Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28/03/2025, 07:23
General
-
Target
cd2b256127192a645cb0ee2f575bc480261bee0f5777b07fdf8fa23c6896cf48.exe
-
Size
75KB
-
MD5
35aa48c51f67634ab9a05028ddacd91a
-
SHA1
41eda72d9456025eb0f881daac43f4b920fda1bd
-
SHA256
cd2b256127192a645cb0ee2f575bc480261bee0f5777b07fdf8fa23c6896cf48
-
SHA512
5e3433d76ae896da6a91b66a49d15026620261eaab93acf498a0ea913eb5461bf44d7afae81dcebc878e04810da86fd3dea90d82eebbebfa75d3df7e1f1d3d4a
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOWWJ:GhfxHNIreQm+HidWJ
Malware Config
Extracted
qqpass
http://www.zigui.org/article.php?id=103822
-
url
http://www.mxm9191.com/myrunner_up.exe
-
user_agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Signatures
-
QQpass
QQpass is a trojan written in C++..
-
Qqpass family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies system executable filetype association 2 TTPs 5 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd2b256127192a645cb0ee2f575bc480261bee0f5777b07fdf8fa23c6896cf48.exeC:\Users\Admin\AppData\Local\Temp\cd2b256127192a645cb0ee2f575bc480261bee0f5777b07fdf8fa23c6896cf48.exe bcdedit /c set shutdown /r readonly /f force /t 21⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD5cbe99cac92cca509db334ad1d56db908
SHA18144911cce1767bf531df8bb4b2357449cadddf6
SHA256dbea519b748fecde0b1a812322f16e0d40e8b4d5b250a4593bd0665496911978
SHA512938df44ffe31fb1cd1d09814cf019c490c96840d5fcbd9139c2778d7083f752a2cc0201d85cff7ebbb939c8a1156750edf67010289b0ccbe5538520be9697f38
-
Filesize
73KB
MD5b14042145636ab5bb86095be8c7a2576
SHA1ef87ea6503f8535214037ece35c58925b59f2817
SHA2565a9784159c245a3f3fa1fc13cdc62c53d216461bf7a66e0a77c86ac50034e3f2
SHA5126f4d5e53c000854733441f34426b1c7408fd85dd9d52964b7d4a88fa00c664298c486c2ca2338f48c855998c58b3547423795a4024fb7ad25f6e613e705ed8c0
-
Filesize
86KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
86KB
-
Filesize
8KB
-
Filesize
86KB
-
Filesize
86KB