Malware Analysis Report

2025-03-15 05:43

Sample ID 240509-pt6vxshh81
Target 2a01d36ca6a333b9eb0cbce7386cd85c_JaffaCakes118
SHA256 47a983035cbe36a957034b8f8e5cd7dd56752b6b510a9a1c7e1eaa6c6116d57f
Tags upx aspackv2
Score 8/10

Analysis Overview

Score
8/10

SHA256

47a983035cbe36a957034b8f8e5cd7dd56752b6b510a9a1c7e1eaa6c6116d57f

Threat Level: Likely malicious

The file 2a01d36ca6a333b9eb0cbce7386cd85c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx aspackv2

Blocklisted process makes network request

UPX packed file

Loads dropped DLL

ASPack v2.12-2.42

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SendNotifyMessage

Runs regedit.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 12:38

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win7-20240419-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 336

Network

N/A

Files

memory/2288-0-0x0000000000400000-0x000000000047C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2Game\BH2.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4a0 0x50c

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3916-0-0x0000000000400000-0x000000000047C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe"

Signatures

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3600 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe C:\Windows\SysWOW64\regedit.exe
PID 3600 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe C:\Windows\SysWOW64\regedit.exe
PID 3600 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe"

C:\Windows\SysWOW64\regedit.exe

/s C:\Users\Admin\AppData\Local\Temp\cls3C1E.tmp

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\cls3C1E.tmp

MD5 49b0c13c4d1ab5773eccdc8aabd148dc
SHA1 328e2f7490ccbe8f3957fefdc53f22102d13378d
SHA256 dbaa23358bb88a9ddd96d25a10bd3d4c59d5af664e046ace9b9568e260b1061c
SHA512 f4aecb02c022841d22ade238ce13a985feba61b169168e08d7361521fafab5a8737d701fc0609bdd40ac049be793f706b2c9adc936a13347e6659cae9fbae51d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe"

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS

intro

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x538 0x534

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2864-0-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.ini

MD5 46f41e004709c7db1cb81d77d89df1ba
SHA1 e08f33bb3d5acd91d9b962b824f663372a820e32
SHA256 ad4b1821ecd6f8690f7169a2b120e775dac1c65b185ecada1ddddc41b6fb8c60
SHA512 7a7d7b0a09baab6278f70edf0a5d7dcc591f7d0cd790247331d2ee1590700baad2358c6cd6cc7e3ec1b54733d10d521fdc011771bd4cdabb4d9f0dd7926342e1

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win7-20240508-en

Max time kernel

140s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BH2002\\" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BH2002\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 box.962.net udp
US 8.8.8.8:53 www.paopaoche.net udp
HK 43.135.124.120:80 www.paopaoche.net tcp
US 8.8.8.8:53 www.paopaoche.net udp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 paopaoche.net udp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 pic.paopaoche.net udp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
US 8.8.8.8:53 s6.cnzz.com udp
CN 220.185.168.234:80 s6.cnzz.com tcp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 cbjs.baidu.com udp
US 8.8.8.8:53 s94.cnzz.com udp
CN 119.188.176.49:80 cbjs.baidu.com tcp
CN 220.185.168.234:80 s94.cnzz.com tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp
CN 82.157.27.9:80 pic.paopaoche.net tcp

Files

memory/2056-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/2056-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\BH2002\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

\Users\Admin\AppData\Local\Temp\BH2002\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

C:\Users\Admin\AppData\Local\Temp\BH2002\rungame.ini

MD5 ed3e41f51455e531a87c3d763627d29c
SHA1 c476a4f0e1e0f5c0bd1a4336b1ecf2d06a95db4b
SHA256 9b1bb7e5ca961d23b60528b440131d3c95e82f6ff5899e6dc92bf30e9521cf25
SHA512 44298934aec280a8014fca361d9fb1477bef7b93df81955bd5d348158e4a00a7019f72f62781643c9e3d8c6bc2622602d59407bf35fa5093db7ffe17c70d1b34

memory/2056-27-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVDR4C1U\rank[1].htm

MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

memory/2056-59-0x0000000000400000-0x0000000000791000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\softmain[1].css

MD5 729aa1f32dc5fe22bc67e7d73895c9c5
SHA1 bd90148bf8c4c47c9639826bde9d2341423dfa73
SHA256 c62bf9e3e8def17b145ee84add6b6f62ec972fd3609dc2a4bf175a2c4b9dbb02
SHA512 813a6d68fbe51a01d3f148a298cdcbf83b7404c895349b6dc42204f29b63bf50ff13d0ff43938a75f6b00dcdd6ea40c422cf8464807a722f387a37b9539aa720

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\softui[1].js

MD5 b9582f731eda9c4b2d967fc6d0cd3c02
SHA1 bc79c5b327762f3f3cfb0045c5098f26bdf94ef9
SHA256 de223f2810d08af3ef852c54ad26381998ad6a50fe75142eb505ff8f7058ae36
SHA512 f348ea4e0e129a49fd1cb48fe34bf9cabbd2bfea3167a6fa7d0b91e993711bf19df0d158a4d81ce371516d4ebdb7d25de770e3a1fe59b2258245f203ed83e85a

memory/2056-117-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2056-119-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/2056-121-0x0000000000400000-0x0000000000791000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\ = "StartGame Library" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BH2002\\" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ = "ITaaaa" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BH2002\\PlayGame.exe" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624} C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\ = "IMyClose" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\TypeLib C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E61F1335-6EFE-4A33-86C1-D1505D96E624}\TypeLib\ = "{91F22F3C-B0D7-4777-A439-E0709A01D50B}" C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91F22F3C-B0D7-4777-A439-E0709A01D50B}\1.0 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9B96DE9-1158-41B6-B611-6AE96B2C44D9}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\PlayGame.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 box.962.net udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.paopaoche.net udp
HK 43.135.124.120:80 www.paopaoche.net tcp
HK 43.135.124.120:80 www.paopaoche.net tcp
HK 43.135.124.120:80 www.paopaoche.net tcp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 120.124.135.43.in-addr.arpa udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/2920-0-0x0000000000400000-0x0000000000791000-memory.dmp

memory/2920-1-0x0000000000830000-0x0000000000831000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BH2002\rungame.ini

MD5 1811a2a6ddd36df1f846f4eaa826cb4e
SHA1 edef399fed5ff6647d17ed37834e3eda45650a2f
SHA256 0b9842a6b7dbebd68ad9b29dec74a0caa32ff884c202cc52fb72a501b2a9144f
SHA512 6ba63c6d2c29f630431b666b822177216104cc877bb11acfaeb56caaf60836e89fa693b7f6016ed3f4878a769012ccb3319959bf111ca4484350f2cf0924aaa1

C:\Users\Admin\AppData\Local\Temp\BH2002\Greening.dll

MD5 82ccb4dd63833063abd1c56ea80b529a
SHA1 bd89dae631cb68e5fa0c53accc83881f7cd365b3
SHA256 e3dccccc8f63981e528b0823a149f234bfd7cb56a23618f5004e379f8ada7183
SHA512 c908c553b7b9b7053c5938e20fe3ff97591097c3237554da3197b4d078b24cd12a5bb01597347652c422aaa920e86dc38a3776b96a6cfd46222798a3f8036867

C:\Users\Admin\AppData\Local\Temp\BH2002\aqhttp.dll

MD5 3c9ec661f20ee6ca4bb17cfe7c0a5174
SHA1 9b9cbfe0e640d7e97c9c6caa5eb5fa9160cfcfe3
SHA256 71fd49b5c6af695e92eea36794025fca1b629cba62be6a5cdaf37648dd412c98
SHA512 2eebe718992a392c9a57a99cd3414e3a52fd14f06d52974d7700d57d9cf6dffafe80061f6f872edd4173982eabb95abbd99694760ce3fb35377513a8cf13ca5a

memory/2920-37-0x0000000000400000-0x0000000000791000-memory.dmp

memory/2920-39-0x0000000000830000-0x0000000000831000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win7-20231129-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\RegSetup.exe"

C:\Windows\SysWOW64\regedit.exe

/s C:\Users\Admin\AppData\Local\Temp\clsE72.tmp

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\clsE72.tmp

MD5 49b0c13c4d1ab5773eccdc8aabd148dc
SHA1 328e2f7490ccbe8f3957fefdc53f22102d13378d
SHA256 dbaa23358bb88a9ddd96d25a10bd3d4c59d5af664e046ace9b9568e260b1061c
SHA512 f4aecb02c022841d22ade238ce13a985feba61b169168e08d7361521fafab5a8737d701fc0609bdd40ac049be793f706b2c9adc936a13347e6659cae9fbae51d

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 476

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\bh2.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4e4

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.ini

MD5 46f41e004709c7db1cb81d77d89df1ba
SHA1 e08f33bb3d5acd91d9b962b824f663372a820e32
SHA256 ad4b1821ecd6f8690f7169a2b120e775dac1c65b185ecada1ddddc41b6fb8c60
SHA512 7a7d7b0a09baab6278f70edf0a5d7dcc591f7d0cd790247331d2ee1590700baad2358c6cd6cc7e3ec1b54733d10d521fdc011771bd4cdabb4d9f0dd7926342e1

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win7-20240221-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\安装程序.exe

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 www.paopaoche.net udp
HK 43.135.124.120:443 www.paopaoche.net tcp
US 8.8.8.8:53 8pic.paopaoche.net udp
US 8.8.8.8:53 c.qx5577.com udp
CN 82.157.27.9:80 8pic.paopaoche.net tcp
CN 82.157.27.9:80 8pic.paopaoche.net tcp
CN 82.157.27.9:80 8pic.paopaoche.net tcp

Files

memory/2968-0-0x0000000001080000-0x000000000117F000-memory.dmp

C:\BH2002\Fichas\creditos\credE03.tga

MD5 37ffc547dd151b44186ae3bb7963eaec
SHA1 d6b45691f6c11535fe07aeca50dbb62e6900a85a
SHA256 3a48ab5e024902907e074494c2c79190fa86052e5ad79b19cd07f3cdca3d1b1c
SHA512 496f0f5b1ad3053a8d7a47048ee5a22f9d90ffadf21d656ead6cec1c8f3f567ad3c555f7581c20e37768495f4bf0c88777dc94e0cafc1d50a6810b190efca70d

C:\BH2002\Fichas\creditos\credE04.tga

MD5 38a83a9dede09a5c7405f847a3942505
SHA1 6965c6b005c7ad1008eda710c121e3793bd6fc50
SHA256 0af5c14a6fd20157bd9986048656ed72f0fe12026955fabcfca31730ce49e002
SHA512 ee8c8ae8f1f4803f192cf97611495b04ecaee5fff244dc4bc9734470cd78e503e8d57c036a885e8a95bd072bd3fe7aa4768aa700d2b476dc8f365601255ac34d

C:\BH2002\Fichas\data\APC103.tga

MD5 954128cdb3b7d54a032cac323df07c36
SHA1 522e06ce4ae75ad3b7a36f31040d781d91546c91
SHA256 19e6ff911bbf9fbf711088424fa1d7ec8463938f073c14752e76abcf6f107a30
SHA512 eff7650d539ae340a4c4f697ce9131ff51d2cd75803dd18a66e0d037373fdf68f135fbad2bb6fe4b43a62a81a5106f89ebac53a97f4cfbfb5de11c998a5f5d97

C:\BH2002\Fichas\data\APC104.tga

MD5 cf0b986ee1a87211469d4dc7ee7cb091
SHA1 335cf09097cc50cbd11407ce5a9bfd79c91b09e9
SHA256 a7e4760700fb79cf7023b04eec4e8a6f477101eb77702f0db45538d5c230bca2
SHA512 660aca847da7f32910f742b68dd75a576a49ecec4a8bba7a1db2b8f64416c6c46c1ab39fcd75152a0636e3916978fc3b98703d33d1acbd281ff6bf6c55c5dd44

C:\BH2002\Fichas\data\C13001.tga

MD5 6dce83fa4ab6162e860ceaf28a7588a1
SHA1 b468f0a3e9d4c7fa95412859795ea522c526c2d0
SHA256 7757887d55aefa7b07e81be85489e57b59f27ff051ebc0157b180593e7c7175b
SHA512 e2ce04c3c043e9fb3f5349ff5489ecb37c272a90e7d6b92963923a44d11c7f9bc0c6b3bbbf23a23a7d9668db53849a601323d035148efc6b08b247179498cfb3

C:\BH2002\Fichas\data\C13002.tga

MD5 0268652e66817c76ec0afd9287abb73e
SHA1 822f0002371541318d103e3dc43a1d89981bbdf9
SHA256 b1d8a16dae51fd4d583fa499a97a88c735f70253e8eafbbc170da0e664eb8d5f
SHA512 84a78e9892252a6950b2916d009e0fbee39446e8e17dcb72a6716f50da7ec677a504488f943e6d3b46582f29100b16768e212e6daa95a9d9e30dded0ace795c4

C:\BH2002\Fichas\Options\Video03.tga

MD5 4d1cd5a570ddd8b79f3d605dc4992e1f
SHA1 f22c35045123ce9af7cfe94920676bc2af268df0
SHA256 88cf636b8050e308804559dc9bf6b2d6e504275e928896bc81c733125b87fdb5
SHA512 df064a587b76e97702c37900cd17a6c03ccdd3d4f43ea9aede8a511c3fb979ec32b5d4eb0255d8776519ffab0471c499c5707315d7d4070869644a71432438ae

C:\BH2002\Fichas\Texmenu\menu1 file.tga

MD5 d8d9c4487d50f761fa5d67293f34b9c6
SHA1 16e925ceeb674240ebef6194fcfcdf40d6f27eaf
SHA256 f9f04ac9d24a0a66baefb7f10ce3012ca069c2993dfc8f1eae58b709c25d894b
SHA512 dda65325db90f42dedd019566e2e794b1e12a3246108c3505c04d10b16725005ace738965fb586224b1f5d5f7ed3d00093856a3469efc0b4c1592790f9254fb7

memory/2968-427-0x0000000001080000-0x000000000117F000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\安装程序.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\安装程序.exe

"C:\Users\Admin\AppData\Local\Temp\安装程序.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 paopaoche.net udp
HK 43.135.124.120:80 paopaoche.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
BE 2.17.107.130:443 www.bing.com tcp
HK 43.135.124.120:443 paopaoche.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 120.124.135.43.in-addr.arpa udp
US 8.8.8.8:53 130.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
BE 2.17.107.130:443 www.bing.com tcp
US 8.8.8.8:53 www.paopaoche.net udp
HK 43.135.124.120:443 www.paopaoche.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 8pic.paopaoche.net udp
CN 82.157.27.9:80 8pic.paopaoche.net tcp
US 8.8.8.8:53 c.qx5577.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
CN 82.157.27.9:80 8pic.paopaoche.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
CN 82.157.27.9:80 8pic.paopaoche.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
SE 192.229.221.95:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/392-0-0x0000000000FD0000-0x00000000010CF000-memory.dmp

C:\BH2002\Fichas\creditos\credE04.tga

MD5 38a83a9dede09a5c7405f847a3942505
SHA1 6965c6b005c7ad1008eda710c121e3793bd6fc50
SHA256 0af5c14a6fd20157bd9986048656ed72f0fe12026955fabcfca31730ce49e002
SHA512 ee8c8ae8f1f4803f192cf97611495b04ecaee5fff244dc4bc9734470cd78e503e8d57c036a885e8a95bd072bd3fe7aa4768aa700d2b476dc8f365601255ac34d

C:\BH2002\Fichas\data\C13002.tga

MD5 0268652e66817c76ec0afd9287abb73e
SHA1 822f0002371541318d103e3dc43a1d89981bbdf9
SHA256 b1d8a16dae51fd4d583fa499a97a88c735f70253e8eafbbc170da0e664eb8d5f
SHA512 84a78e9892252a6950b2916d009e0fbee39446e8e17dcb72a6716f50da7ec677a504488f943e6d3b46582f29100b16768e212e6daa95a9d9e30dded0ace795c4

C:\BH2002\Fichas\data\C13001.tga

MD5 6dce83fa4ab6162e860ceaf28a7588a1
SHA1 b468f0a3e9d4c7fa95412859795ea522c526c2d0
SHA256 7757887d55aefa7b07e81be85489e57b59f27ff051ebc0157b180593e7c7175b
SHA512 e2ce04c3c043e9fb3f5349ff5489ecb37c272a90e7d6b92963923a44d11c7f9bc0c6b3bbbf23a23a7d9668db53849a601323d035148efc6b08b247179498cfb3

C:\BH2002\Fichas\Options\Video03.tga

MD5 4d1cd5a570ddd8b79f3d605dc4992e1f
SHA1 f22c35045123ce9af7cfe94920676bc2af268df0
SHA256 88cf636b8050e308804559dc9bf6b2d6e504275e928896bc81c733125b87fdb5
SHA512 df064a587b76e97702c37900cd17a6c03ccdd3d4f43ea9aede8a511c3fb979ec32b5d4eb0255d8776519ffab0471c499c5707315d7d4070869644a71432438ae

C:\BH2002\Fichas\data\APC104.tga

MD5 cf0b986ee1a87211469d4dc7ee7cb091
SHA1 335cf09097cc50cbd11407ce5a9bfd79c91b09e9
SHA256 a7e4760700fb79cf7023b04eec4e8a6f477101eb77702f0db45538d5c230bca2
SHA512 660aca847da7f32910f742b68dd75a576a49ecec4a8bba7a1db2b8f64416c6c46c1ab39fcd75152a0636e3916978fc3b98703d33d1acbd281ff6bf6c55c5dd44

C:\BH2002\Fichas\data\APC103.tga

MD5 954128cdb3b7d54a032cac323df07c36
SHA1 522e06ce4ae75ad3b7a36f31040d781d91546c91
SHA256 19e6ff911bbf9fbf711088424fa1d7ec8463938f073c14752e76abcf6f107a30
SHA512 eff7650d539ae340a4c4f697ce9131ff51d2cd75803dd18a66e0d037373fdf68f135fbad2bb6fe4b43a62a81a5106f89ebac53a97f4cfbfb5de11c998a5f5d97

C:\BH2002\Fichas\creditos\credE03.tga

MD5 37ffc547dd151b44186ae3bb7963eaec
SHA1 d6b45691f6c11535fe07aeca50dbb62e6900a85a
SHA256 3a48ab5e024902907e074494c2c79190fa86052e5ad79b19cd07f3cdca3d1b1c
SHA512 496f0f5b1ad3053a8d7a47048ee5a22f9d90ffadf21d656ead6cec1c8f3f567ad3c555f7581c20e37768495f4bf0c88777dc94e0cafc1d50a6810b190efca70d

C:\BH2002\Fichas\Texmenu\menu1 file.tga

MD5 d8d9c4487d50f761fa5d67293f34b9c6
SHA1 16e925ceeb674240ebef6194fcfcdf40d6f27eaf
SHA256 f9f04ac9d24a0a66baefb7f10ce3012ca069c2993dfc8f1eae58b709c25d894b
SHA512 dda65325db90f42dedd019566e2e794b1e12a3246108c3505c04d10b16725005ace738965fb586224b1f5d5f7ed3d00093856a3469efc0b4c1592790f9254fb7

memory/392-418-0x0000000000FD0000-0x00000000010CF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 12:38

Reported

2024-05-09 12:41

Platform

win7-20240221-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe

"C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {09671ded-a376-46f4-b248-9763ed9bfd76};C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe;1300

C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS

intro

Network

Country Destination Domain Proto
US 8.8.8.8:53 movie.metaservices.microsoft.com udp
US 65.55.5.170:80 movie.metaservices.microsoft.com tcp

Files

memory/1300-0-0x0000000000400000-0x0000000000407000-memory.dmp

memory/640-1-0x0000000000850000-0x0000000000857000-memory.dmp