7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838

Analysis

max time kernel
141s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
Size

12.2MB
MD5

313c6125ce2f610bdb867a161addcc81
SHA1

02185bfecc7f19658823978ff8d6083531c09bbd
SHA256

7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838
SHA512

52dd26576d45f48de92f37e87aa692cd26a1824fe17e554acdaf673914cbbaf6429bf38ef53fb2340c8d9afa4fc5ab4be8d84c2fc8006f58a1f6baff348dae43
SSDEEP

196608:MrvzibXtSA2UFrJ3Miv+364Hosu0VWY7g50N9TieHTwIHknYDToB5TICfWAyDjMJ:MKBSADJ63/cY7X2nboEfWARYQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2628	ÉÏºÅÆ÷12.28.exe
2596	QQ.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
2628	ÉÏºÅÆ÷12.28.exe
2628	ÉÏºÅÆ÷12.28.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe	QQ.exe
File created	C:\Windows\SysWOW64\Base.dll	ÉÏºÅÆ÷12.28.exe
File created	C:\Windows\SysWOW64\TestLF.dll	ÉÏºÅÆ÷12.28.exe
File created	C:\Windows\SysWOW64\libeay32.dll	ÉÏºÅÆ÷12.28.exe
File created	C:\Windows\SysWOW64\svchost.exe	QQ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2628	ÉÏºÅÆ÷12.28.exe
2596	QQ.exe
2596	QQ.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÉÏºÅÆ÷12.28.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2628	ÉÏºÅÆ÷12.28.exe
2628	ÉÏºÅÆ÷12.28.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	QQ.exe
Token: SeDebugPrivilege	2596	QQ.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
2628	ÉÏºÅÆ÷12.28.exe
2628	ÉÏºÅÆ÷12.28.exe
2628	ÉÏºÅÆ÷12.28.exe
2628	ÉÏºÅÆ÷12.28.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2628	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	29
PID 2316 wrote to memory of 2628	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	29
PID 2316 wrote to memory of 2628	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	29
PID 2316 wrote to memory of 2628	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	29
PID 2316 wrote to memory of 2596	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	30
PID 2316 wrote to memory of 2596	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	30
PID 2316 wrote to memory of 2596	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	30
PID 2316 wrote to memory of 2596	2316	7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe	30

C:\Users\Admin\AppData\Local\Temp\7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe
"C:\Users\Admin\AppData\Local\Temp\7cf5b831c7e8b7612a1e6b1441ddc11ba0e900c9acfe56953874ceaa2d1fb838.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\ÉÏºÅÆ÷12.28.exe
  C:\Users\Admin\AppData\Local\Temp\ÉÏºÅÆ÷12.28.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\QQ.exe
  C:\Users\Admin\AppData\Local\Temp\QQ.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -auto
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Login.dll

Filesize
11.9MB

MD5
11b503094eb69c8a8285f6ed28af8ef1

SHA1
594e3c2d536bdcb5b936fe9494caf2893dbe9d07

SHA256
908fd02a45d2fa8da35010a998e3b77262a4b9ca8659df86344d414f3c66b040

SHA512
d4568977eb7f4c46118f99061dd8f9b43038d544895f36774988e09a5d9bfbafb3ff5a0e67728e6cea9c12e47928eff3143521f423eccbecd753e42acf188769

Download Submit
\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
1.0MB

MD5
da35f17e36bc4941d092f3e64104462b

SHA1
5c9e07329c96503382dc4247d5973e0c99080c58

SHA256
35a73589540316d2ccb4f637e5db2c13ee8c092432b2bf62a49527477ef2c949

SHA512
48f1d11f77260533432d58f33c701969524d7bb04b552830a8f8481eacf542202399bc2fe5dd8bc1a0354053114f8df7f7fc43c9a98260f176b5e8da9b7f0d60

Download Submit
\Users\Admin\AppData\Local\Temp\ÉÏºÅÆ÷12.28.exe

Filesize
10.4MB

MD5
752c8b7cdb212b24297ead70c84254da

SHA1
9de73123d26012e0ea9c94cb80418f52285e8ca2

SHA256
8001894be26eeb74852b6be647114294323d6ef737e4ec8458785b1f0f8636b6

SHA512
03c4f348d5df80cff02f4ac54b67c502c446286de25ee9c283fbf4908d596ddd14942834259666f50193c1fa68bd68fd1617be9d8eca69dbb403b1d1feb347de

Download Submit
\Users\Admin\Documents\CCStudio\HpSocket4C.dll

Filesize
2.8MB

MD5
4bc970a97300b1a725d44bba23d8697a

SHA1
6f1eb181153692814e038e2f851d0734646f78f8

SHA256
c9d8fb5311ae6018dc1ca72774cb7efeba5c115c827a5cfb795b3580499e323d

SHA512
03968ca876b7e584de0a1418cca1dd2036fd0b4744f86d69aee5691a42061e284f8d9577293ef3f656be332f7da5ca276f85c6393bd6d8eb7de181baec0285f8

Download Submit
memory/2316-7-0x0000000002CF0000-0x0000000004115000-memory.dmp

Filesize
20.1MB

Download
memory/2316-8791-0x0000000002CF0000-0x0000000004115000-memory.dmp

Filesize
20.1MB

Download
memory/2316-8789-0x0000000002CF0000-0x0000000004115000-memory.dmp

Filesize
20.1MB

Download
memory/2316-12-0x0000000002CF0000-0x0000000004115000-memory.dmp

Filesize
20.1MB

Download
memory/2316-21-0x0000000002CF0000-0x0000000002DF8000-memory.dmp

Filesize
1.0MB

Download
memory/2316-20-0x0000000002CF0000-0x0000000002DF8000-memory.dmp

Filesize
1.0MB

Download
memory/2596-866-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-856-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-890-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-888-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-886-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-884-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-882-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-880-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-878-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-876-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-874-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-872-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-870-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-868-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-894-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-864-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-862-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-860-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-858-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-892-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-854-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-852-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-850-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-848-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-846-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-844-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-842-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-840-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-838-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-836-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-834-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-833-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/2596-23-0x0000000077970000-0x00000000779B7000-memory.dmp

Filesize
284KB

Download
memory/2596-22-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2596-8779-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2628-8781-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2628-10-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/2628-8790-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/2628-11-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download