06cf9ce2ae439886a9516fbfc8b37d8d1ae8e7ba1980af8bc36d52b0439b3c64

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d5d13bded91f8dc27da9df343d1e01.exe
Size

284KB
MD5

99d5d13bded91f8dc27da9df343d1e01
SHA1

ffa8ab4e3355e9e79f8eae4919be02b94ca587a1
SHA256

06cf9ce2ae439886a9516fbfc8b37d8d1ae8e7ba1980af8bc36d52b0439b3c64
SHA512

46ea887c3f44180b1dbc13df660471841996298ca367f82afa0ccf3dbd28f1f054ccef63ae52f0b1e158e86ec02bff56e4a52fc2c1e9000874f8edbddd91e523
SSDEEP

3072:F1gHNPrVy2p1MH8k9VyJRjBPbH2matI7v89z/RJdkJHgGYLtFgXpG+mSFia5yQxn:T8rVr30C1BzHZatAupQSGItFCja0w

Score

7^/10

persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2332	csboyDVD.dll
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2776	services.exe
2608	tuziboyAuTo.dll
2648	services.exe
1832	csboyTT.dll
2692	tuziboyAuTo.dll
380	services.exe

Loads dropped DLL 31 IoCs

pid	Process
2896	99d5d13bded91f8dc27da9df343d1e01.exe
2332	csboyDVD.dll
2332	csboyDVD.dll
2332	csboyDVD.dll
2332	csboyDVD.dll
2332	csboyDVD.dll
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2896	99d5d13bded91f8dc27da9df343d1e01.exe
2896	99d5d13bded91f8dc27da9df343d1e01.exe
2776	services.exe
2776	services.exe
2776	services.exe
2896	99d5d13bded91f8dc27da9df343d1e01.exe
2896	99d5d13bded91f8dc27da9df343d1e01.exe
2608	tuziboyAuTo.dll
2608	tuziboyAuTo.dll
2608	tuziboyAuTo.dll
2608	tuziboyAuTo.dll
2608	tuziboyAuTo.dll
2648	services.exe
2648	services.exe
2648	services.exe
2896	99d5d13bded91f8dc27da9df343d1e01.exe
2896	99d5d13bded91f8dc27da9df343d1e01.exe
1832	csboyTT.dll
1832	csboyTT.dll
1832	csboyTT.dll
2692	tuziboyAuTo.dll
2692	tuziboyAuTo.dll

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016609-58.dat	upx
behavioral1/memory/2896-59-0x0000000000250000-0x0000000000262000-memory.dmp	upx
behavioral1/files/0x0007000000016609-61.dat	upx
behavioral1/files/0x0007000000016609-65.dat	upx
behavioral1/files/0x0007000000016609-67.dat	upx
behavioral1/memory/2608-66-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x0007000000016609-69.dat	upx
behavioral1/files/0x0007000000016609-68.dat	upx
behavioral1/files/0x0007000000016609-101.dat	upx
behavioral1/memory/2896-91-0x0000000000250000-0x0000000000279000-memory.dmp	upx
behavioral1/memory/2896-104-0x0000000000250000-0x0000000000265000-memory.dmp	upx
behavioral1/memory/2692-112-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2608-114-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2608-128-0x0000000000400000-0x0000000000412000-memory.dmp	upx

VMProtect packed file 24 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000700000001658a-40.dat	vmprotect
behavioral1/memory/2896-42-0x0000000000250000-0x0000000000279000-memory.dmp	vmprotect
behavioral1/files/0x000700000001658a-43.dat	vmprotect
behavioral1/files/0x000700000001658a-46.dat	vmprotect
behavioral1/memory/2776-53-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral1/files/0x000700000001658a-72.dat	vmprotect
behavioral1/memory/2648-80-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral1/files/0x000700000001658a-76.dat	vmprotect
behavioral1/files/0x000700000001658a-75.dat	vmprotect
behavioral1/files/0x000700000001658a-74.dat	vmprotect
behavioral1/files/0x000700000001658a-71.dat	vmprotect
behavioral1/files/0x0009000000016ad3-89.dat	vmprotect
behavioral1/files/0x0009000000016ad3-95.dat	vmprotect
behavioral1/files/0x0009000000016ad3-92.dat	vmprotect
behavioral1/files/0x0009000000016ad3-100.dat	vmprotect
behavioral1/files/0x0009000000016ad3-99.dat	vmprotect
behavioral1/files/0x000700000001658a-103.dat	vmprotect
behavioral1/files/0x000700000001658a-102.dat	vmprotect
behavioral1/files/0x0009000000016ad3-98.dat	vmprotect
behavioral1/files/0x0009000000016ad3-97.dat	vmprotect
behavioral1/files/0x0009000000016ad3-96.dat	vmprotect
behavioral1/files/0x000700000001658a-105.dat	vmprotect
behavioral1/memory/1832-107-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect
behavioral1/memory/380-125-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe"	tuziboyAuTo.dll

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	services.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Services\csboyDVD.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\rprtprqsdesk.ini	services.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyTT.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboyDVD.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\tuziboyDw.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboybind.au	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboyTT.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\rprtprqsdesk.ini	services.exe
File created	C:\Program Files\Common Files\Services\csboyDvd.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\services.exe	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\Tencent\services.exe	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\tuziboyAuTo.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboyTj.ocx	99d5d13bded91f8dc27da9df343d1e01.exe

Modifies data under HKEY_USERS 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\WpadDecisionTime = a063fb93aa5eda01	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7\WpadDecisionReason = "1"	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\WpadDecisionTime = 00c5fd93aa5eda01	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7\WpadDetectedUrl	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\WpadDecisionTime = c05ccb8caa5eda01	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	services.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\WpadNetworkName = "Network 3"	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\1e-f2-f9-00-75-f7	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7\WpadDecisionTime = c05ccb8caa5eda01	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	services.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\WpadDecision = "0"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7\WpadDecision = "0"	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7\WpadDecisionTime = a063fb93aa5eda01	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-f2-f9-00-75-f7\WpadDecisionTime = 00c5fd93aa5eda01	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	services.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	services.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{967CEB0D-E482-4844-86FA-BECD2558DE40}\WpadDecisionReason = "1"	services.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2608	tuziboyAuTo.dll
2608	tuziboyAuTo.dll
2608	tuziboyAuTo.dll
2692	tuziboyAuTo.dll
2692	tuziboyAuTo.dll
2692	tuziboyAuTo.dll
1832	csboyTT.dll
1832	csboyTT.dll
1832	csboyTT.dll
1832	csboyTT.dll

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	services.exe
Token: SeDebugPrivilege	380	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
2848	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1832	csboyTT.dll
1832	csboyTT.dll

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2896 wrote to memory of 2332	2896	99d5d13bded91f8dc27da9df343d1e01.exe	28
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2332 wrote to memory of 2848	2332	csboyDVD.dll	29
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2776	2896	99d5d13bded91f8dc27da9df343d1e01.exe	30
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2896 wrote to memory of 2608	2896	99d5d13bded91f8dc27da9df343d1e01.exe	31
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2608 wrote to memory of 2648	2608	tuziboyAuTo.dll	32
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2896 wrote to memory of 1832	2896	99d5d13bded91f8dc27da9df343d1e01.exe	33
PID 2692 wrote to memory of 380	2692	tuziboyAuTo.dll	35
PID 2692 wrote to memory of 380	2692	tuziboyAuTo.dll	35
PID 2692 wrote to memory of 380	2692	tuziboyAuTo.dll	35
PID 2692 wrote to memory of 380	2692	tuziboyAuTo.dll	35

C:\Users\Admin\AppData\Local\Temp\99d5d13bded91f8dc27da9df343d1e01.exe
"C:\Users\Admin\AppData\Local\Temp\99d5d13bded91f8dc27da9df343d1e01.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files\Common Files\Services\csboyDVD.dll
  "C:\Program Files\Common Files\Services\csboyDVD.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
    "C:\Users\Admin\AppData\Local\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2848
- C:\Program Files\Common Files\Tencent\services.exe
  "C:\Program Files\Common Files\Tencent\services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
  "C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Program Files\Common Files\Tencent\services.exe
    "C:\Program Files\Common Files\Tencent\services.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2648
- C:\Program Files\Common Files\Services\csboyTT.dll
  "C:\Program Files\Common Files\Services\csboyTT.dll"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1832

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files\Common Files\Tencent\services.exe
  "C:\Program Files\Common Files\Tencent\services.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\csboyTT.dll

Filesize
1.2MB

MD5
d82def97f6307f137d574a621eff18f6

SHA1
81aeab6ee83f776491bcb3fe1543d8273ab707e3

SHA256
a23d60018643d9cb2bbf089177b5ee7db482528eb1ac2fab9da8610916540819

SHA512
c4ef4fb11f58bc9b9d9776bf7a7d58e442b5954e2d6ec3ca02d98d784089a3ed8a1651b64441a60897254cfe7365a56a9960f7507ba6ea360c59876345dbf17d

Download Submit
C:\Program Files\Common Files\Services\csboyTT.dll

Filesize
2.0MB

MD5
98fc1eb84fee76bae158ea424dbdf51b

SHA1
0edfedf6e057639debd174586fc6f33ea996b838

SHA256
a19ac588aebebd99d1f44b893ec0dca00427f03f3baaea3e0b8386634e9701a5

SHA512
67f147f571dfba94d46db7bcee033d809fcc56326c829a1604fccffb4c0fc03a8302fd3489c6505982c7593e1560bd5075423b22efecf1d2c4a576bddb02d495

Download Submit
C:\Program Files\Common Files\Services\csboyTT.dll

Filesize
1.4MB

MD5
ef50e03e1a80b38aa6d4b999d2ffa827

SHA1
61765117e9e2023653f0d27b2866d86889a47220

SHA256
510133efff1542030e133492c0b55ed39f38a38056e7b073bcbba0f39ed9f63b

SHA512
a01b0dbcd7a6511b676a20bd2d6a44efbc0426808cae82f0dfe95d15931bdb5992233227fbb47b87f278cbaa6a463265209851c7b29f6b74cbecb5ee6ce46561

Download Submit
C:\Program Files\Common Files\Tencent\services.exe

Filesize
704KB

MD5
a8d3ea9c2a22736944f2d42b1dce1071

SHA1
83b4c8d00246b2e4e52e12a34dc53595946170e6

SHA256
bce0ba6c210a9540eefe0066caaf5cb99770a7921a2698757dd5453da29df2fe

SHA512
28da90236476e46d2ae1424727d8513f257f65812e2d6b71a8f13a1461f8d380a853f561d14e897e5f8dd235129cbbfbd2eb575baa9c47265e5ce8720032aaa3

Download Submit
C:\Program Files\Common Files\Tencent\services.exe

Filesize
4.8MB

MD5
d3b7b6488233803bb8361c728bb43eec

SHA1
69798528ed51e897c568275e809590949a5d3a33

SHA256
77454c3d2055f32415c4f945a57b08f2ec9ee0ae06ade9ef07149be93c8dbcb9

SHA512
3f7005507b99725cedf92a5f92403725180c2e0696d29a66b66be789dde9a97b2e46bb79030ac37b9229325c134779d2e4ddc9ef88b5339c4f9a02546a9a9a3b

Download Submit
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
2.7MB

MD5
15b6f4db75fa0eca33fb83351b0a5ee9

SHA1
c63463d128d6047fc153cd8a1cf5a8262f9ae4b7

SHA256
e5b857194961d3e532fb40493454fd4cf1dfe2ad1128e770807f002d796c339d

SHA512
d68a1a728281b39839786a8a1da1fba1557876022ee8f7582ff6a46c5e2da2c417a648434e6524cba46fb14316cdc47ad4fb9767ed2727f6466d0005a11e5716

Download Submit
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
1.6MB

MD5
a77739cf6f76b4039fdccbed0aabca67

SHA1
64f98f74b1a947c670d930c25c2529b117a8266e

SHA256
6f792c902397d73b1fb82d634fc0ca38516b3f671a5b98ce536f4480f7249534

SHA512
1cd6bb53890c36e7d970c517ec26148f6b06d85d40ee355e54c9d0820b0f7fe932c405c1745d3c20963d792e400b859ffd04ce2747bbac848e538430cc93434d

Download Submit
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
2.6MB

MD5
ad553977989a1a6906d0be4701aa13df

SHA1
8a6957bc9e253fd873c87ffb762d7d34d9b496ef

SHA256
42df12270858a78095e90aafa4608039b1a1123f5be12b747105e2b935ec5dbe

SHA512
fba655a5a082a88354f00eebfbbc540d0cf2632ceefe44ef981dc783e68ce5685b41d3ed0065b439dff7b81311f35421aee54f7234a991ecb86cbbde4615acf2

Download Submit
\Program Files\Common Files\Services\csboyDVD.dll

Filesize
192KB

MD5
2720e01e0c83d76029f678e7f37656ff

SHA1
793391e93eb8a13ce56580f8af446557c46a4d03

SHA256
e69786f02eb0a2560808351d31a3f5ce136e12c574310a16163d4197e696b95d

SHA512
c161abd3f0cc9709665e982731c7d15b9f3ca61c7666c6cde26eec868595c4f14ed7dd45d1e5d44857af56cd7c623d0083f81b6337c610db4ff5071a5838c35d

Download Submit
\Program Files\Common Files\Services\csboyDVD.dll

Filesize
128KB

MD5
f3452f96d0efca6c71b64000ab6e3d8d

SHA1
9194be3a02151f8fca2c1d50833921da56073162

SHA256
2ee617143ab5d5c3743cf246be76f0e804e92576f6f76baf05d9f2d61fae669a

SHA512
8790d47563ea53d224f8f5f97a2d0ece087118ffb3afc47812bd9d14e65f235acfc8c5e4c255afc891cfaf231a55f52398051deaac1f86c82b1e4feb99bff50d

Download Submit
\Program Files\Common Files\Services\csboyDVD.dll

Filesize
606KB

MD5
bab551fe6a4e78126083085aced430f4

SHA1
213e43fd84104b00e1655b5ebd83645718e80f2a

SHA256
ed9372646ae020bb0b89b7954fb17a7d10741a6e33b5781e0fea9b7ade8490ac

SHA512
317e6119bffb1f930defd193a016929ceee876c2d0079ee9bcdaa8e232ffe5075dee67f3dafec3eeb90ec59710ff603b5d8015a697e1cc43ebe6447e6c7cb6a4

Download Submit
\Program Files\Common Files\Services\csboyTT.dll

Filesize
1.1MB

MD5
30877ec99783e0a603236b817395a4a8

SHA1
e11b41dbbdfe890d54033c830cfd0624d3b14541

SHA256
244a83d7b221fbbd2fba056959ea6c8cae9cca4f7aff02c1455420cee342d930

SHA512
1586f4725e6d3e4b6073c52a6d7259be4babe86535e9ca2f01aa70f0e5645274dc0e7b41a348307abd07e96ff8a3005ef8fa255fe80e23ba3eab72d0798cb388

Download Submit
\Program Files\Common Files\Services\csboyTT.dll

Filesize
1.2MB

MD5
feeee21fd546dc736a9c56bc154bc8bb

SHA1
33243ad7a59953e220cdad0ff2a7aeb13a2c8518

SHA256
73dd3f5170845f6c833626c87ea9c915b7e3b60778be806d9af7e4e214dfdea3

SHA512
9facb06ed5ee72f52636c05fcc46fe44a30ece36ed1c0355d87af5df6fa70343a95b347f0a0a90a7f92fc9c2e13231cd45f406ce9202d728432fbbd0fca12faf

Download Submit
\Program Files\Common Files\Services\csboyTT.dll

Filesize
896KB

MD5
19b71ed494f966560923c7430ec3c0ab

SHA1
520891180f126d6818dcd1ba59c0e8372f77dfe5

SHA256
038d94de6d44587dd400e2802f4a72c120221c05f0a5771576934eb1d488d723

SHA512
014291a92da39867efcb38f7d9188dd0582500891dde76cd282e5551478d22110bbac106e86357563e43440032b5f5ad3951f8b816a482e1ee8fac9891f304dd

Download Submit
\Program Files\Common Files\Services\csboyTT.dll

Filesize
2.1MB

MD5
e6de8efdcf141d52c1b564f917ba32a0

SHA1
876d545892078ec98def160dada0bd8765d58c00

SHA256
f2a29ed7f0eabe9a4b808e2a64894fd49bbb9df881f457c2bf063c98401e5975

SHA512
d3e51323468a58a813e5cce0701943a97b657a72b97c92f99035c007437fdd09b0674660e50ef56a32bcc526350164424138d57d04f667f24ec25d919fdd726d

Download Submit
\Program Files\Common Files\Services\csboyTT.dll

Filesize
704KB

MD5
279a434849bcf6fb79d24e13569f1522

SHA1
44c321a942defb85c55ae61b454e958b9cc1ac04

SHA256
e89f12e5bd8f78aaee1bb02d62dc20056dc650485a9ecc19b2055fcb41cdd277

SHA512
b97b27e264bcb5b8bc84a8dfc76df0a0f35fc8169f9e28a88e6149576d827fc30788943335dff594a381c32ea60df4693d175ef26499ff29d074b23cb416d130

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
832KB

MD5
a072d45fa67e1cd25612738e44f6d817

SHA1
5bd9b50a93874476695a9433ace4ae2fb191ec8b

SHA256
61126dc121582301a71f0602984ffbdbea3163b145cadb206043f53846938b28

SHA512
abad5e269e1676865c1536c9149992b283ef19076fc7ecbb50b6b711eec88f88e436a614869434c3d0a3adabb73bab9c3d3c8e8276d2cb76d05831bea1caa72d

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
1.1MB

MD5
27c5fedba4f33027d5d3473d5e68d8a3

SHA1
8add39abecf67e7b408b139b4886ba4f6e1dacde

SHA256
bac1ed64bcc8cfb58fa4a88de952e7facc3efb54e0c716e985c5756204f7a2d0

SHA512
07c1a54f989344adb2460cff7d1e984987d939ccd928be1d5965478b63fe3839951fb93a60ff9919b0df7ef162606a2ab01c7bb4eaa747dbbd07bc150b6200c4

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
3.1MB

MD5
b32c47e6385bf070847e82a0456338f8

SHA1
a910f1641b1beea67629592ff9f3f2220ebe5483

SHA256
724cd34ee6dccc25da4511acba1797f37b3e856d0fede40ad6a8143b79ebcae0

SHA512
727ac2a3938c0ff9122691968e4c81321165763412547f60b382329746322a005313bc8d9d7239bbd110c227108d8adaf14f94a58412ae90b688f8edceedf414

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
3.4MB

MD5
62a8e5a6edba5fe3111517abac7fce73

SHA1
0b85fef3327c6c498f53a61e8b19fd9e8fd02da4

SHA256
e8fa80c2757b1af6d7228349ebcd2cefdc5d9d34cbe6c8929e5ffd34dd6d4225

SHA512
1e9613b2bd490da1d392135ad092dc1b1e6f7a603ab00da06e83b4b5b192bc82c1f4e70bdf8fda0e98252e335f94d748f587411a0ab3c88441a96ec58b8dcd8a

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
2.9MB

MD5
27e4e4d2051684df618c2a672e0a1f1e

SHA1
d7a5389352c84f638f5a32d200386541c2fe7793

SHA256
d8ace7d055e0bda3bd53834edc36741d582c9b39b9a7a50897a0de279a4e72d5

SHA512
7a2c1e3ab480ad6ec21ff1b186d63c9b2e3cf4dd319466759a6a55491036294a58c486929da9ffb495608bc403e14c0519cb1b4a1f774e8cb8791621c9f7371e

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
2.1MB

MD5
ee32090af48f861ee263c4938f2da82c

SHA1
e942bb6e39be536027a9278d2f945f7a34ab9eda

SHA256
848cdf5c07b7d3721681bba19006c12957fcc99165de5c7d978eecfed27b6094

SHA512
b9ee070bfbb471e21aed107831a3bdfabae011c18740aa81460a8c3fcb71f7a2c055a5bd976e20499b14d19bb9f7847c47da0305d017ebec6f165b5be996d833

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
2.6MB

MD5
d524ab82f77b6e76346034eea4c6f722

SHA1
93bc6aba2493a4802e6af51dbb8688996a33f2af

SHA256
02372962969f709e4f06f442f5dca7d6ef4d477bb49c4d2bf92e29b4eea853cb

SHA512
a3fb0e64d48ea3f19875f709d8072d6c3600fb2d1fa5760977b377219cb9245086dae9f6794f1ad2c6a57a71baf9a47725603f549ef64f73a7d7e9d2dc52b775

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
2.4MB

MD5
9acbf9b4cbf6cf539c92a46c8cb3530d

SHA1
c093447f2adf642d7545cf422e2eca6a8fa50008

SHA256
c22306cf711686e3cfa90da74833a1daa759814ed39689c3867d0a930a0983a7

SHA512
cb7bb813178b5db24dc3823edd7b3eec607b0cd70c9e18f140e4362fed85f3147f0817d20027b8f8bd735fa3172c0bb0955cffba3cdf22b69e7d832c9d99b9a6

Download Submit
\Program Files\Common Files\Tencent\services.exe

Filesize
2.4MB

MD5
0ad5c293147116828ad54a821b6614d6

SHA1
5023d17a9a78aaec7d60747af58caaa686702ba3

SHA256
c61bb53d99588d7db912eddccaa8094aa894ace5d2eaa633d70cfdb5d9327a14

SHA512
743fab79998286fe07e23e1f8569844d8f742bee16b802244c35a581d375f5a0e07d4c6dc674b8fd840225e74bbd72f40309341d17e95fd334d46073122673ca

Download Submit
\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
3.6MB

MD5
cf9254cd36a7533693fa9880aa3491ec

SHA1
8604b3e38bebc4521488810718b93c7c71595e85

SHA256
25ec460ecd1dd0c48f23c63cd6e6034657091e41a8c8aa48284a0c559dff3872

SHA512
5b33791e0db57672b26d975dd1c8b9c246199bc4f8a600f3dea31c3141cc370b49598c3e8404ba21d3efaff979c3bceaa4211971c05a7bea2499d355058a0751

Download Submit
\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
2.6MB

MD5
29c05601db98055b4842d4aabfd0026e

SHA1
22d6eb8af3371edb779d7264a0b6ed4d717f528e

SHA256
fe84be328d79f9ec70d26ea89db7ecddfffea4e79a68c0d06281613c2bddd7ea

SHA512
cb62b532155b8668ebd43f0a8ab4b1c930bbc9afab74a2426b9b62ce7df794a9d3337eb701ceb12f60d5bdd699911c0aef40627c4328d97c805f68eef5974685

Download Submit
\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
1.7MB

MD5
a7be4dda5d8070452c3250609ba08ecb

SHA1
592ed4a08847275b34c5d73dc463c6c796815d29

SHA256
2e739c39e4b8545d530964e2e200ee0a07912b515b3134955d8be478ce86dc4a

SHA512
de41c928b0dcf70a1449f0da0dff0c30e1df4b15cb5e2a21e266378196814181a506b3177c8099191534bf6cdf25dd5a5fcfbfb1ccb3e3e84f43faa6a3bd9243

Download Submit
\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
1.7MB

MD5
44a93a227663e34d98fcf9c46d658109

SHA1
060bd14d813445df4328030f88d22ce9b99ba18d

SHA256
c92c8f63001870aa6a160261c44a838429f912840ec619d716f0ec4dc5606d94

SHA512
61636db44e9d138ec93be325afc021f36be004e2e6eea8407ef11f99fabf318b70efca9a4a1a8edcbb26896f96c4204c3f00106fdb89250f9a8cae47c3011dbe

Download Submit
\Users\Admin\AppData\Local\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe

Filesize
252KB

MD5
2f2a53a5a70506ac9bfca1838e081e1a

SHA1
fc6f91131dafcd78df6c5d6d44e837e22d80ec2c

SHA256
8731e946c9686c0aff66d9297073e1710b7c442e443a3ebc9f580089dc32880e

SHA512
1e8e343ebe5350d5666bc9072f078736c9e66d7d0dcfefc02b8d8642a45c1967f55df6e658428c0487ccbbc382d261b14a910d2c5d9bdd39b46f03dbaf14381b

Download Submit
memory/380-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-121-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1832-107-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1832-111-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1832-109-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2332-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2332-15-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2332-30-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2332-27-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2608-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2608-79-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2608-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2608-114-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2608-118-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2608-78-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2648-83-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2648-80-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-123-0x00000000002F0000-0x0000000000319000-memory.dmp

Filesize
164KB

Download
memory/2692-122-0x00000000002F0000-0x0000000000319000-memory.dmp

Filesize
164KB

Download
memory/2692-113-0x00000000002F0000-0x0000000000319000-memory.dmp

Filesize
164KB

Download
memory/2776-52-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/2776-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2848-34-0x0000000002FC0000-0x00000000031C4000-memory.dmp

Filesize
2.0MB

Download
memory/2848-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-35-0x0000000002FC0000-0x00000000031C4000-memory.dmp

Filesize
2.0MB

Download
memory/2896-2-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2896-81-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2896-42-0x0000000000250000-0x0000000000279000-memory.dmp

Filesize
164KB

Download
memory/2896-110-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2896-108-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2896-1-0x0000000000230000-0x000000000028E000-memory.dmp

Filesize
376KB

Download
memory/2896-8-0x0000000000250000-0x000000000029E000-memory.dmp

Filesize
312KB

Download
memory/2896-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2896-91-0x0000000000250000-0x0000000000279000-memory.dmp

Filesize
164KB

Download
memory/2896-104-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/2896-59-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download