Overview
overview
10Static
static
803ff897da4...b3.exe
windows7_x64
703ff897da4...b3.exe
windows10_x64
710493d98a6...41.exe
windows7_x64
710493d98a6...41.exe
windows10_x64
711747d3247...67.exe
windows7_x64
711747d3247...67.exe
windows10_x64
San11 Tc/D...eg.htm
windows7_x64
1San11 Tc/D...eg.htm
windows10_x64
1San11 Tc/DrvMgt.dll
windows7_x64
1San11 Tc/DrvMgt.dll
windows10_x64
1San11 Tc/L...es.exe
windows7_x64
1San11 Tc/L...es.exe
windows10_x64
1San11 Tc/S...er.exe
windows7_x64
1San11 Tc/S...er.exe
windows10_x64
1San11 Tc/S...er.exe
windows7_x64
1San11 Tc/S...er.exe
windows10_x64
1San11 Tc/S...YS.exe
windows7_x64
San11 Tc/S...YS.exe
windows10_x64
San11 Tc/San11.exe
windows7_x64
8San11 Tc/San11.exe
windows10_x64
8San11 Tc/san11pk.exe
windows7_x64
3San11 Tc/san11pk.exe
windows10_x64
1San11 Tc/�...��.exe
windows7_x64
3San11 Tc/�...��.exe
windows10_x64
1023c9e16cc6...7b.exe
windows7_x64
523c9e16cc6...7b.exe
windows10_x64
536a18ae31f...d0.exe
windows7_x64
736a18ae31f...d0.exe
windows10_x64
74109a062b3...d4.exe
windows7_x64
84109a062b3...d4.exe
windows10_x64
8CW3.exe
windows7_x64
1CW3.exe
windows10_x64
1Analysis
-
max time kernel
128s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 15:32
Static task
static1
Behavioral task
behavioral1
Sample
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral2
Sample
03ff897da4bfb8bc549fdb1ebf7ee940bcb9b57fed7d26d83c45d1e9ec1f40b3.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral3
Sample
10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral4
Sample
10493d98a6e78b7bbc60a9aae5ce5fa1a67cdace2a6be41740c92e21dcdb5f41.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral5
Sample
11747d3247254b7db3fb7d6b8c0b47d21546b208b1573a73ae20f46ca4131e67.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral6
Sample
11747d3247254b7db3fb7d6b8c0b47d21546b208b1573a73ae20f46ca4131e67.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral7
Sample
San11 Tc/Doc/Reg/san11_reg.htm
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral8
Sample
San11 Tc/Doc/Reg/san11_reg.htm
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral9
Sample
San11 Tc/DrvMgt.dll
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral10
Sample
San11 Tc/DrvMgt.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral11
Sample
San11 Tc/LinkSan11Res.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral12
Sample
San11 Tc/LinkSan11Res.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral13
Sample
San11 Tc/S11Launcher.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral14
Sample
San11 Tc/S11Launcher.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral15
Sample
San11 Tc/S11PKLauncher.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral16
Sample
San11 Tc/S11PKLauncher.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral17
Sample
San11 Tc/SECDRV.SYS.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral18
Sample
San11 Tc/SECDRV.SYS.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral19
Sample
San11 Tc/San11.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral20
Sample
San11 Tc/San11.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral21
Sample
San11 Tc/san11pk.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral22
Sample
San11 Tc/san11pk.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral23
Sample
San11 Tc/开始游戏.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral24
Sample
San11 Tc/开始游戏.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral25
Sample
23c9e16cc6549ca05d349e7d04805309171cfe8a8426cdb7376f2a41b757a67b.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral26
Sample
23c9e16cc6549ca05d349e7d04805309171cfe8a8426cdb7376f2a41b757a67b.exe
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral27
Sample
36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Resource
win7-en-20210920
windows7_x64
Behavioral task
behavioral28
Sample
36a18ae31faa401de370fc7c808bd43f5f7af14c9f6f71cbd2aa9f8cca6555d0.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral29
Sample
4109a062b38d66ee7222cd984120e056acd0f5dad490c623f411c8abb18796d4.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral30
Sample
4109a062b38d66ee7222cd984120e056acd0f5dad490c623f411c8abb18796d4.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral31
Sample
CW3.exe
Resource
win7-en-20211014
windows7_x64
Behavioral task
behavioral32
Sample
CW3.exe
Resource
win10-en-20210920
windows10_x64
General
-
Target
San11 Tc/LinkSan11Res.exe
-
Size
2.7MB
-
MD5
db509fc939b15b8f1276ed1c07bb98e7
-
SHA1
faaa5e7aceb02c14bb466320850697bfce0f39a4
-
SHA256
224657b8adef1a3eb9784d924a730751a05f9aa93b48628b1bfa1f058486169d
-
SHA512
f1db7985c312bd7715919506c6736a02f3956b91b6a8f1d75b1a7b693566dbd452e3b160d218a0ccc00645e60dcb06b9af95f5427b69cc67e57ccb16cfb6375d
Malware Config
Signatures
-
Modifies registry class 36 IoCs
Processes:
LinkSan11Res.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LinkSan11Res.Application\CLSID\ = "{8C306064-52F3-4724-A485-3C44005E7ACA}" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5} LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\FLAGS LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\ProgID\ = "LinkSan11Res.Application" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\LocalServer32 LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SAN11T~1\\LINKSA~1.EXE" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214} LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214}\ = "ILinkSan11Res" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\ = "LinkSan11Res.Application" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\ = "LinkSan11Res" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LinkSan11Res.Application LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LinkSan11Res.Application\ = "LinkSan11Res.Application" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214}\ = "ILinkSan11Res" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214}\TypeLib LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LinkSan11Res.Application\CLSID LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\InprocHandler32 LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\InprocHandler32\ = "ole32.dll" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\0 LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\0\win32 LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\San11 Tc\\LinkSan11Res.exe" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA} LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C306064-52F3-4724-A485-3C44005E7ACA}\ProgID LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0 LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214}\TypeLib\Version = "1.0" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\HELPDIR LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\San11 Tc" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214}\TypeLib\ = "{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214}\ProxyStubClsid32 LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214}\TypeLib\ = "{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}" LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9AF99991-DFC9-4700-AF3C-3C0B0CF66BA5}\1.0\FLAGS\ = "0" LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214} LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214}\ProxyStubClsid32 LinkSan11Res.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732E9066-5337-406A-83D1-D4A330635214}\TypeLib LinkSan11Res.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{732E9066-5337-406A-83D1-D4A330635214}\TypeLib\Version = "1.0" LinkSan11Res.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
LinkSan11Res.exepid process 1676 LinkSan11Res.exe 1676 LinkSan11Res.exe