7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 07:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe
Size

4.8MB
MD5

a8e72784f15d459cef243be1d5c0e43d
SHA1

7817832a1d04ba87e8de2ec05efb716f4f42eb87
SHA256

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496
SHA512

332160af62f88ab8e7d2f25c94a900d543af52052c0d64c5cf0cc8a4df368acb4f2c713ff4c5075dfde6e7a6c37a8ce4c3e605a467298371786f25c568ede69b
SSDEEP

98304:seLpmrmc2lAu28lkcf5YjovKqGYiOE8oLj5YINfSyo8aXW:TcmZl85gyjovK65E8ob5Sx8aXW

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1492	7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe
1492	7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe
1492	7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe
"C:\Users\Admin\AppData\Local\Temp\7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1492

Network

DNS

0.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.181.190.20.in-addr.arpa

IN PTR

Response
DNS

zhushou.ludashi.com

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

8.8.8.8:53

Request

zhushou.ludashi.com

IN A

Response

zhushou.ludashi.com

IN A

120.27.83.10
DNS

s.ludashi.com

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

8.8.8.8:53

Request

s.ludashi.com

IN A

Response

s.ludashi.com

IN A

101.132.120.17
GET

http://zhushou.ludashi.com/game/Getloadernew?channel_num=officialwebsite_7&subpid=officialwebsite_7&from=officialwebsite_7&version=7.3.3592.2470&existsver=&osver=10.0&iever=11.0.19041.1288&ids=&mid=9791e64e3aea793ef82795e5835ad45f&motion=&osbit=x64&memory=8589934592&vdibit=

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

120.27.83.10:80

Request

GET /game/Getloadernew?channel_num=officialwebsite_7&subpid=officialwebsite_7&from=officialwebsite_7&version=7.3.3592.2470&existsver=&osver=10.0&iever=11.0.19041.1288&ids=&mid=9791e64e3aea793ef82795e5835ad45f&motion=&osbit=x64&memory=8589934592&vdibit= HTTP/1.1
Connection: Close
Host: zhushou.ludashi.com

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.41
Set-Cookie: ip=89.149.23.59; expires=Mon, 12-Feb-2024 07:34:16 GMT; path=/
Set-Cookie: ip_city=-%E7%BD%97%E9%A9%AC%E5%B0%BC%E4%BA%9A-%E7%BD%97%E9%A9%AC%E5%B0%BC%E4%BA%9A--; expires=Mon, 12-Feb-2024 07:34:16 GMT; path=/
Set-Cookie: ip=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: ip=89.149.23.59; expires=Mon, 12-Feb-2024 07:34:16 GMT; path=/
Set-Cookie: ip_city=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: ip_city=-%E7%BD%97%E9%A9%AC%E5%B0%BC%E4%BA%9A-%E7%BD%97%E9%A9%AC%E5%B0%BC%E4%BA%9A--; expires=Mon, 12-Feb-2024 07:34:16 GMT; path=/
GET

http://s.ludashi.com/mgame?type=installpkg&action=run&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073414943&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=installpkg&action=run&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073414943&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:16 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
GET

http://s.ludashi.com/mgame?type=installpkg&action=osver_10.0&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073414943&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=installpkg&action=osver_10.0&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073414943&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:16 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
GET

http://s.ludashi.com/mgame?type=dsk_game&action=hav_&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073415693&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=dsk_game&action=hav_&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073415693&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
GET

http://s.ludashi.com/mgame?type=dsk_game&action=get_start&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073415693&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=dsk_game&action=get_start&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073415693&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
GET

http://s.ludashi.com/mgame?type=dsk_game&action=get_success&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416271&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=dsk_game&action=get_success&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416271&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
GET

http://s.ludashi.com/mgame?type=installpkg&action=newinstall&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416271&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=installpkg&action=newinstall&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416271&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:18 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
GET

http://s.ludashi.com/mgame?type=installpkg&action=start_install&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416958&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

101.132.120.17:80

Request

GET /mgame?type=installpkg&action=start_install&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416958&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:18 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-2"
Accept-Ranges: bytes
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://zhushou.ludashi.com/game/slfg/index?channel=officialwebsite_7&environment=&mid=9791e64e3aea793ef82795e5835ad45f

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

120.27.83.10:80

Request

GET /game/slfg/index?channel=officialwebsite_7&environment=&mid=9791e64e3aea793ef82795e5835ad45f HTTP/1.1
Connection: Close
Host: zhushou.ludashi.com

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.41
DNS

l.public.ludashi.com

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

8.8.8.8:53

Request

l.public.ludashi.com

IN A

Response

l.public.ludashi.com

IN A

118.190.210.73
POST

http://l.public.ludashi.com/pc/udmgame/dogSun

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

Remote address:

118.190.210.73:80

Request

POST /pc/udmgame/dogSun HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Content-Type: multipart/form-data; boundary=---------------------------1qaz240603187
Host: l.public.ludashi.com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sat, 13 Jan 2024 07:34:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.8
DNS

10.83.27.120.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.83.27.120.in-addr.arpa

IN PTR

Response
DNS

17.120.132.101.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.120.132.101.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

73.210.190.118.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.210.190.118.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

174.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.178.17.96.in-addr.arpa

IN PTR

Response

174.178.17.96.in-addr.arpa

IN PTR

a96-17-178-174deploystaticakamaitechnologiescom
DNS

32.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.134.221.88.in-addr.arpa

IN PTR

Response

32.134.221.88.in-addr.arpa

IN PTR

a88-221-134-32deploystaticakamaitechnologiescom
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

176.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.178.17.96.in-addr.arpa

IN PTR

Response

176.178.17.96.in-addr.arpa

IN PTR

a96-17-178-176deploystaticakamaitechnologiescom
DNS

211.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.135.221.88.in-addr.arpa

IN PTR

Response

211.135.221.88.in-addr.arpa

IN PTR

a88-221-135-211deploystaticakamaitechnologiescom
DNS

211.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.135.221.88.in-addr.arpa

IN PTR

Response

211.135.221.88.in-addr.arpa

IN PTR

a88-221-135-211deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301262_1RDFU04FEHLX4BCDQ&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301262_1RDFU04FEHLX4BCDQ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 457945
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6DB797539ADA44DBB53A8CF3C9C51F6E Ref B: LON04EDGE0813 Ref C: 2024-01-13T07:35:56Z
date: Sat, 13 Jan 2024 07:35:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301671_1BH92C2YLS6P8OGGR&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301671_1BH92C2YLS6P8OGGR&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

120.27.83.10:80

http://zhushou.ludashi.com/game/Getloadernew?channel_num=officialwebsite_7&subpid=officialwebsite_7&from=officialwebsite_7&version=7.3.3592.2470&existsver=&osver=10.0&iever=11.0.19041.1288&ids=&mid=9791e64e3aea793ef82795e5835ad45f&motion=&osbit=x64&memory=8589934592&vdibit=

http

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

587 B
2.6kB
6
5

HTTP Request

GET http://zhushou.ludashi.com/game/Getloadernew?channel_num=officialwebsite_7&subpid=officialwebsite_7&from=officialwebsite_7&version=7.3.3592.2470&existsver=&osver=10.0&iever=11.0.19041.1288&ids=&mid=9791e64e3aea793ef82795e5835ad45f&motion=&osbit=x64&memory=8589934592&vdibit=

HTTP Response

200
101.132.120.17:80

http://s.ludashi.com/mgame?type=installpkg&action=start_install&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416958&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

http

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

5.1kB
2.0kB
24
10

HTTP Request

GET http://s.ludashi.com/mgame?type=installpkg&action=run&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073414943&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200

HTTP Request

GET http://s.ludashi.com/mgame?type=installpkg&action=osver_10.0&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073414943&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200

HTTP Request

GET http://s.ludashi.com/mgame?type=dsk_game&action=hav_&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073415693&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200

HTTP Request

GET http://s.ludashi.com/mgame?type=dsk_game&action=get_start&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073415693&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200

HTTP Request

GET http://s.ludashi.com/mgame?type=dsk_game&action=get_success&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416271&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200

HTTP Request

GET http://s.ludashi.com/mgame?type=installpkg&action=newinstall&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416271&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200

HTTP Request

GET http://s.ludashi.com/mgame?type=installpkg&action=start_install&channel=officialwebsite_7__officialwebsite_7&from=officialwebsite_7&mid=9791e64e3aea793ef82795e5835ad45f&appver=7.3.3592.2470&modver=7.3.3592.2470&timestamp=20240113073416958&mid2=871f76a489f2e7e6120e6fbc726f16fb23032f382bda&osbit=x64&memory=8589934592&ex1=7.3.3592.2470

HTTP Response

200
120.27.83.10:80

http://zhushou.ludashi.com/game/slfg/index?channel=officialwebsite_7&environment=&mid=9791e64e3aea793ef82795e5835ad45f

http

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

385 B
429 B
5
5

HTTP Request

GET http://zhushou.ludashi.com/game/slfg/index?channel=officialwebsite_7&environment=&mid=9791e64e3aea793ef82795e5835ad45f

HTTP Response

200
118.190.210.73:80

http://l.public.ludashi.com/pc/udmgame/dogSun

http

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

1.3kB
614 B
12
5

HTTP Request

POST http://l.public.ludashi.com/pc/udmgame/dogSun

HTTP Response

200
52.142.223.178:80

46 B
1
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301671_1BH92C2YLS6P8OGGR&pid=21.2&w=1080&h=1920&c=4

tls, http2

53.7kB
1.5MB
1091
1119

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301262_1RDFU04FEHLX4BCDQ&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301671_1BH92C2YLS6P8OGGR&pid=21.2&w=1080&h=1920&c=4
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.7kB
17
15
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.7kB
17
15
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
9.7kB
17
15

8.8.8.8:53

0.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.181.190.20.in-addr.arpa
8.8.8.8:53

zhushou.ludashi.com

dns

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

65 B
81 B
1
1

DNS Request

zhushou.ludashi.com

DNS Response

120.27.83.10
8.8.8.8:53

s.ludashi.com

dns

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

59 B
75 B
1
1

DNS Request

s.ludashi.com

DNS Response

101.132.120.17
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

l.public.ludashi.com

dns

7969f79dce89be7095e5dca45752acafa26376b3a1cbfa314edd160f5957b496.exe

66 B
82 B
1
1

DNS Request

l.public.ludashi.com

DNS Response

118.190.210.73
8.8.8.8:53

10.83.27.120.in-addr.arpa

dns

71 B
153 B
1
1

DNS Request

10.83.27.120.in-addr.arpa
8.8.8.8:53

17.120.132.101.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

17.120.132.101.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

73.210.190.118.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

73.210.190.118.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

174.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

174.178.17.96.in-addr.arpa
8.8.8.8:53

32.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

32.134.221.88.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

176.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

176.178.17.96.in-addr.arpa
8.8.8.8:53

211.135.221.88.in-addr.arpa

dns

146 B
278 B
2
2

DNS Request

211.135.221.88.in-addr.arpa

DNS Request

211.135.221.88.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LDSGameMaster\Store\360Base\360NetUL.dll

Filesize
82KB

MD5
e3948c732ae93c4ce48147327a883c30

SHA1
0a55b7897fc4739c04e94e2ff4a16e530da1be3c

SHA256
9746c0423a2555b8c4e206cbf38f972306f6b2327ead8f5d563131e9f8a02a1e

SHA512
673b64f935576406eac5b900f1e4ed759f45a94ac662a2fb0baa6a30d7ee705a6edc6af239f35f9352765943fe6c77a6fbdf7e67a501c9c4dd38c2287976e34b

Download Submit
C:\Users\Admin\AppData\Local\LDSGameMaster\Store\360Base\Utils\LDSBasic.dll

Filesize
39KB

MD5
c979e20bcf72426a05aab3882e439e90

SHA1
930d7b3f98948be0bb64279ee090c16025fe6f4b

SHA256
2eb46bbf1546d001b7a9ca2ef7c3fa9d93a249f42b0d947a2053fc3eae7acf02

SHA512
17b99770b6e6d19fd077377ac46c2f353b63f18143850989d866c5a652742a4e16337c63151ad951b39eeae054eb79e78f8984da315fc8e7f0a1f7fb22f8abf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\mgame[1].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\{23052A63-3363-4a9c-91CC-848C8D909A98}.tmp\7z.dll

Filesize
175KB

MD5
e91661830d953655bf119ae264938221

SHA1
3fc4d331a63ee591cb3d10076214724bee16fc3e

SHA256
68f2a13efccc8216541ad72cafa3891aa55e53f979639112654b14b49bb4517a

SHA512
29aba3624f93cc602f0b068fb27ff00d2bb3faf8d9a6d19edaa755e98f3b8bf7d939edbd85af1c6db90e81a687edd1b89b7b5721f7eb1536baef7ac402039355

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.