Overview
overview
9Static
static
9TheWorldPo...me.dll
windows7-x64
3TheWorldPo...me.dll
windows10-2004-x64
3TheWorldPo...ent.js
windows7-x64
1TheWorldPo...ent.js
windows10-2004-x64
1TheWorldPo...ld.dll
windows7-x64
1TheWorldPo...ld.dll
windows10-2004-x64
1TheWorldPo...mo.dll
windows7-x64
3TheWorldPo...mo.dll
windows10-2004-x64
3TheWorldPo...32.dll
windows7-x64
1TheWorldPo...32.dll
windows10-2004-x64
1TheWorldPo...dt.dll
windows7-x64
3TheWorldPo...dt.dll
windows10-2004-x64
3TheWorldPo...ad.dll
windows7-x64
1TheWorldPo...ad.dll
windows10-2004-x64
1TheWorldPo...ad.dll
windows7-x64
8TheWorldPo...ad.dll
windows10-2004-x64
8TheWorldPo...rl.dll
windows7-x64
1TheWorldPo...rl.dll
windows10-2004-x64
1TheWorldPo...er.dll
windows7-x64
1TheWorldPo...er.dll
windows10-2004-x64
3TheWorldPo...ex.dll
windows7-x64
1TheWorldPo...ex.dll
windows10-2004-x64
1TheWorldPo...cp.dll
windows7-x64
1TheWorldPo...cp.dll
windows10-2004-x64
3TheWorldPo...it.dll
windows7-x64
1TheWorldPo...it.dll
windows10-2004-x64
1TheWorldPo...it.dll
windows7-x64
1TheWorldPo...it.dll
windows10-2004-x64
1TheWorldPo...ei.dll
windows7-x64
1TheWorldPo...ei.dll
windows10-2004-x64
3TheWorldPo...ces.js
windows7-x64
1TheWorldPo...ces.js
windows10-2004-x64
1Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27/11/2022, 07:12
Behavioral task
behavioral1
Sample
TheWorldPortable/Application/6.2.0.128/chrome.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
TheWorldPortable/Application/6.2.0.128/chrome.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
TheWorldPortable/Application/6.2.0.128/chrome_100_percent.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
TheWorldPortable/Application/6.2.0.128/chrome_100_percent.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
TheWorldPortable/Application/6.2.0.128/chrome_child.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
TheWorldPortable/Application/6.2.0.128/chrome_child.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
TheWorldPortable/Application/6.2.0.128/ffmpegsumo.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
TheWorldPortable/Application/6.2.0.128/ffmpegsumo.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
TheWorldPortable/Application/6.2.0.128/gcswf32.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
TheWorldPortable/Application/6.2.0.128/gcswf32.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
TheWorldPortable/Application/6.2.0.128/icudt.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
TheWorldPortable/Application/6.2.0.128/icudt.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
TheWorldPortable/Application/6.2.0.128/plugins/np115upload.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
TheWorldPortable/Application/6.2.0.128/plugins/np115upload.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
TheWorldPortable/Application/6.2.0.128/plugins/np360upload.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
TheWorldPortable/Application/6.2.0.128/plugins/np360upload.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npAliSecCtrl.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npAliSecCtrl.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npUploader.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npUploader.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npactivex.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npactivex.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npalidcp.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral24
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npalidcp.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npaliedit.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral26
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npaliedit.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
TheWorldPortable/Application/6.2.0.128/plugins/nptxftnWebKit.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral28
Sample
TheWorldPortable/Application/6.2.0.128/plugins/nptxftnWebKit.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npxunlei.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral30
Sample
TheWorldPortable/Application/6.2.0.128/plugins/npxunlei.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
TheWorldPortable/Application/6.2.0.128/resources.js
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral32
Sample
TheWorldPortable/Application/6.2.0.128/resources.js
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
TheWorldPortable/Application/6.2.0.128/plugins/npAliSecCtrl.dll
-
Size
319KB
-
MD5
f8a73ad4ffd5344898784045afcbb61f
-
SHA1
0f393c69bf22380ba9c15dc5e7003edf24355f16
-
SHA256
050f3ed5951ceff7fc0e4a1a21723cd81793159f587d174b43ff4cf95307a0b8
-
SHA512
7750f5b02e2c7508574f78375389cf31e11be2e9f3cdabdb5cd9d0c1016ddd25a244669bf989261faf34dd70eba34c3b872d6e3d10c409fa94fc21964e992aa3
-
SSDEEP
6144:sXZq2P3zFr7GAVW0cjh3jISY7OJ295JlCdHRLi1sYziuPiU6H0:ss2PD57GHh3c77msxMRU3Pim
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ = "ISecCtrl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\TypeLib\ = "{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\ = "SecCtrl Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\TypeLib regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\AppID = "{8F982283-A269-4395-A31A-4387439CE661}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl\CLSID\ = "{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl\CurVer\ = "npAliSecCtrl.SecCtrl.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWorldPortable\\Application\\6.2.0.128\\plugins\\npAliSecCtrl.dll, 102" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A1879C0-16EF-42D0-9145-95AB096068A1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\TypeLib\ = "{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A1879C0-16EF-42D0-9145-95AB096068A1}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWorldPortable\\Application\\6.2.0.128\\plugins\\npAliSecCtrl.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ProxyStubClsid32\ = "{1A1879C0-16EF-42D0-9145-95AB096068A1}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\NumMethods\ = "10" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TheWorldPortable\\Application\\6.2.0.128\\plugins" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\MiscStatus\1\ = "131473" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\npAliSecCtrl.DLL regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl\ = "SecCtrl Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\TypeLib\ = "{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A1879C0-16EF-42D0-9145-95AB096068A1}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\VersionIndependentProgID\ = "npAliSecCtrl.SecCtrl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\TypeLib\ = "{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ = "ISecCtrl" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8F982283-A269-4395-A31A-4387439CE661}\ = "npAliSecCtrl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\ProgID\ = "npAliSecCtrl.SecCtrl.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{342A599D-694C-45AA-BD07-7CFD8FA3B3A6}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\npAliSecCtrl.SecCtrl\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB7C6CB-2DA6-4ABE-B2EA-EAC5A372E757}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED873E93-0916-4FAF-BDA8-AA4A37A4D94C}\1.0\ = "npAliSecCtrl 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1879C0-16EF-42D0-9145-95AB096068A1}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\npAliSecCtrl.DLL\AppID = "{8F982283-A269-4395-A31A-4387439CE661}" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1500 wrote to memory of 3948 1500 regsvr32.exe 77 PID 1500 wrote to memory of 3948 1500 regsvr32.exe 77 PID 1500 wrote to memory of 3948 1500 regsvr32.exe 77
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\TheWorldPortable\Application\6.2.0.128\plugins\npAliSecCtrl.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\TheWorldPortable\Application\6.2.0.128\plugins\npAliSecCtrl.dll2⤵
- Modifies registry class
PID:3948
-