Overview

overview

10

Static

static

10

8647111d14...93.exe

windows7-x64

10

8647111d14...93.exe

windows10-2004-x64

10

8647111d14...93.exe

windows10-ltsc_2021-x64

10

8647111d14...93.exe

windows11-21h2-x64

10

8647111d14...93.exe

android-13-x64

8647111d14...93.exe

android-13-x64

8647111d14...93.exe

macos-10.15-amd64

8647111d14...93.exe

ubuntu-18.04-amd64

8647111d14...93.exe

debian-9-armhf

8647111d14...93.exe

debian-9-mips

8647111d14...93.exe

debian-9-mipsel

Resubmissions

28/03/2025, 07:30

250328-jbs88avnz6 10

28/03/2025, 07:13

250328-h19f3aszft 10

Analysis

  • max time kernel
    119s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8647111d149ae2fc3ba2394bc9db08ab1146fafa507de56b0e4eef4ceee30893.exe

  • Size

    78KB

  • MD5

    f7c6a8950ab6783ce81f61fafb6feaf1

  • SHA1

    457fa5c2676d5dcb0cdb0ec8426ab2e26e9092a7

  • SHA256

    8647111d149ae2fc3ba2394bc9db08ab1146fafa507de56b0e4eef4ceee30893

  • SHA512

    d09cb9217e1095f8927a8b42c57b7d87af42a447ece581ad3c02c94884e703cd69777b5e93893e3b06878b493a9e3f080d8e042829fbc5cde42cd73d35121acf

  • SSDEEP

    1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOzOnc:GhfxHNIreQm+HiGOnc

Score
10/10
qqpassdiscoverypersistencetrojan

Malware Config

Extracted

Family

qqpass

C2

http://www.zigui.org/article.php?id=103822

Attributes
  • url

    http://www.mxm9191.com/myrunner_up.exe

  • user_agent

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Signatures

  • QQpass

    QQpass is a trojan written in C++..

    trojanqqpass
  • Qqpass family
    qqpass
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8647111d149ae2fc3ba2394bc9db08ab1146fafa507de56b0e4eef4ceee30893.exe
    C:\Users\Admin\AppData\Local\Temp\8647111d149ae2fc3ba2394bc9db08ab1146fafa507de56b0e4eef4ceee30893.exe bcdedit /c set shutdown /r readonly /f force /t 2
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:6124
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:5772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe
    Filesize

    85KB

    MD5

    444ff8f3769dc62d0e9a0d9cce0a763e

    SHA1

    70953dcedcb741ee872cd2cecd90bee0488323bf

    SHA256

    c1b7f74d533ef73c37d68b054472849372e77eb77e345a6219b04102f7cb850b

    SHA512

    c53f0d0889d1285ec18cadb05c0368cab11d0249d54724bb7d9e80e16ad86ab0905f3ff7476f1c042370bbe3c12fb230db6aa41d75a2b7cb49a512f0a03bda88

    Download Submit

  • C:\Windows\System\rundll32.exe
    Filesize

    79KB

    MD5

    8f89503d78af7c0b190cff0325df5f12

    SHA1

    59c4b6f12dd51156663e175e295f45f3c559b1ec

    SHA256

    36d067d63f72339bfd2977f16ea9ea07805f8c50a8fd9787b7c50da8a8968cef

    SHA512

    679af3f77eb1c6d7eb73787cde3ffc07dd617063a5daafab74249f5e12be54f945e6441d9edcce76ece617f64152645a69edf7b2809015f7fd7c9f994825107f

    Download Submit

  • memory/5772-14-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB

    Download

  • memory/6124-0-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB

    Download

  • memory/6124-13-0x0000000000400000-0x0000000000415A00-memory.dmp

    Filesize

    86KB

    Download