a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
Size

4.1MB
MD5

431898fc759567adcec70f869d138b1f
SHA1

e83641da7ceb94e963cacd329762958d3480b949
SHA256

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa
SHA512

09120d3079bfaad0dcb902872068916c3c202f541eab9c506e2df7b3ce58b5a59e868e9ec995560a25246a8e3d0154a58be5cd317af13eede4124a9020ba07f1
SSDEEP

98304:8wr/2SwTGO2/ixrmfSFUXZFsMTbTwha7G4/pGH:DiSwaixrqSuXIMT/4j4RGH

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe

Executes dropped EXE 4 IoCs

Processes:

wzzx2.exeCefView.exeCefView.exeCefView.exe

pid process

2372 wzzx2.exe
1952 CefView.exe
2816 CefView.exe
2728 CefView.exe

pid	process
2372	wzzx2.exe
1952	CefView.exe
2816	CefView.exe
2728	CefView.exe

Loads dropped DLL 8 IoCs

Processes:

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exewzzx2.exeCefView.exeCefView.exeCefView.exe

pid	process
1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
2372	wzzx2.exe
1952	CefView.exe
2816	CefView.exe
2728	CefView.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exewzzx2.exeCefView.exeCefView.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
File opened for modification	\??\PhysicalDrive0	wzzx2.exe
File opened for modification	\??\PhysicalDrive0	CefView.exe
File opened for modification	\??\PhysicalDrive0	CefView.exe

Drops file in Windows directory 2 IoCs

Processes:

CefView.exeCefView.exe

description ioc process

File opened for modification C:\Windows\ CefView.exe
File opened for modification C:\Windows\ CefView.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\	CefView.exe
File opened for modification	C:\Windows\	CefView.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

CefView.exeCefView.exeCefView.exe

pid	process
1952	CefView.exe
1952	CefView.exe
1952	CefView.exe
1952	CefView.exe
2816	CefView.exe
2816	CefView.exe
2816	CefView.exe
2816	CefView.exe
2728	CefView.exe
2728	CefView.exe
2728	CefView.exe
2728	CefView.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wzzx2.exe

pid process

2372 wzzx2.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

wzzx2.exe

pid process

2372 wzzx2.exe

pid	process
2372	wzzx2.exe

pid	process
2372	wzzx2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exewzzx2.exeCefView.exe

description	pid	process	target process
PID 1760 wrote to memory of 2372	1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe	wzzx2.exe
PID 1760 wrote to memory of 2372	1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe	wzzx2.exe
PID 1760 wrote to memory of 2372	1760	a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe	wzzx2.exe
PID 2372 wrote to memory of 1952	2372	wzzx2.exe	CefView.exe
PID 2372 wrote to memory of 1952	2372	wzzx2.exe	CefView.exe
PID 2372 wrote to memory of 1952	2372	wzzx2.exe	CefView.exe
PID 1952 wrote to memory of 2816	1952	CefView.exe	CefView.exe
PID 1952 wrote to memory of 2816	1952	CefView.exe	CefView.exe
PID 1952 wrote to memory of 2816	1952	CefView.exe	CefView.exe
PID 1952 wrote to memory of 2728	1952	CefView.exe	CefView.exe
PID 1952 wrote to memory of 2728	1952	CefView.exe	CefView.exe
PID 1952 wrote to memory of 2728	1952	CefView.exe	CefView.exe

C:\Users\Admin\AppData\Local\Temp\a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe
"C:\Users\Admin\AppData\Local\Temp\a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.exe
"C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.exe" /install_launch
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
"C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe" --parent_wnd=201d6 --tab_rect="0,0,0,0" --tab_ids="C31C349D-F411-4cd0-897C-A5D66ADF2246" --cmd="" --url="http://wan.ludashi.com/micro/wzzx2/index_lds.html?channel=jkwtaskpop&from=jkwtaskpop_wzzx2&timestamp=1680392726&mid=649a686d4ea00f508590d3fe4b929018&open_type=self&scene=1&version=65535.0.230.1009&lastRunTime=&timestamp=1680392726" --tab_group_ids="1212E356-2A06-47fc-B38B-52419AF019AF" --web_view_id=256 --allow-universal-access-from-files --cache_path=C:\Users\Admin\AppData\Roaming\LittleGame\cef_cache --log_file=C:\Users\Admin\AppData\Roaming\LittleGame\cef_cache\cef.log
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
"C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe" --type=renderer --no-sandbox --lang=en-US --lang=zh-CN --log-file="C:\Users\Admin\AppData\Roaming\LittleGame\cef_cache\cef.log" --disable-extensions --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=24.0.0.221 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1952.0.638830517\1533134409" /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
"C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe" --type=utility --channel="1952.1.660726639\1346659008" --lang=en-US --no-sandbox --no-sandbox --lang=zh-CN --log-file="C:\Users\Admin\AppData\Roaming\LittleGame\cef_cache\cef.log" /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\wan[2].txt
Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\NetBridge.dll
Filesize
231KB

MD5
2d74e1f7a2f1b6273a81a8dc8387f691

SHA1
7ac6bc7ec3b9591ccdb029c1d5a8d0ff394e3495

SHA256
afb14730e5dbfdf23d5fab15eb82a251c021b4d721b114c70eae1641f4bd28df

SHA512
c48921684a881922c5ccf561004dcbf195e6a44fb10d1d0d0d6cafe7d58f960485cd3a45de888a58d125918c9d7369158dd3e538b603ab8d575c5e6619d4643c

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\7z.dll
Filesize
1.1MB

MD5
c4aa6d9e72a1721b3f65646e04e702cf

SHA1
6a41028ab246ce033e19da5c54e066e0752cb616

SHA256
d4298c89fc52459842e7658ebf3aa34a9f6e061a97b8984790239609b492f696

SHA512
d2de0b47ec3a5564592797468f02944fe911c66034c08fbeb5ef4592b1cce7561e6ed36e4433d6520f2927b66dbdbe68424939cac286b325eb7e83f09ab65843

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\CefHelper.dll
Filesize
317KB

MD5
0657d87a49e749524ccecea970da2193

SHA1
67c9d3ae52ce502dda09031415a40cccd02743e7

SHA256
eecfcfe66c1f87ab39375f449b7eca5bce0c3db7d10a59c3cca861ffe1905985

SHA512
187205e1577e9b96883e5e498ae15be4c8256d2c8db2f1851e30013e560cb38a1aae2b554687cb9188cbedb7bb8244c5e697b002d281c01f2917d78492e45299

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\CefHelper.dll
Filesize
317KB

MD5
0657d87a49e749524ccecea970da2193

SHA1
67c9d3ae52ce502dda09031415a40cccd02743e7

SHA256
eecfcfe66c1f87ab39375f449b7eca5bce0c3db7d10a59c3cca861ffe1905985

SHA512
187205e1577e9b96883e5e498ae15be4c8256d2c8db2f1851e30013e560cb38a1aae2b554687cb9188cbedb7bb8244c5e697b002d281c01f2917d78492e45299

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\CefRes.dll
Filesize
24.3MB

MD5
d968b1e60a230ad173b48d13a539bf3e

SHA1
4568f37f0d333db9b51a655aa793aae550806ede

SHA256
c0f421bd24431127cd2ea55e450902e608752220f9dbeea27f4e1b367a7d938f

SHA512
a5587269a0d942bea0bd7f123fa6101b6530ef80cf55704e4273772ed308be3a6621e6887276b87ed161da2105468f599e7776eca163e0f700b87cb9c9bff4f7

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\CefRes.dll
Filesize
24.3MB

MD5
d968b1e60a230ad173b48d13a539bf3e

SHA1
4568f37f0d333db9b51a655aa793aae550806ede

SHA256
c0f421bd24431127cd2ea55e450902e608752220f9dbeea27f4e1b367a7d938f

SHA512
a5587269a0d942bea0bd7f123fa6101b6530ef80cf55704e4273772ed308be3a6621e6887276b87ed161da2105468f599e7776eca163e0f700b87cb9c9bff4f7

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\WebView.dll
Filesize
1.3MB

MD5
cb3191d006c23fb7f12eb2fb0a6c2534

SHA1
2a21b854897071c8bb99370ab48afa9e14b275df

SHA256
186e5d542f65db8c01854467fecf7a121825f4336f5c5ecdcbba18466efa22b1

SHA512
029f3904d84cd32a71644ca58c6d2130a066bda276fa856d18331577c071430af699fc088a8d194b5ea732c684829fd5a7d04c6561fed63b88861780c778e76a

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\WebView.dll
Filesize
1.3MB

MD5
cb3191d006c23fb7f12eb2fb0a6c2534

SHA1
2a21b854897071c8bb99370ab48afa9e14b275df

SHA256
186e5d542f65db8c01854467fecf7a121825f4336f5c5ecdcbba18466efa22b1

SHA512
029f3904d84cd32a71644ca58c6d2130a066bda276fa856d18331577c071430af699fc088a8d194b5ea732c684829fd5a7d04c6561fed63b88861780c778e76a

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
Filesize
1.6MB

MD5
a2803aeed9cb724a555bdf0c9a71eeba

SHA1
547ea243e34d089fa1a4a97bfa859189fcf8715e

SHA256
ddee2a77598fc72f237450c3c84bbaf4faa25cd931199546f42c0d2a69f5926b

SHA512
e35996d888d6cf47fe381b92a57e015eb98c24e29894ef95993816149e3ce4a9241e1a4f5248aaa4593faf1ee1958d4b9129543291c169de2d860f23c6313803

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
Filesize
1.6MB

MD5
a2803aeed9cb724a555bdf0c9a71eeba

SHA1
547ea243e34d089fa1a4a97bfa859189fcf8715e

SHA256
ddee2a77598fc72f237450c3c84bbaf4faa25cd931199546f42c0d2a69f5926b

SHA512
e35996d888d6cf47fe381b92a57e015eb98c24e29894ef95993816149e3ce4a9241e1a4f5248aaa4593faf1ee1958d4b9129543291c169de2d860f23c6313803

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
Filesize
1.6MB

MD5
a2803aeed9cb724a555bdf0c9a71eeba

SHA1
547ea243e34d089fa1a4a97bfa859189fcf8715e

SHA256
ddee2a77598fc72f237450c3c84bbaf4faa25cd931199546f42c0d2a69f5926b

SHA512
e35996d888d6cf47fe381b92a57e015eb98c24e29894ef95993816149e3ce4a9241e1a4f5248aaa4593faf1ee1958d4b9129543291c169de2d860f23c6313803

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\CefView.exe
Filesize
1.6MB

MD5
a2803aeed9cb724a555bdf0c9a71eeba

SHA1
547ea243e34d089fa1a4a97bfa859189fcf8715e

SHA256
ddee2a77598fc72f237450c3c84bbaf4faa25cd931199546f42c0d2a69f5926b

SHA512
e35996d888d6cf47fe381b92a57e015eb98c24e29894ef95993816149e3ce4a9241e1a4f5248aaa4593faf1ee1958d4b9129543291c169de2d860f23c6313803

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\cef.pak
Filesize
2.2MB

MD5
4d991b6db94e823aac8cef6eb1959662

SHA1
84856f2eba08c5ad2df6a946e0eb7519bc9fb6cc

SHA256
2e07dc909efb9d9316e15452f168581966bdc7ad8fb607d3d3a339aaa8dc0266

SHA512
9842bf88339eaed96f81e82b1f1b15f6fe259449097e44f5d7738cd0aa79786da5e0b777d84b9a6a1c08bf3d0edfcf71c9cb396bd6c78145c5dfd171b8384f1f

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\cef_100_percent.pak
Filesize
141KB

MD5
ad2ddfc39c78eedc734af6506a579a8c

SHA1
64e66d48ab3a98503948202dec3ff2f35470cd5b

SHA256
58f7ce00d589aaaebfaf3d0badac45924545e49f2d1531156f282eac7abb11b5

SHA512
7482b0c4c51bf4d3c3389a6ccf9c59307911ba793116bac04077594d9b3d6f54a07e6187764201fba8bb31ede88b9ff65ab6867a2526e0f8e7b16136f7978367

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\cef_extensions.pak
Filesize
4.1MB

MD5
6e727928ebeeeb5847c65c15c41802ed

SHA1
d22ba6f8e3160484dd40fd5f4eb685182f404d88

SHA256
221a97daf8263321ceb9ce244452fc97b865b561e399b23d42682fef4785ea7f

SHA512
d39e98d8d2e9afc84f8188e27e412079667df2174da14f93f451396ea1a27fd5abf9fb8218ff02c94b56c60e7e5e59a5819d50d2463ef6f6ad71d29cf1f155a8

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\icudtl.dat
Filesize
9.7MB

MD5
d03ad9a1189d190119209072d048e428

SHA1
aa954098e3ae4c00f67bace45b39a7b4a8242c6a

SHA256
2857fbe46d007307b1e204c6eb1b7e4988973b958ec8edb07445988f332c1ab5

SHA512
4f73a2c0ceef525e5947dc6eeb7608db40e535eeadb37d83842bdd638eb4d9114f3654d8094c0b72c66ae4bb0214b0947cd4fe2b56426f778c07f3cac5faea21

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\libcef.dll
Filesize
47.5MB

MD5
4c4de93f209539707be8d89a123afec1

SHA1
a29a28eaf62550f8307f380744ddda1dcf96fd39

SHA256
2943d3aa899150d20b4e63232b5c178ec6fc2d204ca247d5e5a1b9b1b770993d

SHA512
cedc0162d1734208ef6df83f042f8a16e836c2d7325412e6c89bf6b82df57d1b9fce2416c04c9b77eabbd9773ce846be5e619405703e7d76abf353431c29f228

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\libcef.dll
Filesize
47.5MB

MD5
4c4de93f209539707be8d89a123afec1

SHA1
a29a28eaf62550f8307f380744ddda1dcf96fd39

SHA256
2943d3aa899150d20b4e63232b5c178ec6fc2d204ca247d5e5a1b9b1b770993d

SHA512
cedc0162d1734208ef6df83f042f8a16e836c2d7325412e6c89bf6b82df57d1b9fce2416c04c9b77eabbd9773ce846be5e619405703e7d76abf353431c29f228

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\libcef.dll
Filesize
47.5MB

MD5
4c4de93f209539707be8d89a123afec1

SHA1
a29a28eaf62550f8307f380744ddda1dcf96fd39

SHA256
2943d3aa899150d20b4e63232b5c178ec6fc2d204ca247d5e5a1b9b1b770993d

SHA512
cedc0162d1734208ef6df83f042f8a16e836c2d7325412e6c89bf6b82df57d1b9fce2416c04c9b77eabbd9773ce846be5e619405703e7d76abf353431c29f228

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\libcef.dll
Filesize
47.5MB

MD5
4c4de93f209539707be8d89a123afec1

SHA1
a29a28eaf62550f8307f380744ddda1dcf96fd39

SHA256
2943d3aa899150d20b4e63232b5c178ec6fc2d204ca247d5e5a1b9b1b770993d

SHA512
cedc0162d1734208ef6df83f042f8a16e836c2d7325412e6c89bf6b82df57d1b9fce2416c04c9b77eabbd9773ce846be5e619405703e7d76abf353431c29f228

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\locales\zh-CN.pak
Filesize
38KB

MD5
c3fd82ec2cddcf7192e9de8d9834dbc5

SHA1
f4cdb9879deef57d188b859744e4b1badfca7edc

SHA256
77650516087c2a6c43e7b775beb8148d8f9e6906dbe6bbcf5c3678fcbc02fa9a

SHA512
0542acd610c055fcf68e5c94a616df4b1fb0a0684b9c168f158e2ac97f1ed830fe68753c215d2837be0c5553cb5cf0f3522aa7990e6c91995a7f85293fadfe8e

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\natives_blob.bin
Filesize
402KB

MD5
8f4d6515f4d321313a39a659c3c5ff01

SHA1
f4c95f1abd24c715a3dd4b3e4c9cff5decda7250

SHA256
7d9c0c4d88618bdd16bb0681fdec1dd736e2ed1141ae527a27b22fb93f27848f

SHA512
3c00eb9a8ca8d076140df0071cfa702e1c032edbc20481bb7f7b7a88c1a82c959b8ac901182c2f9d235f55b4528c8e12b1e765119f1e784645c61f66c1c2b007

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\cef\snapshot_blob.bin
Filesize
474KB

MD5
d36180bc71e06d032b0c95ab10f01f51

SHA1
085998f72418c106a4a541312555e00fd4a48c98

SHA256
30fb9d346e000d948d212e70756ac81bc70d6eef195261e37ab4e135318d8d1f

SHA512
19b0cf7135c84e38917da61ae6bfe63e1dd646e710cf9725d340321c9f604b8e41d59a4dba365b5823d27fe030691dccdaf9b3f88c9f985fa1eb6a0ead5e05ee

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\progress.gif
Filesize
13KB

MD5
ef09afa5bf49f5b03b7e8cc5b7aa7e33

SHA1
255b345511c32879aabdc7b53343d497bd22cfa0

SHA256
2a5a7ace6a323882946c20ad8b4dcb89cb09e2f8bbb4215facdd64aa48c38b16

SHA512
bfd772dbe8b5e33c4509b8d3aa6b24039beb35331f512bc97ccdb1c21fc1352878ce08fec78056bc800dc6da34d782d1f844c7d893a4af99e6940128183665e5

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\Utils\uninst.exe
Filesize
489KB

MD5
462b860d5b377d3a8a75580de176809e

SHA1
ab69be0a7714f5297e1da6910100d8db3c82cd6b

SHA256
c3daed387f736d2283e7ca5034a8aa69936247c8a54bb12e8e09cb585eb376a4

SHA512
11fad932931cf874b885406f0c505703e8a2270c9198c616935ee4567dae61e2cf96d8ed1b2b715ef00edad113bf69c612be8d0aa483b64a366757e4e9bc6581

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.exe
Filesize
4.1MB

MD5
431898fc759567adcec70f869d138b1f

SHA1
e83641da7ceb94e963cacd329762958d3480b949

SHA256
a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa

SHA512
09120d3079bfaad0dcb902872068916c3c202f541eab9c506e2df7b3ce58b5a59e868e9ec995560a25246a8e3d0154a58be5cd317af13eede4124a9020ba07f1

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.exe
Filesize
4.1MB

MD5
431898fc759567adcec70f869d138b1f

SHA1
e83641da7ceb94e963cacd329762958d3480b949

SHA256
a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa

SHA512
09120d3079bfaad0dcb902872068916c3c202f541eab9c506e2df7b3ce58b5a59e868e9ec995560a25246a8e3d0154a58be5cd317af13eede4124a9020ba07f1

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.exe
Filesize
4.1MB

MD5
431898fc759567adcec70f869d138b1f

SHA1
e83641da7ceb94e963cacd329762958d3480b949

SHA256
a3455cf8e2ce4c933567360b795ea137a1d83f7c63568ecfb0f2ec440f96ffaa

SHA512
09120d3079bfaad0dcb902872068916c3c202f541eab9c506e2df7b3ce58b5a59e868e9ec995560a25246a8e3d0154a58be5cd317af13eede4124a9020ba07f1

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.json
Filesize
1KB

MD5
0c3393646c298ffaf495723ff8765cf0

SHA1
23987d83a8cf58156dfdf3f303e33f409c99d26d

SHA256
2901d9a00caf0930241c0cb99d0da9f762ef0fb00689dcda367cf9357dde847a

SHA512
f5955ea99a9a49af11c91ce7f303b3bdbd0cb8597f8f035b6122924bf5bc32aa225c658a069a8b3132a61aca57f82658cdaa6207a33f1de0558a47beef90a7a1

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\wzzx2.ui
Filesize
1.3MB

MD5
5e8668adf0b7a5566795a684f38673f7

SHA1
89a2adb6316593f9296713e986474a051a1da6bd

SHA256
ba5a97d48badd1f6422b0958437b1f437fd616832fb28a2be1692444b015c39e

SHA512
b68f21a59f7f48bd59ff648e206d014a804ffdd621eee773f9922af49843747ca659241acb79b77ef5f68b88c4ecfd55e0a2bc03c29e167a6890bde9653ecc90

Download Submit
C:\Users\Admin\AppData\Roaming\LittleGame\wzzx2\卸载王者之心2.lnk
Filesize
1KB

MD5
67430aa5b065ef0b61d1d22eb4496cd2

SHA1
5d969a7dde0dfb0cd4b642dcb9c5133f0b0f6241

SHA256
f33659122532442a85295a7ead3ad43e1384c0cd47daa105402de7a2a48ce815

SHA512
9e39e17913b8ef9bcce46914aa3f48ed4665ec945461c503da684f88f8ad51f2f5a27c8ed7e837a0687d88c534d15e34d28aa5099351923912f43b8793634374

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\王者之心2\王者之心2.lnk
Filesize
1KB

MD5
5b655090af132b593a7df18ad6815493

SHA1
7a43d4269f8c2d7ab1d703a4f85125dc4f84403d

SHA256
81d29d12d7aaed27418992e3a90a2fff9c69d3dde0dcce47c2f62a5635d37f35

SHA512
6976930a1df175f82b1a56e12224f08116964d17b9430a45a1b84c7f4cefa03f99b9451c7fdb5fdf213d7faae805fa8c6306352778d826e54028c5ff78e7afd3

Download Submit
C:\Users\Admin\Desktop\王者之心2.lnk
Filesize
1KB

MD5
090f481175e6a6773eb4845a5ca5efea

SHA1
77a356fe95477f5322f9fa4dd6a43aa4bff7c134

SHA256
0cbd4ee8200d30f07c97550b2861603990a852606f6225a26a4d04bb579ea1ce

SHA512
7136de5b97b67c687af991e3f61fb927d18fb5517ec166bd3e87698ec3d2f00535d85711a552455419ae31464aadea166b896086d3b147f5bb559c504f305669

Download Submit
memory/1952-405-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2816-404-0x0000000028400000-0x0000000028401000-memory.dmp

Filesize
4KB

Download