30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72

General

Target

30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe
Size

28KB
MD5

71f6171d29c04e7ba2aa8830ba4122de
SHA1

c4c2516d0b56d8bca9a51502486d2c4227b86f29
SHA256

30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72
SHA512

c4b90a91374935571de8f84a7bcc441c0a79efa8852a8821b834cea7870713ccd92358df593b9d1299522096a467083316c61b02dbf1d08842644ccc505d7463

Score

8^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exeQBPin.exeQBPin.exe

pid process

1540 QQBrowser_Setup_10.5.3869_1100110740.exe
2044 QBPin.exe
3340 QBPin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QBPin.exeQBPin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	QBPin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	QBPin.exe

Loads dropped DLL 1 IoCs

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

pid process

1540 QQBrowser_Setup_10.5.3869_1100110740.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qbclipboard = "\"C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe\" --type=assistant --clipboard"	QQBrowser_Setup_10.5.3869_1100110740.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQBrowser_Setup_10.5.3869_1100110740.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

description ioc process

File opened for modification \??\PhysicalDrive0 QQBrowser_Setup_10.5.3869_1100110740.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQBrowser_Setup_10.5.3869_1100110740.exe

Drops file in Program Files directory 64 IoCs

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

description	ioc	process
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBClipboard.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\swiftshader\libGLESv2.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBSafe.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\driver\amd64\tsqbdrv.sys	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\extensions\account-helper.crx	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\F1Assistant.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\locales\zh-CN.pak	QQBrowser_Setup_10.5.3869_1100110740.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQBrowser\tmp_123abc456def789hij.tmp	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\chrome_100_percent.pak	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\HEICDecodeExtend.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\qb_clh.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\1.70.3741.400.manifest	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\TPGDecodeExtend.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\locales\qb\zh-CN.pak	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\qbroker\qbroker64.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll.sig	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\nsis_skin.gt	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\v8_context_snapshot.bin	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\data\compatibility.min.js	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\nacl_irt_x86_32.nexe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBDelayUpdate.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBDExtend.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\data\fancy.css	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\nacl64.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QQBrowserFix.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QRCode.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\tssafeedit.dat	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\DelayUpdate.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\frame_icudtl.dat	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\navi2.ico	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\navi.ico	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\BugReport.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\plugin\PerfTools.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\service\TsService.exe.new	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\uninst.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\data\pdf2htmlEX-64x64.png	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\FrameLoader.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\nacl_irt_x86_64.nexe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\pdf_config.json	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\driver\ScreenDef	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\extensions\QBFixerPlugin.crx	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\F1Frame.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\d3dcompiler_47.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\chrome_child.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QQBrowser.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\snapshot_blob.bin	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\data\pdf2htmlEX.min.js	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\extensions\pic_edit.crx	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\qb_200_percent.pak	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\QQBrowserConfig.dat	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\ModuleDll\{0508DF1F-2AB6-4fac-A99E-45BBBF24E1E6}.qrx	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\FrameLoader.dll.sig	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\natives_blob.bin	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\resources.pak	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\video.ico	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\Downloader.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\ExportFavHtml.dll	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\extensions\commenExtension.crx	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\extensions\live_box.crx	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\pcmgr_down.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQ\ExtraInfo.ini	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\locales\qb\en-US.pak	QQBrowser_Setup_10.5.3869_1100110740.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\10.5.3869.400.manifest	QQBrowser_Setup_10.5.3869_1100110740.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode\MachineGuid = "1B54FA9B19CA6A5E3638B70B1A3FE6D0"	QQBrowser_Setup_10.5.3869_1100110740.exe

Modifies registry class 43 IoCs

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exeQBPin.exeQBPin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.heic	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.heic	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell\ = "open"	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Tencent.QQBrowser.Default\.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell\open\command	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe\" -- \"%1\""	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\shell\open\command	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.heic\shell	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\AppUserModelID = "Tencent.QQBrowser.Default"	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\Software\Classes\QQBrowser.Protocol	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default\.exe\shell\open\command	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	QBPin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	QBPin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default\.exe\shell	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\ = "QQBrowser HTML Document"	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\DefaultIcon	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\ = "QQBrowser HTML Document"	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\DefaultIcon\ = "C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe,0"	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\URL Protocol	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\DefaultIcon\ = "C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe,0"	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.heic\ = "QQBrowser.heic"	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.heic\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe\" -- \"%1\""	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\URL Protocol	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\shell\ = "open"	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\shell	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\AppUserModelID = "Tencent.QQBrowser.Default"	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\ = "QQBrowser Protocol"	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default\.exe\shell\ = "open"	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default\.exe\shell\open	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell\open	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\DefaultIcon	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\shell\open	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe\" -- \"%1\""	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.heic\ = "C:\\Users\\Admin\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\AssocIcon\\general.ico"	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.heic\shell\open\command	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\Software\Classes\QQBrowser.File	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.heic\shell\open	QQBrowser_Setup_10.5.3869_1100110740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default\.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tencent.QQBrowser.Default\.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe\" %*"	QQBrowser_Setup_10.5.3869_1100110740.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

QQBrowser_Setup_10.5.3869_1100110740.exe

pid	process
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
1540	QQBrowser_Setup_10.5.3869_1100110740.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe

pid process

2632 30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe

pid	process
2632	30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exeQQBrowser_Setup_10.5.3869_1100110740.exe

description	pid	process	target process
PID 2632 wrote to memory of 1540	2632	30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
PID 2632 wrote to memory of 1540	2632	30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
PID 2632 wrote to memory of 1540	2632	30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe	QQBrowser_Setup_10.5.3869_1100110740.exe
PID 1540 wrote to memory of 2044	1540	QQBrowser_Setup_10.5.3869_1100110740.exe	QBPin.exe
PID 1540 wrote to memory of 2044	1540	QQBrowser_Setup_10.5.3869_1100110740.exe	QBPin.exe
PID 1540 wrote to memory of 3340	1540	QQBrowser_Setup_10.5.3869_1100110740.exe	QBPin.exe
PID 1540 wrote to memory of 3340	1540	QQBrowser_Setup_10.5.3869_1100110740.exe	QBPin.exe

C:\Users\Admin\AppData\Local\Temp\30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe
"C:\Users\Admin\AppData\Local\Temp\30f056456e85b4375c34fbfca57a634b28fa3f8f7eb1c258392a83d799f89f72.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\QQBrowser_Setup_10.5.3869_1100110740.exe
C:\Users\Admin\AppData\Local\Temp/QQBrowser_Setup_10.5.3869_1100110740.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540

C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe
"C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe" pin "C:\Users\Admin\AppData\Local\Temp\14abe56d2c6\QQ浏览器.lnk"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2044

C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe
"C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe" pin_start "C:\Users\Admin\AppData\Local\Temp\14abe56d2c6\QQ浏览器.lnk"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\F1Assistant.dll
Filesize
5.3MB

MD5
09f90156bcb0f9686ffff2cde3860788

SHA1
e1fb137b7c81cd1f72322956757b729d8985ebbb

SHA256
fd35fef15f2145ac5247133b93a57ebe3f8caad04148d654bc5334833b827b87

SHA512
e2b0eb09ed6d3661a098e7a92069d51a4bc3aa1e69e69ede7d5e76f5be77d7edebd43d9a0917cab8494f5180bdd0b4dcaa23edfe56fa2ec4669d6032657fe5f1

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe
Filesize
138KB

MD5
3126674c646133739fd0d7b8b7fe03c1

SHA1
ddcb79d99f637e540983d788840c0d1199261eb7

SHA256
f5f14299e79074e68ae72ad1e7d934850a6850758af605b7fd50aab549b83d99

SHA512
a6d4059ada182428c93c779f119097cc548e833f5db4ce1c04772d3155a8787b53919c346a9fe828b8eb01c4ecdb44c7df8bb99688387fa4d979d2a62caa693b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe
Filesize
138KB

MD5
3126674c646133739fd0d7b8b7fe03c1

SHA1
ddcb79d99f637e540983d788840c0d1199261eb7

SHA256
f5f14299e79074e68ae72ad1e7d934850a6850758af605b7fd50aab549b83d99

SHA512
a6d4059ada182428c93c779f119097cc548e833f5db4ce1c04772d3155a8787b53919c346a9fe828b8eb01c4ecdb44c7df8bb99688387fa4d979d2a62caa693b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\10.5.3869.400\QBPin.exe
Filesize
138KB

MD5
3126674c646133739fd0d7b8b7fe03c1

SHA1
ddcb79d99f637e540983d788840c0d1199261eb7

SHA256
f5f14299e79074e68ae72ad1e7d934850a6850758af605b7fd50aab549b83d99

SHA512
a6d4059ada182428c93c779f119097cc548e833f5db4ce1c04772d3155a8787b53919c346a9fe828b8eb01c4ecdb44c7df8bb99688387fa4d979d2a62caa693b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14abe56d2c6\QQ浏览器.lnk
Filesize
2KB

MD5
e2f8dbb41cf18fba74ee8575997c2e07

SHA1
f7b779ef6dbb860a280fc3d60aaa3f5bfcd888a3

SHA256
b1ccb7d3772db37ff60efa1ef83a5a034ef1cf9a33708503d7144804a702d576

SHA512
68f957bf830f1c9e7259f8aa9229cad34157abb41679138a85a61fb1502ba1d5f81fdc0ac476ee707f5ee3d32d1ebe2a96a300f1c61a8d5675cfadbda263f377

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowser_Setup_10.5.3869_1100110740.exe
Filesize
78.9MB

MD5
282dc7b3c792de1cb65f59602f394e28

SHA1
0a6f0a6f22534ef90282ba94d6562ffd0780e5e5

SHA256
f439e5cb87d8c25913cbadb6a57b41b725ee526dedc24c1c26678bf5c4f1f078

SHA512
fcf2c1df37adaa6ae650964d541622a7c63f96937c691614773dff8a14b580c287dc4e751326966399ddc02d36fde0abb72e267bb1343f6aa4bf4c07e7f3b324

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowser_Setup_10.5.3869_1100110740.exe
Filesize
78.9MB

MD5
282dc7b3c792de1cb65f59602f394e28

SHA1
0a6f0a6f22534ef90282ba94d6562ffd0780e5e5

SHA256
f439e5cb87d8c25913cbadb6a57b41b725ee526dedc24c1c26678bf5c4f1f078

SHA512
fcf2c1df37adaa6ae650964d541622a7c63f96937c691614773dff8a14b580c287dc4e751326966399ddc02d36fde0abb72e267bb1343f6aa4bf4c07e7f3b324

Download Submit
memory/1540-135-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-137-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/1540-132-0x0000000000000000-mapping.dmp

Download
memory/2044-138-0x0000000000000000-mapping.dmp

Download
memory/2044-141-0x00007FFE32330000-0x00007FFE32340000-memory.dmp

Filesize
64KB

Download
memory/3340-143-0x0000000000000000-mapping.dmp

Download

pid	process
1540	QQBrowser_Setup_10.5.3869_1100110740.exe
2044	QBPin.exe
3340	QBPin.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads