Overview (overall score: 8)

Task | Platform | Score
Static | static | 3
apnetwork_...14.exe | windows7-x64 | 7
apnetwork_...14.exe | windows10-2004-x64 | 7
$PLUGINSDI...ls.dll | windows7-x64 | 3
$PLUGINSDI...ls.dll | windows10-2004-x64 | 3
$PLUGINSDI...em.dll | windows7-x64 | 3
$PLUGINSDI...em.dll | windows10-2004-x64 | 3
$PLUGINSDIR/UAC.dll | windows7-x64 | 3
$PLUGINSDIR/UAC.dll | windows10-2004-x64 | 3
$PLUGINSDI...ll.dll | windows7-x64 | 3
$PLUGINSDI...ll.dll | windows10-2004-x64 | 3
????.exe | windows7-x64 | 8
????.exe | windows10-2004-x64 | 8
LICENSES.c...m.html | windows7-x64 | 1
LICENSES.c...m.html | windows10-2004-x64 | 1
d3dcompiler_47.dll | windows10-2004-x64 | 3
ffmpeg.dll | windows7-x64 | 1
ffmpeg.dll | windows10-2004-x64 | 1
libEGL.dll | windows7-x64 | 1
libEGL.dll | windows10-2004-x64 | 1
libGLESv2.dll | windows7-x64 | 3
libGLESv2.dll | windows10-2004-x64 | 3
resources/elevate.exe | windows7-x64 | 1
resources/elevate.exe | windows10-2004-x64 | 1
resources/...rt.dll | windows7-x64 | 1
resources/...rt.dll | windows10-2004-x64 | 1
resources/...32.sys | windows10-2004-x64 | 1
resources/...64.sys | windows10-2004-x64 | 1
resources/...ce.exe | windows7-x64 | 1
resources/...ce.exe | windows10-2004-x64 | 1
resources/...un.dll | windows7-x64 | 3
resources/...un.dll | windows10-2004-x64 | 3
swiftshade...GL.dll | windows7-x64 | 1

Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 04:52
Static task: static1

Behavioral tasks (task | sample | resource):
behavioral1 | apnetwork_Setup_0.0.14.exe | win7-20240508-en
behavioral2 | apnetwork_Setup_0.0.14.exe | win10v2004-20240508-en
behavioral3 | $PLUGINSDIR/StdUtils.dll | win7-20240221-en
behavioral4 | $PLUGINSDIR/StdUtils.dll | win10v2004-20240611-en
behavioral5 | $PLUGINSDIR/System.dll | win7-20240419-en
behavioral6 | $PLUGINSDIR/System.dll | win10v2004-20240508-en
behavioral7 | $PLUGINSDIR/UAC.dll | win7-20240508-en
behavioral8 | $PLUGINSDIR/UAC.dll | win10v2004-20240611-en
behavioral9 | $PLUGINSDIR/WinShell.dll | win7-20240221-en
behavioral10 | $PLUGINSDIR/WinShell.dll | win10v2004-20240508-en
behavioral11 | ????.exe | win7-20240220-en
behavioral12 | ????.exe | win10v2004-20240508-en
behavioral13 | LICENSES.chromium.html | win7-20240508-en
behavioral14 | LICENSES.chromium.html | win10v2004-20240508-en
behavioral15 | d3dcompiler_47.dll | win10v2004-20240611-en
behavioral16 | ffmpeg.dll | win7-20240221-en
behavioral17 | ffmpeg.dll | win10v2004-20240611-en
behavioral18 | libEGL.dll | win7-20240611-en
behavioral19 | libEGL.dll | win10v2004-20240611-en
behavioral20 | libGLESv2.dll | win7-20240419-en
behavioral21 | libGLESv2.dll | win10v2004-20240508-en
behavioral22 | resources/elevate.exe | win7-20240508-en
behavioral23 | resources/elevate.exe | win10v2004-20240611-en
behavioral24 | resources/extraResources/WinDivert.dll | win7-20231129-en
behavioral25 | resources/extraResources/WinDivert.dll | win10v2004-20240508-en
behavioral26 | resources/extraResources/WinDivert32.sys | win10v2004-20240611-en
behavioral27 | resources/extraResources/WinDivert64.sys | win10v2004-20240508-en
behavioral28 | resources/extraResources/apn_service.exe | win7-20240508-en
behavioral29 | resources/extraResources/apn_service.exe | win10v2004-20240611-en
behavioral30 | resources/extraResources/wintun.dll | win7-20240611-en
behavioral31 | resources/extraResources/wintun.dll | win10v2004-20240611-en
behavioral32 | swiftshader/libEGL.dll | win7-20231129-en
General
- Target: ????.exe
- Size: 117.8MB
- MD5: e4fb5b6879486628df824ce3dcc2e007
- SHA1: d02c1ac09bf788a8708b8d8e35d9091756087415
- SHA256: 08442e8713ab66e3117f06372fbbda290e770630d79c5f46274d22af0caa5375
- SHA512: 37084049a706301ee19c6b3fe9ccacaed9b9e0dc4ecb58d9d0487c04c1e6029078ca0c3cec5c261dc28be5ad76590a25e24dc3b1ba4585c3c6412965165401e7
- SSDEEP: 1572864:Zbjpp6KvAbWqERVxLKeHbOnOO7uTss/iiwFTKlWOQsQxhEEkkiYvEX74BWpR9nai:bUXe8qhYvia1klj/
Malware Config
Signatures
-
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | ____.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | ____.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.飞机加速 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\____.exe --openAsHidden" | ____.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  4916 | sc.exe
  3628 | sc.exe
  1300 | sc.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{4C43B7F5-024E-4F37-AEA1-E7E47802392B} | ____.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process), identical rows collapsed with a hit count:
  3096 | ____.exe (2 hits)
  264 | ____.exe (2 hits)
  1656 | ____.exe (2 hits)
  4328 | ____.exe (4 hits)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process):
  3876 | ____.exe (3 hits)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid | process):
  3876 | ____.exe (4 hits)
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (description | pid | process | target pid | target process), identical rows collapsed with a hit count:
  wrote to memory of | 3876 | ____.exe | 208 | ____.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 3096 | ____.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 264 | ____.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 1656 | ____.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 4916 | sc.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 3628 | sc.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 1300 | sc.exe (3 hits)
  wrote to memory of | 3876 | ____.exe | 5024 | cmd.exe (3 hits)
  wrote to memory of | 5024 | cmd.exe | 3564 | apn_service.exe (3 hits)
  wrote to memory of | 3564 | apn_service.exe | 1308 | net.exe (3 hits)
  wrote to memory of | 1308 | net.exe | 1988 | net1.exe (3 hits)
  wrote to memory of | 1656 | ____.exe | 1688 | cmd.exe (3 hits)
  wrote to memory of | 1688 | cmd.exe | 1908 | cmd.exe (2 hits)
  wrote to memory of | 1908 | cmd.exe | 2916 | reg.exe (2 hits)
  wrote to memory of | 3876 | ____.exe | 4328 | ____.exe (3 hits)
Processes (indented by depth in the process tree; each entry gives the image path, PID, command line and the signatures that matched it)

C:\Users\Admin\AppData\Local\Temp\____.exe (PID 3876)
  command line: "C:\Users\Admin\AppData\Local\Temp\____.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\____.exe (PID 208)
    command line: C:\Users\Admin\AppData\Local\Temp\____.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\apnetwork /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\apnetwork\Crashpad --annotation=_productName=apnetwork --annotation=_version=0.0.14 --annotation=prod=Electron --annotation=ver=16.2.1 --initial-client-data=0x474,0x47c,0x480,0x450,0x484,0x770a970,0x770a980,0x770a98c

  C:\Users\Admin\AppData\Local\Temp\____.exe (PID 3096)
    command line: "C:\Users\Admin\AppData\Local\Temp\____.exe" --type=gpu-process --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 /prefetch:2
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\____.exe (PID 264)
    command line: "C:\Users\Admin\AppData\Local\Temp\____.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --mojo-platform-channel-handle=1980 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\____.exe (PID 1656)
    command line: "C:\Users\Admin\AppData\Local\Temp\____.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2348 /prefetch:1
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1688)
      command line: cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe (PID 1908)
        command line: C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\reg.exe (PID 2916)
          command line: C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

  C:\Windows\SysWOW64\sc.exe (PID 4916)
    command line: sc delete FadeService
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 3628)
    command line: sc delete APNetworkService
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 1300)
    command line: sc queryex APNetworkService
    - Launches sc.exe

  C:\Windows\SysWOW64\cmd.exe (PID 5024)
    command line: cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe" /install"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe (PID 3564)
      command line: "C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe" /install
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 1308)
        command line: net start APNetworkService
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1988)
          command line: C:\Windows\system32\net1 start APNetworkService

  C:\Users\Admin\AppData\Local\Temp\____.exe (PID 4328)
    command line: "C:\Users\Admin\AppData\Local\Temp\____.exe" --type=gpu-process --field-trial-handle=1612,18227286373489722873,2437656842608677934,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2896 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe (PID 4628)
  command line: C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads