Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MQNT.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.076698191150393
Filename:	MQNT.exe
Filesize:	5524480
MD5:	27f5aa99c8e512ca56c2a46fb0b7be6b
SHA1:	65a1336c182612c091ef925d52477639c7735d01
SHA256:	575d39610e80fff09fc08eb068983bd0524bd2ef9508607be2749620150ddc85
SHA512:	f8754cb9c4b2f3ad266376da59765153c61c48b712ea0dafa41775e1504e6254ba67d7ac65690576a49667feb5a31bc5fe800e198607edfa5cc430d3f612f7a4
SSDEEP:	98304:5q+ZcUWX+lbbEipLaUTEZ7ce0R252Pw8B4DuR/6JBAUZLc:5q+ZcUWX+/yV0R2YPxoaiJVA
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........D.}ID.}ID.}I+.vIM.}I+.wIB.}I?.qIA.}I..nIh.}I.. IF.}I..sIh.}ID.\|I..}I&.nI[.}IM..IE.}I..oIN.}Ir.vI..}Ir.wI..}I..vI*.}I..wIt.}

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries disk information (often used to detect virtual machines)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Writes ini files	System Summary	File and Directory Discovery
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\update.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\update.exe
Category:	dropped
Dump:	update.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MQNT.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.344965617584001
Encrypted:	false
Ssdeep:	24576:YvtI2D6CEhvugYa3EZfup4jflORg0RBQI:YevLEZ7cRg0RJ
Size:	954368
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\Desktop\desktop.ini

Unicode text, UTF-16, little-endian text, with CRLF line terminators

modified

Details

File:	C:\Users\user\Desktop\desktop.ini
Category:	modified
Dump:	desktop.ini.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\MQNT.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.9822709529024487
Encrypted:	false
Ssdeep:	12:QZsiL5wmHOlDmo0qmWvclLwv2G4wmL66uCEuyLyn:QCGwv4o0BlLweTL66uuyW
Size:	422
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Reads ini files	System Summary	File and Directory Discovery
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel

dropped

Details

File:	C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico
Category:	dropped
Dump:	19CAD721B59B09B208B5A7E2F6387843.ico.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\MQNT.exe
Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Entropy:	5.7039139970238075
Encrypted:	false
Ssdeep:	1536:vrpcQaRJlr5a3QEC2ADfYVmqpPZf++r7MJsEzlDtr66Evbag:vrpcQaGHVmOhf++razdtYp
Size:	67646
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MQNT.exe

"C:\Users\user\Desktop\MQNT.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7032
Target ID:	0
Parent PID:	1028
Name:	MQNT.exe
Path:	C:\Users\user\Desktop\MQNT.exe
Commandline:	"C:\Users\user\Desktop\MQNT.exe"
Size:	5524480
MD5:	27F5AA99C8E512CA56C2A46FB0B7BE6B
Time:	07:23:59
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	5935104
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Yara detected aPLib compressed binary	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://47.92.98.180:88/MQNT/MQNT.exe

unknown

http://47.92.98.180:88/MQNT/GX_RZ.txt

unknown

http://www.eyuyan.com)DVarFileInfo$

unknown

https://api.ip.sb/ip

unknown

https://club.vip.qq.com/api/aggregation?g_tk=

unknown

http://whois.pconline.com.cn/ipJson.jsp?json=true

unknown

http://www.ip138.comUser-Agent:

unknown

https://club.vip.qq.com/api/aggregation?g_tk=content-type:

unknown

http://www.eyuyan.comservice

unknown

http://www.ibsensoftware.com/

unknown

https://cdid.c-ctrip.com/model-poc2/h

unknown

https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:

unknown

https://ipinfo.io/json

unknown

https://ip.cn/api/index?ip=&type=0

unknown

https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip

unknown

http://www.eyuyan.com

unknown

http://ip-api.com/json/?lang=zh-CN

unknown

https://www.baidu.comDate:KB3140245/

unknown

http://47.92.98.180:88/MQNT/data.txt

unknown

http://q1.qlogo.cn/g?b=qq&nk=

unknown

https://www.uc.cn/ip

unknown

http://www.ip138.com

unknown

http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c

unknown

https://www.baidu.com

unknown

There are 14 hidden URLs, click here to show them.

Domains

Name

Malicious

www.wshifen.com

103.235.46.96

18.31.95.13.in-addr.arpa

unknown

www.baidu.com

unknown

Details

Name:	www.baidu.com
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

103.235.46.96

www.wshifen.com

Hong Kong

Details

IP:	103.235.46.96
TargetID:	0
Current Path:	C:\Users\user\Desktop\MQNT.exe
Country:	Hong Kong
Countrycode:	HKG
ASN number:	55967
ASN name:	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd
Private:	false
Domain:	www.wshifen.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer

GlobalAssocChangedCounter

Memdumps

Base Address

Regiontype

Protect

Malicious

6CD000

unkown

page readonly

6CD000

unkown

page readonly

326B000

heap

page read and write

CE2000

heap

page read and write

3283000

heap

page read and write

C91000

heap

page read and write

99F000

unkown

page read and write

C6F000

heap

page read and write

3388000

heap

page read and write

BC6000

heap

page read and write

C6D000

heap

page read and write

A0E000

stack

page read and write

401000

unkown

page execute read

923000

unkown

page read and write

C6F000

heap

page read and write

34A0000

trusted library allocation

page read and write

C91000

heap

page read and write

32BE000

heap

page read and write

32C8000

heap

page read and write

32C2000

heap

page read and write

3268000

heap

page read and write

32BE000

heap

page read and write

32C8000

heap

page read and write

915000

unkown

page write copy

2A3E000

stack

page read and write

326B000

heap

page read and write

9A1000

unkown

page readonly

328C000

heap

page read and write

32C8000

heap

page read and write

314E000

stack

page read and write

C25000

heap

page read and write

BFA000

heap

page read and write

2760000

remote allocation

page read and write

6190000

trusted library allocation

page read and write

93E000

unkown

page write copy

2DBF000

stack

page read and write

C2B000

heap

page read and write

C9E000

heap

page read and write

400000

unkown

page readonly

3289000

heap

page read and write

2B3D000

stack

page read and write

B70000

heap

page read and write

34A0000

trusted library allocation

page read and write

9B0000

heap

page read and write

32BE000

heap

page read and write

C8C000

heap

page read and write

BFE000

heap

page read and write

3289000

heap

page read and write

C81000

heap

page read and write

5E5000

unkown

page readonly

988000

unkown

page read and write

3265000

heap

page read and write

915000

unkown

page write copy

3260000

heap

page read and write

93A000

unkown

page read and write

92A000

unkown

page read and write

C27000

heap

page read and write

A4E000

stack

page read and write

328C000

heap

page read and write

327B000

heap

page read and write

3600000

heap

page read and write

9C0000

heap

page read and write

999000

unkown

page read and write

29FE000

stack

page read and write

2785000

heap

page read and write

328C000

heap

page read and write

C6D000

heap

page read and write

CA8000

heap

page read and write

CAC000

heap

page read and write

32E6000

heap

page read and write

BC0000

heap

page read and write

32C8000

heap

page read and write

C8C000

heap

page read and write

2740000

heap

page read and write

C6F000

heap

page read and write

5E5000

unkown

page readonly

2760000

remote allocation

page read and write

2744000

heap

page read and write

924000

unkown

page write copy

32C8000

heap

page read and write

C81000

heap

page read and write

3282000

heap

page read and write

C78000

heap

page read and write

C78000

heap

page read and write

94B000

unkown

page read and write

CE2000

heap

page read and write

95000

stack

page read and write

32BC000

heap

page read and write

3273000

heap

page read and write

CA8000

heap

page read and write

3250000

heap

page read and write

DEE000

stack

page read and write

C78000

heap

page read and write

CE2000

heap

page read and write

2B7E000

stack

page read and write

32BC000

heap

page read and write

C5B000

heap

page read and write

28FD000

stack

page read and write

A80000

heap

page read and write

EEF000

stack

page read and write

328C000

heap

page read and write

3289000

heap

page read and write

C9F000

heap

page read and write

93F000

unkown

page read and write

919000

unkown

page write copy

2CBE000

stack

page read and write

C6F000

heap

page read and write

19C000

stack

page read and write

CA3000

heap

page read and write

32BF000

heap

page read and write

32C9000

heap

page read and write

CE2000

heap

page read and write

3261000

heap

page read and write

3380000

heap

page read and write

92B000

unkown

page write copy

CE2000

heap

page read and write

400000

unkown

page readonly

2780000

heap

page read and write

3282000

heap

page read and write

3282000

heap

page read and write

9A1000

unkown

page readonly

A85000

heap

page read and write

C81000

heap

page read and write

2760000

remote allocation

page read and write

BF0000

heap

page read and write

917000

unkown

page read and write

C8C000

heap

page read and write

BCB000

heap

page read and write

401000

unkown

page execute read

328C000

heap

page read and write

324F000

stack

page read and write

C78000

heap

page read and write

C29000

heap

page read and write

32BC000

heap

page read and write

C8C000

heap

page read and write

2C7F000

stack

page read and write

B60000

heap

page read and write

CA1000

heap

page read and write

32BC000

heap

page read and write

C9D000

heap

page read and write

CA1000

heap

page read and write

C81000

heap

page read and write

93E000

unkown

page write copy

There are 133 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MQNT.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMQNT.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
MQNT.exe