48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e

Analysis

max time kernel
84s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
Size

1.1MB
MD5

71732eb5647b8cd8a12cd8cd68502255
SHA1

f262f14249059df102414bfeaa5d61beffe13b40
SHA256

48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e
SHA512

b6df55e57e2c785bc713f92e1b1c6743810c0eebe7967c344f1a5a70ae9dc0c9a8843ff69903623a4b359b15ba9c121f6722f902dfd0b661d6ccb9f1853f790d
SSDEEP

24576:Y7IvpH41Cl36RgrO/+6WdKHsJYrrg0H+2UbDC:Y72mVpOY3gH2UbD

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2896	Logo1_.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
3948	QQPCMgr_Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
File created	C:\Windows\Logo1_.exe	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_6 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e16177add6ecaa94d4f7bf3ac2344cf6f8f05	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_22 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_8 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dcd83972677185ad85e8fa7c	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_7 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_29 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_31 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e16177add6ecaa94d4f7bf3ac2344cf6f8f05	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_43 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44f66fbf052b8cb103fa5e917a4beb61b7ed0058ab80ea5fb90928	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_44 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44f66fbf052b8cb103fa5e917a4beb61b7ed0058ab80ea5fb90928	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_11 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_30 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_32 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa190e476ab7ebd82872477181ad88e8e67cef1b	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_35 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_16 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e14177edd6bcaad4d497bf5ac2744	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_23 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_46 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c175fdd77caa54d487bf7ac3244c46f8805378c	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_48 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbd9cad1480299904e9c6c8a21d167d3193a10660b696bc6b1d877fff7faa1d901095d7634d067a388	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_55 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c174ddd71caa24d587bf5ac2444	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_21 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dad83972697190ad87e8ef7cfe1bbfffb8d6	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_37 = 3874d037c712e267fc05809e9cffdb765a172ee31b9238562ac3f722952e351776dd2bcaf44d	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_54 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c174bdd71caa54d497befac2544cf6f8f05	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_24 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_53 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c1756dd6dcab54d547bf9ac	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_27 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ded82e726d718ead9fe8eb7cf81bfaff98d62c779267eeab772d18b2321c41de561f	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_39 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e001772dd7bcab24d487be8ac3244d96f	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_59 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa19054751b7fcd832725871a2ad9ee8fc7ce41b	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_9 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd839726a7184adbfe8e17c	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TestWritable = 7b74ea37	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_5 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e141774dd7bcab34d507bffac3944de6f8f05	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_38 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_42 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_45 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea6eb91f2832bc40669627478210fb6a85c195	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_47 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadaae8ea7ce71bb3ffa5d62d778e67e8ab712d1ab2331c5cde531fcab81406cbbbf7cada4803998a4e	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\NewVersionAvailable	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\UpdateVersion	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\QMConfig	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_2 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_41 = 3874d037c712e267fc05809e9cffdb765a172ee31b9218562ac3f722b62e1f174cdd2ecaf24d	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_13 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e1d176edd6bcaaf4d5e7b	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_36 = 3874d037c712e267fc05809e9cffdb765a172ee3	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_0 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e14177edd6bcaad4d497bf5ac2744	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_14 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e061772dd7ccaa34d527be9ac	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_20 = 3874d037c712e267fc05809e9cffdb765a172ee31b920d563cc3ea22952e2317	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_25 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c175fdd7dcab54d567beeac3844da6f	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_33 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa190e476ab7ebd8287247718fad84e8e57ce31bbfffb8d6	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_34 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa190f474db7fdd828726b7192ad92e8	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_40 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSimpleVersionNetConfig = 7b74ea37	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_19 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7c0d83972707197ad84e8fc7ce11bfaff98d62c779267eeab772d18b2321c41de561f	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_26 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_28 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_56 = 3874d037c712e267fc05809e9cffdb765a172ee31b92395636c3f7228e2e251769dd7bcaa34d4e7b	QQPCMgr_Setup.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2284	2036	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	85
PID 2036 wrote to memory of 2284	2036	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	85
PID 2036 wrote to memory of 2284	2036	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	85
PID 2036 wrote to memory of 2896	2036	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	86
PID 2036 wrote to memory of 2896	2036	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	86
PID 2036 wrote to memory of 2896	2036	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	86
PID 2896 wrote to memory of 1212	2896	Logo1_.exe	88
PID 2896 wrote to memory of 1212	2896	Logo1_.exe	88
PID 2896 wrote to memory of 1212	2896	Logo1_.exe	88
PID 1212 wrote to memory of 1196	1212	net.exe	90
PID 1212 wrote to memory of 1196	1212	net.exe	90
PID 1212 wrote to memory of 1196	1212	net.exe	90
PID 2284 wrote to memory of 1320	2284	cmd.exe	92
PID 2284 wrote to memory of 1320	2284	cmd.exe	92
PID 2284 wrote to memory of 1320	2284	cmd.exe	92
PID 2896 wrote to memory of 3216	2896	Logo1_.exe	45
PID 2896 wrote to memory of 3216	2896	Logo1_.exe	45
PID 1320 wrote to memory of 3948	1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	104
PID 1320 wrote to memory of 3948	1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	104
PID 1320 wrote to memory of 3948	1320	NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6D7F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
        
        "C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe" /S ##silence=1&handle=524388&update=1&supply=79401&forceinstall=1&qqpcmgr=0&DownloadSetupInOne=1
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3948
      - C:\Windows\SysWOW64\cacls.exe
        
        "cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\16.8.24468.211" /t /e /c /g SYSTEM:f
        6⤵
        
        PID:4120
      - C:\Program Files (x86)\Tencent\QQPCMgr\16.8.24468.211\QQPCSoftCmd.exe
        
        "C:\Program Files (x86)\Tencent\QQPCMgr\16.8.24468.211\QQPCSoftCmd.exe" /command=SetSimpleVersionConfig /SimpleVersion=2 /From=Installer
        6⤵
        
        PID:1988
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a6D7F.bat

Filesize
770B

MD5
186ba0436e5c57366aeb9218bbf22edc

SHA1
7fc38a5acd723ea54b950eaa8acb514eecbccef6

SHA256
f32cf941a4e0b02d1e5298f33a104579f6f83d8a8bb07c28b9410d08b2e41a40

SHA512
a66bce2527d015bb929cfddf1780293f5b85f0acfb700314cd919c1aa19e5677b720ad29150f7ee9e23b157e7636406dd92e196b8b2df6a04b02e41e74a6c0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

Filesize
1.1MB

MD5
72a20a60da7293a8df665ae07c4121a0

SHA1
e8f46a54aaff502d5de46eb9ee17bbba5f58e301

SHA256
08aa61ff4a66962e89a9774c3a9e7922ede89bbcd294ac87cd75aae5a600c151

SHA512
54de2877f9a414fd0047a44b07c27e1acf76795cb4c1ac9eccfd1f9e9f3c98093d3c051ab935d47c8c53ad42d8e4728143fbdaefe82713ea687937bfc6d6e9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe.exe

Filesize
1.1MB

MD5
72a20a60da7293a8df665ae07c4121a0

SHA1
e8f46a54aaff502d5de46eb9ee17bbba5f58e301

SHA256
08aa61ff4a66962e89a9774c3a9e7922ede89bbcd294ac87cd75aae5a600c151

SHA512
54de2877f9a414fd0047a44b07c27e1acf76795cb4c1ac9eccfd1f9e9f3c98093d3c051ab935d47c8c53ad42d8e4728143fbdaefe82713ea687937bfc6d6e9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e576f92\QQPCDownload.dll

Filesize
1.3MB

MD5
8eac6c3146f7d8db62a773e32bc6cf53

SHA1
a5d3ad50eac345e298cdb3b7f80f4966fb4234c1

SHA256
28d2477926de5d5a8ffcb708cb0c95c3aa9808d757f77b92f82ad4aa50a05cc8

SHA512
c3b9a21e0f649699401b5def8b3ec4939a336086d8f470d1d79c69ebccf9ffeafbe9133303d89bc6d0beb713624be52d93ce3bc3204bf62f91fedb2879f868fe

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe

Filesize
127.3MB

MD5
0413e55c76011e621c33a1fabe1813c9

SHA1
8eb43d6099da96d9e6a3728316c145d170f9f63c

SHA256
df5b41891e00ddf4b56116202dc005b880f6380dab5f82d5e63f3b20778ee123

SHA512
f9a4d6239639e412634602cdd67a2bedb4e817ac7fc6ab14b01c8b6a39a42ffc9487e0d94a83e57c4d941f0c09f03c4a995cfd3cb9ffa7551b8a44974064ab91

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
1a720367f885df1bd4420e96237a0013

SHA1
ab2a15dc7b967975af194d5abc757b67b884b72c

SHA256
4ae58b687ef04bc7901a3c74108f5c580ee2e085b287fd50fabaf1512a42ad86

SHA512
f44f03ec6f12a418a2ac541df4f4dd5414b89d6b80b818ee4792fa87e0831aa83e86a4ab9e888322a10f573fc8e68155fe0c6bb2636c8e7edc0679dcf5449d54

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
1a720367f885df1bd4420e96237a0013

SHA1
ab2a15dc7b967975af194d5abc757b67b884b72c

SHA256
4ae58b687ef04bc7901a3c74108f5c580ee2e085b287fd50fabaf1512a42ad86

SHA512
f44f03ec6f12a418a2ac541df4f4dd5414b89d6b80b818ee4792fa87e0831aa83e86a4ab9e888322a10f573fc8e68155fe0c6bb2636c8e7edc0679dcf5449d54

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
1a720367f885df1bd4420e96237a0013

SHA1
ab2a15dc7b967975af194d5abc757b67b884b72c

SHA256
4ae58b687ef04bc7901a3c74108f5c580ee2e085b287fd50fabaf1512a42ad86

SHA512
f44f03ec6f12a418a2ac541df4f4dd5414b89d6b80b818ee4792fa87e0831aa83e86a4ab9e888322a10f573fc8e68155fe0c6bb2636c8e7edc0679dcf5449d54

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1926387074-3400613176-3566796709-1000\_desktop.ini

Filesize
9B

MD5
a2fae4db32159548a9fccda46ab88233

SHA1
d57c64b9dac9f95995c9012ecc5165d9d3e97fd0

SHA256
893642ba8870266e4c26cd6a2dee47512d3ed2ac89ac9b020e23c6e1c05e3d3f

SHA512
83aa09a389ee5b3ecbc624b3d50be3aa0a44690f3cd20256db57a30b004e8da096bd628bbb09f8067930c62be2b9a126ec6a7b22236aedbfe6769443d6f08486

Download Submit
memory/1988-92-0x0000000076630000-0x0000000076720000-memory.dmp

Filesize
960KB

Download
memory/1988-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1988-91-0x0000000076630000-0x0000000076720000-memory.dmp

Filesize
960KB

Download
memory/2036-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-84-0x0000000073B30000-0x0000000073B45000-memory.dmp

Filesize
84KB

Download
memory/3948-85-0x0000000073B30000-0x0000000073B44000-memory.dmp

Filesize
80KB

Download
memory/3948-86-0x0000000073BA0000-0x0000000073BB2000-memory.dmp

Filesize
72KB

Download