plugx | 3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
Size

373KB
MD5

b4cd8916abf1efcb87ba2cc570a9cf4a
SHA1

6457cd064d7587ce486be350e57530619397fa14
SHA256

3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776
SHA512

861c8d458c4d9c9cc9257be247c65311e78f86bc6bc088b5a918350d1c89502d0135245d69990ec40f416da8b2601fdf75687e0fb218c67b401790e95471d6fc
SSDEEP

6144:F94YVuWi4ySWFLl0XO5tbmTpLDrTARIN8CpgfqzyaZ1XZgVhrMnAgYSsq79L/3I:X4YV1i400itbmTaJfQ7/AgYSj7ZA

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1076-75-0x0000000000290000-0x00000000002BD000-memory.dmp	family_plugx
behavioral1/memory/1184-88-0x0000000000290000-0x00000000002BD000-memory.dmp	family_plugx
behavioral1/memory/1076-89-0x0000000000290000-0x00000000002BD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

1.exeQQBrowserUpdateService.exeQQBrowserUpdateService.exe

pid process

904 1.exe
1076 QQBrowserUpdateService.exe
1832 QQBrowserUpdateService.exe

pid	process
904	1.exe
1076	QQBrowserUpdateService.exe
1832	QQBrowserUpdateService.exe

Loads dropped DLL 6 IoCs

Processes:

3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe1.exeQQBrowserUpdateService.exeQQBrowserUpdateService.exe

pid	process
1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
904	1.exe
1076	QQBrowserUpdateService.exe
1832	QQBrowserUpdateService.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEQQBrowserUpdateService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30004300440045003700320041004200460042003000310044004100330036000000	QQBrowserUpdateService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1128 WINWORD.EXE

pid	process
1128	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

QQBrowserUpdateService.exemsiexec.exe

pid	process
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1076	QQBrowserUpdateService.exe
1076	QQBrowserUpdateService.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe
1184	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

QQBrowserUpdateService.exe

pid process

1076 QQBrowserUpdateService.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

QQBrowserUpdateService.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1076	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	1076	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	1184	msiexec.exe
Token: SeTcbPrivilege	1184	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1128 WINWORD.EXE
1128 WINWORD.EXE

pid	process
1128	WINWORD.EXE
1128	WINWORD.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe1.exeQQBrowserUpdateService.exeWINWORD.EXE

description	pid	process	target process
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 1108 wrote to memory of 904	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	1.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 904 wrote to memory of 1076	904	1.exe	QQBrowserUpdateService.exe
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1108 wrote to memory of 1128	1108	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	WINWORD.EXE
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1076 wrote to memory of 1184	1076	QQBrowserUpdateService.exe	msiexec.exe
PID 1128 wrote to memory of 1012	1128	WINWORD.EXE	splwow64.exe
PID 1128 wrote to memory of 1012	1128	WINWORD.EXE	splwow64.exe
PID 1128 wrote to memory of 1012	1128	WINWORD.EXE	splwow64.exe
PID 1128 wrote to memory of 1012	1128	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
"C:\Users\Admin\AppData\Local\Temp\3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1076
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1012

C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe
"C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe" 100 1076
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe
Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQBrowser\pdh.dll
Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.doc
Filesize
93KB

MD5
076f70b8fcf18d1097b6b51191f162b5

SHA1
c7d23e0e312c3218aed1a395968dcaae1553f48a

SHA256
58c951e77bfedc6bf3d23b668a5c2a6cb9fc67345fa8beb03131ad8ceaa395b0

SHA512
216486d011b975e996148d534e6d52b5725b74b756a950be7df59d302da11af50c0dd9faf4fd0a4cddfe9841e22059488090a89e041adea4361ecb3d1cf84b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdh.dll
Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdh.dll.pak
Filesize
111KB

MD5
685b3b018e2b56918ea195941bbf86f9

SHA1
ec1fffed6436a88be6a7a6b7061d364ff72c245c

SHA256
613f50eeef023471190bda9112c67db2559a36436f426bf96129e0f5dba69399

SHA512
7e8bda580ab606e4fb1f7f28f8b0651fd3f4ef62214f305e5b90aae27386652dd089cb281ce778bca6771d80f35117aa129531a0a44b842baf94e25f427b8d9a

Download Submit
\ProgramData\QQBrowser\PDH.dll
Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
\Users\Admin\AppData\Local\Temp\PDH.dll
Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
memory/904-58-0x0000000000000000-mapping.dmp

Download
memory/904-69-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/1012-92-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1012-91-0x0000000000000000-mapping.dmp

Download
memory/1076-62-0x0000000000000000-mapping.dmp

Download
memory/1076-89-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/1076-75-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/1076-74-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/1108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1128-73-0x0000000070591000-0x0000000070593000-memory.dmp

Filesize
8KB

Download
memory/1128-83-0x000000007157D000-0x0000000071588000-memory.dmp

Filesize
44KB

Download
memory/1128-72-0x0000000072B11000-0x0000000072B14000-memory.dmp

Filesize
12KB

Download
memory/1128-90-0x000000007157D000-0x0000000071588000-memory.dmp

Filesize
44KB

Download
memory/1128-70-0x0000000000000000-mapping.dmp

Download
memory/1128-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1128-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1128-94-0x000000007157D000-0x0000000071588000-memory.dmp

Filesize
44KB

Download
memory/1184-84-0x00000000000B0000-0x00000000000CB000-memory.dmp

Filesize
108KB

Download
memory/1184-86-0x0000000000000000-mapping.dmp

Download
memory/1184-88-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download