Overview
overview
5Static
static
3Clanwar1.0...mp.dll
windows7-x64
1Clanwar1.0...mp.dll
windows10-2004-x64
3Clanwar1.0/CWBase.dll
windows7-x64
1Clanwar1.0/CWBase.dll
windows10-2004-x64
1Clanwar1.0...ib.dll
windows7-x64
3Clanwar1.0...ib.dll
windows10-2004-x64
3Clanwar1.0...gr.dll
windows7-x64
1Clanwar1.0...gr.dll
windows10-2004-x64
1Clanwar1.0...le.dll
windows7-x64
1Clanwar1.0...le.dll
windows10-2004-x64
5Clanwar1.0...rt.exe
windows7-x64
1Clanwar1.0...rt.exe
windows10-2004-x64
1Clanwar1.0...le.dll
windows7-x64
5Clanwar1.0...le.dll
windows10-2004-x64
5Clanwar1.0/FNWar3.dll
windows7-x64
1Clanwar1.0/FNWar3.dll
windows10-2004-x64
3Clanwar1.0/GGWAR3.dll
windows7-x64
1Clanwar1.0/GGWAR3.dll
windows10-2004-x64
3Clanwar1.0/GHDx8.dll
windows7-x64
1Clanwar1.0/GHDx8.dll
windows10-2004-x64
3Clanwar1.0...ta.dll
windows7-x64
1Clanwar1.0...ta.dll
windows10-2004-x64
1Clanwar1.0...oc.dll
windows7-x64
1Clanwar1.0...oc.dll
windows10-2004-x64
1Clanwar1.0...ll.dll
windows7-x64
1Clanwar1.0...ll.dll
windows10-2004-x64
1Clanwar1.0...ar.exe
windows7-x64
1Clanwar1.0...ar.exe
windows10-2004-x64
1Clanwar1.0...gr.dll
windows7-x64
1Clanwar1.0...gr.dll
windows10-2004-x64
1Clanwar1.0...pt.dll
windows7-x64
3Clanwar1.0...pt.dll
windows10-2004-x64
3Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21-07-2024 22:32
Static task
static1
Behavioral task
behavioral1
Sample
Clanwar1.0/AgentBmp.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
Clanwar1.0/AgentBmp.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Clanwar1.0/CWBase.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
Clanwar1.0/CWBase.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Clanwar1.0/ComCtrlLib.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
Clanwar1.0/ComCtrlLib.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Clanwar1.0/ConfigMgr.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
Clanwar1.0/ConfigMgr.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Clanwar1.0/ErrHandle.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
Clanwar1.0/ErrHandle.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Clanwar1.0/ErrorReport.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
Clanwar1.0/ErrorReport.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Clanwar1.0/EzIMClientModule.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
Clanwar1.0/EzIMClientModule.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Clanwar1.0/FNWar3.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
Clanwar1.0/FNWar3.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Clanwar1.0/GGWAR3.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
Clanwar1.0/GGWAR3.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Clanwar1.0/GHDx8.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
Clanwar1.0/GHDx8.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Clanwar1.0/GameStatDota.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
Clanwar1.0/GameStatDota.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Clanwar1.0/GetIPLoc.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
Clanwar1.0/GetIPLoc.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Clanwar1.0/HFAuthShell.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral26
Sample
Clanwar1.0/HFAuthShell.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Clanwar1.0/HFClanWar.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral28
Sample
Clanwar1.0/HFClanWar.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Clanwar1.0/HFDLMgr.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
Clanwar1.0/HFDLMgr.dll
Resource
win10v2004-20240704-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Clanwar1.0/HFEncrypt.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
Clanwar1.0/HFEncrypt.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
Clanwar1.0/EzIMClientModule.dll
-
Size
424KB
-
MD5
bc292a40ceaed5b8b8a61fa472b69b2a
-
SHA1
1e6d81a43c030ce5d4cc5267ce1adaf298fedb1d
-
SHA256
7b518889eb63355ddc5d334c45e081866e4ef41c9f8a7a911e345a5535906ca1
-
SHA512
596640a33c0ed5b0cb191597927126dd25d1f3c551a26e6204f3a8bdd9ce10e9757d55449b32668971f51a8b8b2aa36439c8645d09abe80e1d1839fe0d7a8c86
-
SSDEEP
6144:ttFyfQZMatkZOCvH92CVd6IB06a0Tx0vv/DNp/xPXSPKeQpUhV6YAOe0etmxj:RyfQZM+GOo9LTta0Ty/DRPX9eVgYD
Malware Config
Signatures
-
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\EzImLog\EzImClientModule.log rundll32.exe File opened for modification C:\Windows\SysWOW64\EZIMLog\NetLib\2024-07\21.log rundll32.exe File created C:\Windows\SysWOW64\EZIMLog\NetLib\2024-07\21.log rundll32.exe File opened for modification C:\Windows\SysWOW64\EzImLog\UDPStream.log rundll32.exe File created C:\Windows\SysWOW64\EzImLog\UDPStream.log rundll32.exe File opened for modification C:\Windows\SysWOW64\EzImLog\EzImClientModule.log rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2688 wrote to memory of 2704 2688 rundll32.exe 30 PID 2688 wrote to memory of 2704 2688 rundll32.exe 30 PID 2688 wrote to memory of 2704 2688 rundll32.exe 30 PID 2688 wrote to memory of 2704 2688 rundll32.exe 30 PID 2688 wrote to memory of 2704 2688 rundll32.exe 30 PID 2688 wrote to memory of 2704 2688 rundll32.exe 30 PID 2688 wrote to memory of 2704 2688 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Clanwar1.0\EzIMClientModule.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Clanwar1.0\EzIMClientModule.dll,#12⤵
- Drops file in System32 directory
PID:2704
-