06cf9ce2ae439886a9516fbfc8b37d8d1ae8e7ba1980af8bc36d52b0439b3c64

General

Target

99d5d13bded91f8dc27da9df343d1e01.exe
Size

284KB
MD5

99d5d13bded91f8dc27da9df343d1e01
SHA1

ffa8ab4e3355e9e79f8eae4919be02b94ca587a1
SHA256

06cf9ce2ae439886a9516fbfc8b37d8d1ae8e7ba1980af8bc36d52b0439b3c64
SHA512

46ea887c3f44180b1dbc13df660471841996298ca367f82afa0ccf3dbd28f1f054ccef63ae52f0b1e158e86ec02bff56e4a52fc2c1e9000874f8edbddd91e523
SSDEEP

3072:F1gHNPrVy2p1MH8k9VyJRjBPbH2matI7v89z/RJdkJHgGYLtFgXpG+mSFia5yQxn:T8rVr30C1BzHZatAupQSGItFCja0w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
4004	csboyDVD.dll
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
3068	services.exe
4736	tuziboyAuTo.dll
1944	services.exe
4824	tuziboyAuTo.dll
3676	services.exe
4536	csboyTT.dll

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023216-32.dat	upx
behavioral2/memory/4736-33-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4824-39-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4736-46-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4824-45-0x0000000000400000-0x0000000000412000-memory.dmp	upx

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0006000000023215-23.dat	vmprotect
behavioral2/memory/3068-24-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023215-25.dat	vmprotect
behavioral2/memory/3068-26-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral2/memory/1944-36-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral2/memory/3676-43-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral2/memory/1944-42-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect
behavioral2/files/0x000200000001e4ac-52.dat	vmprotect
behavioral2/files/0x000200000001e4ac-54.dat	vmprotect
behavioral2/memory/4536-56-0x0000000000400000-0x0000000000415000-memory.dmp	vmprotect
behavioral2/memory/3068-58-0x0000000000400000-0x0000000000429000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe"	tuziboyAuTo.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe"	tuziboyAuTo.dll

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\csboyDVD.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyDVD.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboyDvd.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\tuziboyDw.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboybind.au	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\Services\csboyTT.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\services.exe	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\Tencent\services.exe	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Tencent\tuziboyAuTo.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboyTj.ocx	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\Services\csboyTT.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File opened for modification	C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll	99d5d13bded91f8dc27da9df343d1e01.exe
File created	C:\Program Files\Common Files\rprtprqsdesk.ini	services.exe
File opened for modification	C:\Program Files\Common Files\rprtprqsdesk.ini	services.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	services.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	services.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4736	tuziboyAuTo.dll
4736	tuziboyAuTo.dll
4736	tuziboyAuTo.dll
4736	tuziboyAuTo.dll
4736	tuziboyAuTo.dll
4736	tuziboyAuTo.dll
4824	tuziboyAuTo.dll
4824	tuziboyAuTo.dll
4824	tuziboyAuTo.dll
4824	tuziboyAuTo.dll
4824	tuziboyAuTo.dll
4824	tuziboyAuTo.dll
4536	csboyTT.dll
4536	csboyTT.dll
4536	csboyTT.dll
4536	csboyTT.dll
4536	csboyTT.dll
4536	csboyTT.dll
4536	csboyTT.dll
4536	csboyTT.dll

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	services.exe
Token: SeDebugPrivilege	3676	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
4384	new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4536	csboyTT.dll
4536	csboyTT.dll

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 4004	4560	99d5d13bded91f8dc27da9df343d1e01.exe	83
PID 4560 wrote to memory of 4004	4560	99d5d13bded91f8dc27da9df343d1e01.exe	83
PID 4560 wrote to memory of 4004	4560	99d5d13bded91f8dc27da9df343d1e01.exe	83
PID 4004 wrote to memory of 4384	4004	csboyDVD.dll	84
PID 4004 wrote to memory of 4384	4004	csboyDVD.dll	84
PID 4004 wrote to memory of 4384	4004	csboyDVD.dll	84
PID 4560 wrote to memory of 3068	4560	99d5d13bded91f8dc27da9df343d1e01.exe	85
PID 4560 wrote to memory of 3068	4560	99d5d13bded91f8dc27da9df343d1e01.exe	85
PID 4560 wrote to memory of 3068	4560	99d5d13bded91f8dc27da9df343d1e01.exe	85
PID 4560 wrote to memory of 4736	4560	99d5d13bded91f8dc27da9df343d1e01.exe	86
PID 4560 wrote to memory of 4736	4560	99d5d13bded91f8dc27da9df343d1e01.exe	86
PID 4560 wrote to memory of 4736	4560	99d5d13bded91f8dc27da9df343d1e01.exe	86
PID 4736 wrote to memory of 1944	4736	tuziboyAuTo.dll	89
PID 4736 wrote to memory of 1944	4736	tuziboyAuTo.dll	89
PID 4736 wrote to memory of 1944	4736	tuziboyAuTo.dll	89
PID 4824 wrote to memory of 3676	4824	tuziboyAuTo.dll	88
PID 4824 wrote to memory of 3676	4824	tuziboyAuTo.dll	88
PID 4824 wrote to memory of 3676	4824	tuziboyAuTo.dll	88
PID 4560 wrote to memory of 4536	4560	99d5d13bded91f8dc27da9df343d1e01.exe	92
PID 4560 wrote to memory of 4536	4560	99d5d13bded91f8dc27da9df343d1e01.exe	92
PID 4560 wrote to memory of 4536	4560	99d5d13bded91f8dc27da9df343d1e01.exe	92

C:\Users\Admin\AppData\Local\Temp\99d5d13bded91f8dc27da9df343d1e01.exe
"C:\Users\Admin\AppData\Local\Temp\99d5d13bded91f8dc27da9df343d1e01.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Program Files\Common Files\Services\csboyDVD.dll
  "C:\Program Files\Common Files\Services\csboyDVD.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe
    "C:\Users\Admin\AppData\Local\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4384
- C:\Program Files\Common Files\Tencent\services.exe
  "C:\Program Files\Common Files\Tencent\services.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
  "C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Program Files\Common Files\Tencent\services.exe
    "C:\Program Files\Common Files\Tencent\services.exe"
    3⤵
    - Executes dropped EXE
    PID:1944
- C:\Program Files\Common Files\Services\csboyTT.dll
  "C:\Program Files\Common Files\Services\csboyTT.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4536

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files\Common Files\Tencent\services.exe
  "C:\Program Files\Common Files\Tencent\services.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\csboyDVD.dll

Filesize
78KB

MD5
9ba107039695fc822e83d18e882b3a40

SHA1
5784210e03c7a77ec5b3c8f1f5ea8c3f9962973f

SHA256
5c0a71979448beafe99daad92b7ac44eb7394fd6eeeb9babafe880e42b61c155

SHA512
e92a9304df3109f87da010a1185714af68962e739bd9679c640b019c56c26c76111a088ce5d67b2aaa938a703cdad196af05fbb27fddbc40f89c9b28070dc283

Download Submit
C:\Program Files\Common Files\Services\csboyDVD.dll

Filesize
512KB

MD5
d1c354e85e790c749ed1787468228090

SHA1
e946a192be2991aa293fc91b7e46b31f046d39c0

SHA256
304e9bfff34449a5ece2327bb5f9c09db22a57761b8e45c330a68939336ff79b

SHA512
c279b6ea57aca46528ba2bbca7cb951b210eb39c006e679607b3136490f1a7110240035b798f22a788412de65a85d0867d0b354c2fbfc2556831abe3aedcbc2d

Download Submit
C:\Program Files\Common Files\Services\csboyTT.dll

Filesize
384KB

MD5
3a76eb54524ba44336fc1a89676750c2

SHA1
f15b3e437a257ab1f68055fa70abf31e213ab7cd

SHA256
e68528f42d3ac3c72545df58405db3f3e4f844a3d351efa1b96476710216978f

SHA512
18d1d6655d61bd861cbc6a73e3166edda7354f24a41d2e0da87884023582132e76a93fd8172bde88566e08a2a2c120bb1ebb5fde375f61fd82d85854418dfd59

Download Submit
C:\Program Files\Common Files\Services\csboyTT.dll

Filesize
320KB

MD5
31a5612d4371d62ca1f66b00c15f7ef2

SHA1
5b6507ed4405eded19b4bc130fad7145c8cc30d3

SHA256
c64385867d2b1a0c9e8fafc8647e89e8d0996fec2aee2f18d41d8d2fd1c6dd80

SHA512
fa6bfa6c5e3f82e4b9ca4caadf06c03f2934e7bce2490d4496f4a0e6e32df1070e8db1322f9b6b8145db0e6ad7f609cce4f3666c1147eb278a38986e9c39639f

Download Submit
C:\Program Files\Common Files\Tencent\services.exe

Filesize
4.7MB

MD5
4acf08b141a588df99c98c75a024ee70

SHA1
91b91be6a80bffaec2051008ca1508c4b3ecfc44

SHA256
839facd24cc8087b767b3dddd5d267598cee6efdba9ec954d4619f733a951451

SHA512
a675f7389b71164ad67f3fab7b484a4ff986d70557b4e727446cdc85bcafb75eeee84c9a831623ad24ab0961a4225d59c2574fb0d7bb22b49ffc77dfe57ec468

Download Submit
C:\Program Files\Common Files\Tencent\services.exe

Filesize
4.8MB

MD5
88497f8bae69c19cc07fd7062b3e83a7

SHA1
817728f218b072eb6f19aea8d68498806b9902fc

SHA256
d4f9e9c2d382d660aeb01a4c53cf61d785fdc6c98b2ba230953646def00b35a4

SHA512
d5fc84e08d365328b7da04fe714c87db2dbd32a90fc34181de485761a66db24efab40e8f5bdff7afb4c555cb719602cae551f43f1b53f45381300d12bf121187

Download Submit
C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

Filesize
4.8MB

MD5
72f04f4fd936ad0ad75d22d95aa86f0c

SHA1
15d53397a724138c254591081546ae2d8962f72f

SHA256
8e7f493012fb22b5c8e583801ef457ebec950f54efc15140c292e2d158c588fc

SHA512
715deb6ef317901eb259d743d3b91564207b7afec6b70f9d43c975c3ba06ba06a673602ff9aec68baa550d175ed644fe4062bf69e484dc3b3fb67a4c35c4a673

Download Submit
C:\Users\Admin\AppData\Local\Temp\new_ddd67.exe_6B78578B7097C08EB500D2F8B8A1C1AC01931605.exe

Filesize
252KB

MD5
2f2a53a5a70506ac9bfca1838e081e1a

SHA1
fc6f91131dafcd78df6c5d6d44e837e22d80ec2c

SHA256
8731e946c9686c0aff66d9297073e1710b7c442e443a3ebc9f580089dc32880e

SHA512
1e8e343ebe5350d5666bc9072f078736c9e66d7d0dcfefc02b8d8642a45c1967f55df6e658428c0487ccbbc382d261b14a910d2c5d9bdd39b46f03dbaf14381b

Download Submit
memory/1944-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3676-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4004-11-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4004-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4004-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4004-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4384-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4560-53-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4560-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4560-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4560-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4736-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4736-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4824-45-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4824-39-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads