Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: TCGhostRfs+18Tr-LNG.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: TCGhostRfs+18Tr-LNG.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: 游侠网专题导航-游侠网中国单机游戏门户.url
  Resource: win7-20240215-en
Behavioral task: behavioral4
  Sample: 游侠网专题导航-游侠网中国单机游戏门户.url
  Resource: win10v2004-20240508-en
General
Target: TCGhostRfs+18Tr-LNG.exe
Size: 2.0MB
MD5: e7669bb2da68c90eee43d5e81f57dd43
SHA1: c126fb02afe29f95415c61aa7be03165fd8cc854
SHA256: b0175c3718d0cb5fbdfddec360078b33a27f4f44a2dfa89bcc74420c8e65cdc9
SHA512: d839ef7a7f83d47183f750eb3633e84776feb040ac56a22661049f9ea6d450065f6263ec47d4e4df28652a38b956ddda8dbc5ae88d6267aaef02f0d524b0f065
SSDEEP: 49152:qeu3Nk8fnRcu9n5OyyVlYpFS/8buu8JJ/vZHDTZH:qV3S8vRcqCWFfbuu8X/5f1
Malware Config
Signatures
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Sets ThreadHideFromDebugger on a thread so that an attached debugger receives no events from it; a common anti-debugging measure.
  pid 3504  TCGhostRfs+18Tr-LNG.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3504  TCGhostRfs+18Tr-LNG.exe (the same pid/process pair is listed 64 times, one per enumeration)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3504  TCGhostRfs+18Tr-LNG.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: 33  pid 4312  AUDIODG.EXE
  description: Token: SeIncBasePriorityPrivilege  pid 4312  AUDIODG.EXE
  AUDIODG.EXE is the Windows Audio Device Graph Isolation process (C:\Windows\system32); both privilege adjustments are attributed to it, not to the sample.
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3504  TCGhostRfs+18Tr-LNG.exe
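The pid/Process rows of a signature are flattened into one long line, which makes it hard to see at a glance which process triggered what and how often. The script below is an added example, not code from the sandbox vendor or from this report: it parses that row layout into per-signature and per-process hit counts and cross-checks the summed hits against each signature's declared IoC count. The input is the Signatures block of this page reconstructed inline (the EnumeratesProcesses row rebuilt from its 64 identical entries); the `Token: ...` form is the only description/pid/Process layout it handles, because that is the only one this report shows.

```python
"""Parse flattened sandbox-report signature rows into per-process hit counts."""
import re
from collections import Counter, defaultdict

# Constructed input: the Signatures block of this report, as extracted. The
# EnumeratesProcesses row is rebuilt from its 64 identical pid/process entries.
SIGNATURE_BLOCK = "\n".join([
    "Checks installed software on the system 1 TTPs",
    "Looks up Uninstall key entries in the registry to enumerate software on the system.",
    "Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs",
    "pid Process 3504 TCGhostRfs+18Tr-LNG.exe",
    "Suspicious behavior: EnumeratesProcesses 64 IoCs",
    "pid Process " + " ".join(["3504 TCGhostRfs+18Tr-LNG.exe"] * 64),
    "Suspicious behavior: GetForegroundWindowSpam 1 IoCs",
    "pid Process 3504 TCGhostRfs+18Tr-LNG.exe",
    "Suspicious use of AdjustPrivilegeToken 2 IoCs",
    "description pid Process Token: 33 4312 AUDIODG.EXE "
    "Token: SeIncBasePriorityPrivilege 4312 AUDIODG.EXE",
    "Suspicious use of SetWindowsHookEx 1 IoCs",
    "pid Process 3504 TCGhostRfs+18Tr-LNG.exe",
])

# "<signature name> <count> IoCs|TTPs"
HEADER_RE = re.compile(r"^(?P<name>.+?) (?P<count>\d+) (?P<kind>IoCs|TTPs)$")
# "<pid> <process>" pairs repeated along a "pid Process ..." row
PID_PROC_RE = re.compile(r"(\d+) (\S+)")
# "Token: <value> <pid> <process>" triples along a "description pid Process ..." row
# (assumption: the only description layout present in this report)
DESC_RE = re.compile(r"(Token: \S+) (\d+) (\S+)")


def parse_signatures(text):
    """Return {signature name: {"kind", "declared", "hits"}}.

    hits is a Counter keyed by (pid, process) for pid/Process rows and by
    (description, pid, process) for description/pid/Process rows.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = {"kind": m.group("kind"),
                               "declared": int(m.group("count")),
                               "hits": Counter()}
        elif current is None:
            continue
        elif line.startswith("description pid Process "):
            result[current]["hits"].update(
                DESC_RE.findall(line[len("description pid Process "):]))
        elif line.startswith("pid Process "):
            result[current]["hits"].update(
                PID_PROC_RE.findall(line[len("pid Process "):]))
        # any other line is the free-text description of a TTP; nothing to count
    return result


def hits_by_pid(parsed):
    """Collapse to {pid: {signature name: hit count}} for a per-process view."""
    out = defaultdict(dict)
    for name, sig in parsed.items():
        for key, n in sig["hits"].items():
            pid = key[-2]  # pid is second-to-last in both tuple shapes
            out[pid][name] = out[pid].get(name, 0) + n
    return dict(out)


def check_counts(parsed):
    """Signatures whose summed hits differ from the declared IoC count.

    A mismatch usually means the extracted row was truncated or mis-parsed.
    """
    return [name for name, s in parsed.items()
            if s["kind"] == "IoCs" and sum(s["hits"].values()) != s["declared"]]


if __name__ == "__main__":
    parsed = parse_signatures(SIGNATURE_BLOCK)
    for pid, sigs in sorted(hits_by_pid(parsed).items()):
        print(pid)
        for name, n in sigs.items():
            print(f"  {n:>3}  {name}")
    print("count mismatches:", check_counts(parsed) or "none")
```

Run stand-alone it prints one block per pid; in this report everything except the two AdjustPrivilegeToken hits lands on pid 3504, which is the sample, while pid 4312 is AUDIODG.EXE.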
Processes
- C:\Users\Admin\AppData\Local\Temp\TCGhostRfs+18Tr-LNG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TCGhostRfs+18Tr-LNG.exe"
  PID: 3504
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x304 0x468
  PID: 4312
  - Suspicious use of AdjustPrivilegeToken