Overview
overview
7Static
static
3JJmatch-v20101124.exe
windows7-x64
7JJmatch-v20101124.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3GCSkin/Def...t1.ps1
windows7-x64
3GCSkin/Def...t1.ps1
windows10-2004-x64
3LordTheme/...n0.ps1
windows7-x64
3LordTheme/...n0.ps1
windows10-2004-x64
3TKChatCtrl.dll
windows7-x64
1TKChatCtrl.dll
windows10-2004-x64
1TKEmotionPlayer.dll
windows7-x64
1TKEmotionPlayer.dll
windows10-2004-x64
1TKGC.exe
windows7-x64
1TKGC.exe
windows10-2004-x64
1TKGameChatCtrl.dll
windows7-x64
3TKGameChatCtrl.dll
windows10-2004-x64
3TKLobby.exe
windows7-x64
1TKLobby.exe
windows10-2004-x64
1TKLobby.exe
windows7-x64
1TKLobby.exe
windows10-2004-x64
1TKLord.exe
windows7-x64
1TKLord.exe
windows10-2004-x64
1TKLordDll.dll
windows7-x64
5TKLordDll.dll
windows10-2004-x64
5TKMahjongDll.dll
windows7-x64
4TKMahjongDll.dll
windows10-2004-x64
4TKMatchInfo.dll
windows7-x64
1TKMatchInfo.dll
windows10-2004-x64
1TKProducts...ion.js
windows7-x64
3TKProducts...ion.js
windows10-2004-x64
3Analysis
-
max time kernel
125s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 15:28
Static task
static1
Behavioral task
behavioral1
Sample
JJmatch-v20101124.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
JJmatch-v20101124.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
GCSkin/Default/BtnPot1.ps1
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
GCSkin/Default/BtnPot1.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
LordTheme/Default/ChangeYellowBoyBtn0.ps1
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral10
Sample
LordTheme/Default/ChangeYellowBoyBtn0.ps1
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
TKChatCtrl.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral12
Sample
TKChatCtrl.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
TKEmotionPlayer.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral14
Sample
TKEmotionPlayer.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
TKGC.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral16
Sample
TKGC.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
TKGameChatCtrl.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
TKGameChatCtrl.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
TKLobby.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral20
Sample
TKLobby.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
TKLobby.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral22
Sample
TKLobby.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
TKLord.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral24
Sample
TKLord.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
TKLordDll.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral26
Sample
TKLordDll.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
TKMahjongDll.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral28
Sample
TKMahjongDll.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
TKMatchInfo.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
TKMatchInfo.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
TKProducts/10/SpryAssets/SpryAccordion.js
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral32
Sample
TKProducts/10/SpryAssets/SpryAccordion.js
Resource
win10v2004-20240611-en
windows10-2004-x64
General
-
Target
TKEmotionPlayer.dll
-
Size
88KB
-
MD5
9790413b780b0cc28a8d041332c22ed2
-
SHA1
e8f8d35078f276f126d1427973290c0542bc4b1d
-
SHA256
9f57b712be7a1b9c00dffe3c1b8cb02d136c8fec09946331b2b29214a95c64e7
-
SHA512
4c2f7a4ea2dfb014f86b46080233c4740645d6ca64a771096e997bf90510619c67fe37d980f7b926310ccbb0ed98d44cc1ccc0ddcd1a4166d5620a4f3c494d85
-
SSDEEP
1536:nmXclcc4FZB1byQgT1FnmZ1o6QF9n3x1NBc5wcu2:mXscxZB1bZgTjnm/onFNx1NW5x
Malware Config
Signatures
-
Modifies registry class 62 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ = "EMotionPlayer Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\ = "{7BC231B9-3BB8-4811-9597-ED1270C7822A}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TKEmotionPlayer.DLL regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TKEmotionPlayer.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TKEmotionPlayer.dll, 6001" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus\1\ = "131473" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\ = "EMotionPlayer Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\VersionIndependentProgID\ = "TKEmotionPlayer.EMotionPlayer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\TypeLib\ = "{7BC231B9-3BB8-4811-9597-ED1270C7822A}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\ = "{7BC231B9-3BB8-4811-9597-ED1270C7822A}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\CLSID\ = "{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\Insertable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CLSID\ = "{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{24C0E520-9D35-43A6-8B6C-5D738137CEA1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Insertable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TKEmotionPlayer.DLL\AppID = "{24C0E520-9D35-43A6-8B6C-5D738137CEA1}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\ = "EMotionPlayer Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\AppID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer\CurVer\ = "TKEmotionPlayer.EMotionPlayer.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ = "IEMotionPlayer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ = "IEMotionPlayer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BC231B9-3BB8-4811-9597-ED1270C7822A}\1.0\ = "TKEmotionPlayer 1.0 ÀàÐÍ¿â" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TKEmotionPlayer.EMotionPlayer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\ProgID\ = "TKEmotionPlayer.EMotionPlayer.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\MiscStatus\1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55CB029F-12F5-41CB-9689-403194925D2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55CB029F-12F5-41CB-9689-403194925D2F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{24C0E520-9D35-43A6-8B6C-5D738137CEA1}\ = "TKEmotionPlayer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TKEmotionPlayer.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C77D9FC7-2BA5-4697-9CBC-0B6458F3B206}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3364 wrote to memory of 2652 3364 regsvr32.exe 83 PID 3364 wrote to memory of 2652 3364 regsvr32.exe 83 PID 3364 wrote to memory of 2652 3364 regsvr32.exe 83