Overview
overview
7Static
static
3泽华音�...32.dll
windows7-x64
1泽华音�...32.dll
windows10-2004-x64
1泽华音乐/Diag.dll
windows7-x64
1泽华音乐/Diag.dll
windows10-2004-x64
1泽华音�...ta.exe
windows7-x64
1泽华音�...ta.exe
windows10-2004-x64
1泽华音�...ew.dll
windows7-x64
1泽华音�...ew.dll
windows10-2004-x64
1泽华音�...io.exe
windows7-x64
3泽华音�...io.exe
windows10-2004-x64
3泽华音�...ay.dll
windows7-x64
1泽华音�...ay.dll
windows10-2004-x64
1泽华音�...fo.dll
windows7-x64
1泽华音�...fo.dll
windows10-2004-x64
1泽华音�...ad.dll
windows7-x64
1泽华音�...ad.dll
windows10-2004-x64
1泽华音�...nu.dll
windows7-x64
1泽华音�...nu.dll
windows10-2004-x64
1泽华音�...in.exe
windows7-x64
1泽华音�...in.exe
windows10-2004-x64
1泽华音�...ct.exe
windows7-x64
7泽华音�...ct.exe
windows10-2004-x64
7泽华音�...ng.htm
windows7-x64
1泽华音�...ng.htm
windows10-2004-x64
1泽华音�...eu.exe
windows7-x64
1泽华音�...eu.exe
windows10-2004-x64
1泽华音乐/reg.cmd
windows7-x64
5泽华音乐/reg.cmd
windows10-2004-x64
5泽华音�...��.url
windows7-x64
1泽华音�...��.url
windows10-2004-x64
1泽华音�...��.exe
windows7-x64
3泽华音�...��.exe
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 21:21
Static task
static1
Behavioral task
behavioral1
Sample
泽华音乐/COMDLG32.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
泽华音乐/COMDLG32.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
泽华音乐/Diag.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral4
Sample
泽华音乐/Diag.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
泽华音乐/LiveUpdata.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral6
Sample
泽华音乐/LiveUpdata.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
泽华音乐/RMListView.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral8
Sample
泽华音乐/RMListView.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
泽华音乐/Radio.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
泽华音乐/Radio.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
泽华音乐/SysTray.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral12
Sample
泽华音乐/SysTray.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
泽华音乐/TrayInfo.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral14
Sample
泽华音乐/TrayInfo.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
泽华音乐/UpdateDownload.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
泽华音乐/UpdateDownload.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
泽华音乐/XpMenu.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
泽华音乐/XpMenu.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
泽华音乐/data/User/RealPlugin.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral20
Sample
泽华音乐/data/User/RealPlugin.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
泽华音乐/data/User/system32/BsradioVisualEffect.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
泽华音乐/data/User/system32/BsradioVisualEffect.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
泽华音乐/data/User/web/Loading.htm
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral24
Sample
泽华音乐/data/User/web/Loading.htm
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
泽华音乐/liveu.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral26
Sample
泽华音乐/liveu.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
泽华音乐/reg.cmd
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral28
Sample
泽华音乐/reg.cmd
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
泽华音乐/新云软件.url
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral30
Sample
泽华音乐/新云软件.url
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
泽华音乐/泽华音乐安装.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral32
Sample
泽华音乐/泽华音乐安装.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
泽华音乐/reg.cmd
-
Size
492B
-
MD5
6ffe53e8cebb373d109a5d81b8da1c3f
-
SHA1
2219347b32baf3f6aff9b75482b2c5520d129c76
-
SHA256
4781fccb007580ddcd88f73c4e1f644caa74440f66377f69d4cc522e9df47e70
-
SHA512
1e11fe2211cd15c9ee72212ff1a24ca019bfac6ae5c51ea3066b0483167c0967afc90c75e89f0c03fe94ed656726261af18f9ff52a19771dd9e4acd259ff252e
Malware Config
Signatures
-
Drops file in System32 directory 14 IoCs
description ioc Process File created \??\c:\windows\system32\RMListView.dll cmd.exe File opened for modification \??\c:\windows\system32\RMListView.dll cmd.exe File created \??\c:\windows\system32\COMDLG32.OCX cmd.exe File created \??\c:\windows\system32\TrayInfo.dll cmd.exe File opened for modification \??\c:\windows\system32\SysTray.ocx cmd.exe File opened for modification \??\c:\windows\system32\XpMenu.dll cmd.exe File opened for modification \??\c:\windows\system32\UpdateDownload.dll cmd.exe File created \??\c:\windows\system32\SysTray.ocx cmd.exe File created \??\c:\windows\system32\UpdateDownload.dll cmd.exe File created \??\c:\windows\system32\XpMenu.dll cmd.exe File created \??\c:\windows\system32\Diag.dll cmd.exe File opened for modification \??\c:\windows\system32\Diag.dll cmd.exe File opened for modification \??\c:\windows\system32\COMDLG32.OCX cmd.exe File opened for modification \??\c:\windows\system32\TrayInfo.dll cmd.exe -
Runs .reg file with regedit 1 IoCs
pid Process 2620 regedit.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
pid Process 2632 regsvr32.exe 2684 regsvr32.exe 2752 regsvr32.exe 2420 regsvr32.exe 2576 regsvr32.exe 2628 regsvr32.exe 2724 regsvr32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2620 2856 cmd.exe 29 PID 2856 wrote to memory of 2620 2856 cmd.exe 29 PID 2856 wrote to memory of 2620 2856 cmd.exe 29 PID 2856 wrote to memory of 2632 2856 cmd.exe 30 PID 2856 wrote to memory of 2632 2856 cmd.exe 30 PID 2856 wrote to memory of 2632 2856 cmd.exe 30 PID 2856 wrote to memory of 2632 2856 cmd.exe 30 PID 2856 wrote to memory of 2632 2856 cmd.exe 30 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2632 wrote to memory of 2672 2632 regsvr32.exe 31 PID 2856 wrote to memory of 2684 2856 cmd.exe 32 PID 2856 wrote to memory of 2684 2856 cmd.exe 32 PID 2856 wrote to memory of 2684 2856 cmd.exe 32 PID 2856 wrote to memory of 2684 2856 cmd.exe 32 PID 2856 wrote to memory of 2684 2856 cmd.exe 32 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2684 wrote to memory of 2568 2684 regsvr32.exe 33 PID 2856 wrote to memory of 2752 2856 cmd.exe 34 PID 2856 wrote to memory of 2752 2856 cmd.exe 34 PID 2856 wrote to memory of 2752 2856 cmd.exe 34 PID 2856 wrote to memory of 2752 2856 cmd.exe 34 PID 2856 wrote to memory of 2752 2856 cmd.exe 34 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2752 wrote to memory of 2540 2752 regsvr32.exe 35 PID 2856 wrote to memory of 2420 2856 cmd.exe 36 PID 2856 wrote to memory of 2420 2856 cmd.exe 36 PID 2856 wrote to memory of 2420 2856 cmd.exe 36 PID 2856 wrote to memory of 2420 2856 cmd.exe 36 PID 2856 wrote to memory of 2420 2856 cmd.exe 36 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2420 wrote to memory of 2532 2420 regsvr32.exe 37 PID 2856 wrote to memory of 2576 2856 cmd.exe 38 PID 2856 wrote to memory of 2576 2856 cmd.exe 38 PID 2856 wrote to memory of 2576 2856 cmd.exe 38 PID 2856 wrote to memory of 2576 2856 cmd.exe 38 PID 2856 wrote to memory of 2576 2856 cmd.exe 38 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2576 wrote to memory of 2664 2576 regsvr32.exe 39 PID 2856 wrote to memory of 2628 2856 cmd.exe 40
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\泽华音乐\reg.cmd"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\regedit.exeregedit.exe /s Reg.reg2⤵
- Runs .reg file with regedit
PID:2620
-
-
C:\Windows\system32\regsvr32.exeregsvr32 COMDLG32.OCX -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\regsvr32.exeCOMDLG32.OCX -s3⤵PID:2672
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 Diag.dll -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\regsvr32.exeDiag.dll -s3⤵PID:2568
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 TrayInfo.dll -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\regsvr32.exeTrayInfo.dll -s3⤵PID:2540
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 UpdateDownload.dll -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\regsvr32.exeUpdateDownload.dll -s3⤵PID:2532
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 RMListView.dll -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\regsvr32.exeRMListView.dll -s3⤵PID:2664
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 SysTray.ocx -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2628 -
C:\Windows\SysWOW64\regsvr32.exeSysTray.ocx -s3⤵PID:2440
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 XpMenu.dll -s2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2724 -
C:\Windows\SysWOW64\regsvr32.exeXpMenu.dll -s3⤵PID:2608
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD5d76f0eab36f83a31d411aeaf70da7396
SHA19bc145b54500fb6fbea9be61fbdd90f65fd1bc14
SHA25646f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c
SHA5129c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d
-
Filesize
137KB
MD5b73809a916e6d7c1ae56f182a2e8f7e2
SHA134e4213d8bf0e150d3f50ae0bd3f5b328e1105f5
SHA25664c6ee999562961d11af130254ad3ffd24bb725d3c18e7877f9fd362f4936195
SHA51226c28cb6c7e1b47425403ab8850a765ac420dd6474327ce8469376219c830ab46218383d15a73c9ea3a23fc6b5f392ee6e2a1632a1bf644b1bd1a05a4729e333
-
Filesize
316KB
MD5842b3d7091aab7ae1c28e3a85bb3fa8e
SHA1c4fa2a9f28daeabd8a9e7db9c7873da0e6a7e4e8
SHA256babd698ae6f99c31b75e0c9c9fd6a2fd6b6f04cfd85602a4563fff682fd5ba8d
SHA5126e7c3a36218fe1138b96d6571770349134c1682e159ae56f757bc9b800c61c73d484c8f5bc9a322c6f27a3ff3e41161df114fd123a2fe168ff277542c23c8550
-
Filesize
40KB
MD5b7d9fd13383422cde37c58e1f4816a6a
SHA198591490a342685b82dac21def58bb50de8552a4
SHA256337d63f0d2bb3d3d5ce1e231bfc0f353806c5271bbba1b74f163c8ec589ba648
SHA5129442c50eacc45a0351281473488bb8bd5065e3433cc7968860f3df314633ce68779b1ec4861e9c0292e3861a51a23ce4b89a40cc57f3dffec8b9baf2cab36047
-
Filesize
40KB
MD53a2347459c6122c3a0fda54f5c0f01e3
SHA12da8d828ddc4780f8e703b3d1e009e58789cf9e2
SHA2565558433c2eff9a42ad9027df14e7bb9899b036e4766f7ed039c6fed18bef1521
SHA512fd4c632b13a127a365a6d78eaa747b12dd69ede3f3714cdc6e75ede62211741799eaee11f36a952d3c8361c0bf5310e84a809a27cabd63a3842e744ccb84bf0b
-
Filesize
536KB
MD55b8ce3afe029616f9b913d9c01692f40
SHA1d7f1e6aef62411d7835c5c4bfdbaa291434eba6d
SHA2569be9ff23e0ef787fc65d4775d20e00fb235cde38de45c5b418386d0ace76d101
SHA512b7a1ac5ab35072c689ce36263531547e320a91b20b77ae362ae88dbc31d74360c3f286c2bf74661dd473d01530ad9cf1a764dab964202eba85d27b118135d4cf
-
Filesize
232KB
MD54c70a59a1588e1394adb9e703bc9d291
SHA1907034dc1dbdeaeac0153d3b28fbb1ef6c7371ab
SHA256ed5f2358d2449bf1eabcc04a63d314d7496b2bc4f1e466974b87d8a0c2eff8db
SHA51257d8d6f38013a622feb16692b1c3dc4fc5980ad9a18d22ac11e5d46324602937fc7a8abebad13f82cd42681a63de7a768a67f8badbd84e05e65e359367977e28