3f036fd83bb

SHA512
26a78e26a60bfd48e93b1e61ede2cc2a7c9c9cb61bdd729f86b2692fed0eb4fedc72953ca83bc3fc945a0cc21d3d3232e73a03be39ea5755ddcc0dbd8ef3bed3

Download Submit
C:\Program Files (x86)\tools\sr.exe

Filesize
154KB

MD5
83bcf3ad82ce65d2bd0fdd364fe32cb5

SHA1
32c5080bbf51dd22bed7f594a92f753a25eef73c

SHA256
5635105c90c618c8db7a11cc031dbfb91aba92b0b8c960d6fb02f1fb4ff9758d

SHA512
852c6176bd92c2fa4d8177764bcf8e6c9acb06cea488972376e6d6acb4e01c02f306f9b73ca36663f1c82b0443049e0898a0d6638a0760f957eade50a6ba8e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPlayer\P2PCfg.ini

Filesize
189B

MD5
19f21808f4cbe1ff7d4796130e12c3a8

SHA1
6255a4e66a2738ecfa55eb60cd207dbc22227780

SHA256
6ed365bfc6d441a49f066bcee0514f1f457f4ad621fd254469e214ca2b66eece

SHA512
e80e9e74640f6ef245d57f010813916c95975d860d62ce70299b5fb98c04bd4f042ea78c28ec96721703aa0c00b0461387b6045e1d8fc5331382f725c5a7c482

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB6EE.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB6EE.tmp\nsTools.dll

Filesize
262KB

MD5
69fcb9ae215b1397ae1f9751da7016d0

SHA1
da3816591f15fcdae48910fb632ee5d2f8c09d4d

SHA256
ba5b2e57997aae2ce636a76e8ffc536498bf3882d61648f30c169cc17fd1f342

SHA512
f9c6aa7b420b1e18ab7e7351f4d228e5b2fd047fc70e170b037efda0bca4b5ff146f6457f477aeaecf829e42d3c730530483c240e0b1de98aef217c2bcc56689

Download Submit
memory/2440-30-0x0000000000A50000-0x0000000000AD4000-memory.dmp

Filesize
528KB

Download
memory/2440-33-0x0000000000AE0000-0x0000000000B3D000-memory.dmp

Filesize
372KB

Download
memory/3036-48-0x0000000000980000-0x0000000000A04000-memory.dmp

Filesize
528KB

Download
memory/3036-52-0x0000000000500000-0x000000000055D000-memory.dmp

Filesize
372KB

Download
memory/3352-16-0x0000000002390000-0x00000000023D8000-memory.dmp

Filesize
288KB

Download