Overview
Analysis
- max time kernel: 145s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 07:56
Static task
- static1

Behavioral tasks
- behavioral1
  Sample: 热血江湖全功能小精灵 V18.4/新云软件.url
  Resource: win7-20240508-en
- behavioral2
  Sample: 热血江湖全功能小精灵 V18.4/新云软件.url
  Resource: win10v2004-20240611-en
- behavioral3
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.js
  Resource: win7-20240508-en
- behavioral4
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.js
  Resource: win10v2004-20240508-en
- behavioral5
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm
  Resource: win7-20240611-en
- behavioral6
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm
  Resource: win10v2004-20240508-en
- behavioral7
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm
  Resource: win7-20240220-en
- behavioral8
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm
  Resource: win10v2004-20240611-en
- behavioral9
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm
  Resource: win7-20231129-en
- behavioral10
  Sample: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm
  Resource: win10v2004-20240226-en

The sample file names above are kept verbatim; the three .htm entries are different files whose names are all cut off on the page at the same point. In English the archive is "热血江湖 all-in-one helper V18.4" (热血江湖 is an online game title), the second entry is a "新云软件" (Xinyun Software) Internet shortcut, the folder name reads "热血江湖 official position on 按键精灵" (按键精灵 is the Quick Macro keyboard/mouse automation tool), and the analysed file names begin "热血江湖-Beware".
General
- Target: 热血江湖全功能小精灵 V18.4/热血江湖官方对按键精灵的看法/热血江湖-警惕�.htm (this behavioural task ran on win10v2004-20240611-en; the file name is truncated on the page)
- Size: 1KB
- MD5: 01f3bec9218a41e75dbfb1d973eb7f56
- SHA1: ca919312eee0f756e268db13c1760d81007f8436
- SHA256: ea39bd46309afd2d5dd165f1e2636e4454a61dd8cf7cc21580de565a3b0c9da7
- SHA512: d568079828d7754fceb6027855e01f7d4251698cab209661fa5966010ef347e35955dd34b903526dd49fd3141f2895daa2ba548ce074b546a99042066f90f9a7

Malware Config
- none extracted
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process | occurrences
  4932 | msedge.exe | 2
  3168 | msedge.exe | 2
  936 | identity_helper.exe | 2
  1152 | msedge.exe | 4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process | occurrences
  3168 | msedge.exe | 6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process | occurrences
  3168 | msedge.exe | 25
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process | occurrences
  3168 | msedge.exe | 24
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 3168 wrote to memory of 1068 | 3168 | msedge.exe | 83 | 2
  PID 3168 wrote to memory of 1148 | 3168 | msedge.exe | 84 | 40
  PID 3168 wrote to memory of 4932 | 3168 | msedge.exe | 85 | 2
  PID 3168 wrote to memory of 3660 | 3168 | msedge.exe | 86 | 20

Every flagged behaviour is attributed to the Edge browser process (PID 3168) that opened the .htm, or to helper processes it launched. Each WriteProcessMemory target (1068, 1148, 4932, 3660) is listed under 3168 in the Processes section as one of its own Edge child processes (crashpad handler, GPU process, network service, storage service), which is the normal Chromium multi-process startup pattern rather than a write into a foreign process, and the registry reads are of the BIOS manufacturer and product-name strings. The Network and MITRE ATT&CK sections of this report are empty, and no malware configuration was extracted.
Processes
- msedge.exe (PID 3168), image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\热血江湖全功能小精灵 V18.4\热血江湖官方对按键精灵的看法\热血江湖-警惕�.htm
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 1068), crashpad handler
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaea8446f8,0x7ffaea844708,0x7ffaea844718
  - msedge.exe (PID 1148), GPU process
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  - msedge.exe (PID 4932), network service (no service sandbox)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 3660), storage service
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  - msedge.exe (PID 4404), renderer
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  - msedge.exe (PID 2964), renderer
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  - identity_helper.exe (PID 2596), image C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  - identity_helper.exe (PID 936), image C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 2628), renderer
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  - msedge.exe (PID 3948), renderer (instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  - msedge.exe (PID 4640), renderer
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  - msedge.exe (PID 2268), renderer (instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  - msedge.exe (PID 1152), GPU process relaunched with --disable-gpu-sandbox --use-gl=disabled
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,3525048371374963922,7833843981547720081,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses
- CompPkgSrv.exe (PID 4332), image C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 2876), image C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
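The check a reviewer would actually run on the Signatures and Processes sections above, as an added example that is not part of the report or of any sandbox's own tooling: re-read the flattened "Suspicious use of WriteProcessMemory" row, pair every writer/target PID with the process tree, and confirm each target is a child the writer itself launched (normal for a Chromium browser process) rather than a foreign process, then list which children run with --service-sandbox-type=none. The record layout matched by the regular expression is assumed from the rows on this page, and both the sample row and the process tree are constructed, abbreviated excerpts of the report's data (PID 4332 stands in for an unrelated process).

```python
"""Added triage check for a sandbox report's WriteProcessMemory signature."""
import re
from collections import Counter

# Shape of one record as it is flattened on the page (assumed from the report):
# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_RECORD = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<seq>\d+)"
)

# Constructed, shortened excerpt in the same shape as the report's row.
SAMPLE_WPM_ROW = (
    "PID 3168 wrote to memory of 1068 3168 msedge.exe 83 "
    "PID 3168 wrote to memory of 1068 3168 msedge.exe 83 "
    "PID 3168 wrote to memory of 1148 3168 msedge.exe 84 "
    "PID 3168 wrote to memory of 4932 3168 msedge.exe 85 "
    "PID 3168 wrote to memory of 3660 3168 msedge.exe 86 "
    "PID 3168 wrote to memory of 3660 3168 msedge.exe 86"
)

# Constructed process tree: pid -> (parent pid, command line), abbreviated from
# the report's Processes section; 4332 is an unrelated process for contrast.
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
SAMPLE_TREE = {
    3168: (None, EDGE + r" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.htm"),
    1068: (3168, EDGE + " --type=crashpad-handler --monitor-self-annotation=ptype=crashpad-handler"),
    1148: (3168, EDGE + " --type=gpu-process --mojo-platform-channel-handle=2236"),
    4932: (3168, EDGE + " --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
    3660: (3168, EDGE + " --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility"),
    4332: (None, r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
}


def parse_wpm_row(row):
    """Collapse a flattened row into {(writer, target, image): count}."""
    counts = Counter()
    for m in WPM_RECORD.finditer(row):
        counts[(int(m["writer"]), int(m["target"]), m["image"])] += 1
    return counts


def chromium_role(cmdline):
    """Chromium child type from --type=; the browser process carries no --type flag."""
    m = re.search(r"--type=(\S+)", cmdline)
    return m.group(1) if m else "browser"


def service_sandbox(cmdline):
    """Value of --service-sandbox-type, or None when the flag is absent."""
    m = re.search(r"--service-sandbox-type=(\S+)", cmdline)
    return m.group(1) if m else None


def classify_writes(counts, tree):
    """Label each writer->target edge: 'own-child' when the tree shows the writer
    spawned the target, 'cross-process' when it did not, 'unknown-target' when
    the target PID is missing from the tree."""
    result = {}
    for (writer, target, image), n in counts.items():
        if target not in tree:
            verdict, role = "unknown-target", None
        else:
            parent, cmdline = tree[target]
            verdict = "own-child" if parent == writer else "cross-process"
            role = chromium_role(cmdline)
        result[(writer, target)] = {"image": image, "count": n,
                                    "verdict": verdict, "target_role": role}
    return result


def unsandboxed_children(tree, parent):
    """Children of `parent` started with --service-sandbox-type=none: the ones
    worth a second look if anything else in a report is suspicious."""
    return sorted(pid for pid, (ppid, cmd) in tree.items()
                  if ppid == parent and service_sandbox(cmd) == "none")


def triage(row, tree):
    """Summarise a row: total records, distinct edges, and every edge that is not
    a write into the writer's own child."""
    writes = classify_writes(parse_wpm_row(row), tree)
    return {
        "records": sum(v["count"] for v in writes.values()),
        "edges": len(writes),
        "not_own_child": sorted(k for k, v in writes.items() if v["verdict"] != "own-child"),
        "writes": writes,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_WPM_ROW, SAMPLE_TREE)
    print(summary["records"], "records over", summary["edges"], "edges;",
          "not own child:", summary["not_own_child"])
    for (writer, target), info in summary["writes"].items():
        print(f"  {writer} -> {target} ({info['target_role']}): {info['count']}x {info['verdict']}")
    print("children with no service sandbox:", unsandboxed_children(SAMPLE_TREE, 3168))
```

Run against the full 64-record row and the complete tree from this report, every edge comes back as own-child, which is the basis for reading the signature as browser startup noise; a cross-process or unknown-target edge is what would turn it into a finding.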
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: c5abc082d9d9307e797b7e89a2f755f4
  SHA1: 54c442690a8727f1d3453b6452198d3ec4ec13df
  SHA256: a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
  SHA512: ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
- Filesize: 152B
  MD5: b4a74bc775caf3de7fc9cde3c30ce482
  SHA1: c6ed3161390e5493f71182a6cb98d51c9063775d
  SHA256: dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
  SHA512: 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
- Filesize: 5KB
  MD5: e56356018ef1d40f9338fda6cd0d93d3
  SHA1: d2b6b7ba8bd7c6f3f22cc7a7d443128e1274f83c
  SHA256: db831a93153db5a6025f574be46aebcf77517229a91ead6f14557a2f93464c30
  SHA512: b4b2e240ea12475a2a0336244dedaccde123b83ef7f48868620409527bba80d2cd4034992cb0459d62cbee449906215a974b5f75318aa8e5af4b58e9fd8821ac
- Filesize: 6KB
  MD5: 7818896fa6022a212099fc343ae9cdb5
  SHA1: 45ca98c9e92682a2c14256b24effd1d58d647108
  SHA256: fde393db771a05cf0b77eaec15c99750d7e32b44550f56b271188f407b63704f
  SHA512: 59e73ed18b6efa5fd88c8419676c454ccc2f36ad829143186ee3fea119b569c237e5e24ec890df578d2b387adc7f5a17bb2703200a3d9b877f4273c2c85c6055
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 11KB
  MD5: aaf2d621d988db86eff2bc2d09556c28
  SHA1: 10c0a431e4a3e71dd8226c76d89091cd631b37e6
  SHA256: 63a5d25290a239cb977a7043f67088bb411c9eb18da8f6c536a717b4d31bfcb2
  SHA512: 7a5de9bf9078d4ce35eac63757e9cf6d783b6716dbcf33d7f84e27af9ca394952b3d15fbe2502f1a5bf429c58259359e196aa282371687249574724d0bdbafae