baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc

Resubmissions

06/08/2024, 15:36

240806-s1xglswgmf 8

06/08/2024, 15:33

240806-sy6mhasfrk 6

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Size

5.3MB
MD5

86e0f88dcc69e631df6cfd28bb5babb1
SHA1

e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
SHA256

baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
SHA512

c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
SSDEEP

98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	nemu-downloader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	nemu-downloader.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qt.conf	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\ItemDelegate.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-console-l1-1-0.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\device\RendererDetector.exe	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\SwitchSpecifics.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\SDL2.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Action.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\RadioButton.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\LocalStorage\qmllocalstorageplugin.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-filesystem-l1-1-0.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\mediaservice\wmfengine.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\icuin71.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\Tumbler.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\img\icon_failed.c0d96dda.svg	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMHostChannel.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdpUninstall.exe	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\7z1602\Far\7-ZipFar.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\zlib1.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\VerticalHeaderView.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\ApplicationWindow.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Window.2\windowplugin.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.sys	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\7z1602\Far\7-ZipRus.hlf	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMCAPI.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\Qt5Network.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\CheckBox.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\button-icon.png	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQml\qmlplugin.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\nemu-vboxmanager.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Pane.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\mumuvmmvmmr0.cat	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-heap-l1-1-0.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\img\system_icon.e37bd68f.svg	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\SpinBox.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMVMMR0.inf	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\Qt5PrintSupport.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\audio\qtaudio_wasapi.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\VerticalHeaderView.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\lang-sp-json.399cd4eb.js	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\AdbWinApi.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Page.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\GroupBox.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-conio-l1-1-0.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\msvcp140_2.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Control.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\CheckBox.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MuMuManager.exe	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\SwipeDelegate.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\combobox-icon.png	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Dial.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-file-l2-1-0.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\calendar\DayOfWeekRow.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MuMuPlayerRemote.exe	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\ToolBarSpecifics.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtTest\TestCase.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\sharedimage\plugins.qmltypes	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-namedpipe-l1-1-0.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\calendar\plugins.qmltypes	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\7z1602\Far\far7z.txt	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\MenuBarItem.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\[email protected]	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\qmltooling\qmldbg_messages.dll	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\GroupBox.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\ToolBar.qml	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Executes dropped EXE 7 IoCs

pid	Process
1516	nemu-downloader.exe
2952	ColaBoxChecker.exe
3664	HyperVChecker.exe
2356	HyperVChecker.exe
924	HyperVChecker.exe
2920	MuMuDownloader.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4880	sc.exe

Loads dropped DLL 62 IoCs

pid	Process
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nemu-downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColaBoxChecker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1516	nemu-downloader.exe
1516	nemu-downloader.exe
1516	nemu-downloader.exe
1516	nemu-downloader.exe
1516	nemu-downloader.exe
1516	nemu-downloader.exe
1516	nemu-downloader.exe
1516	nemu-downloader.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeRestorePrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
Token: SeTakeOwnershipPrivilege	4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4696	MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1516	3940	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	85
PID 3940 wrote to memory of 1516	3940	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	85
PID 3940 wrote to memory of 1516	3940	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	85
PID 1516 wrote to memory of 2952	1516	nemu-downloader.exe	86
PID 1516 wrote to memory of 2952	1516	nemu-downloader.exe	86
PID 1516 wrote to memory of 2952	1516	nemu-downloader.exe	86
PID 1516 wrote to memory of 3664	1516	nemu-downloader.exe	90
PID 1516 wrote to memory of 3664	1516	nemu-downloader.exe	90
PID 1516 wrote to memory of 2356	1516	nemu-downloader.exe	92
PID 1516 wrote to memory of 2356	1516	nemu-downloader.exe	92
PID 1516 wrote to memory of 924	1516	nemu-downloader.exe	94
PID 1516 wrote to memory of 924	1516	nemu-downloader.exe	94
PID 1516 wrote to memory of 2920	1516	nemu-downloader.exe	100
PID 1516 wrote to memory of 2920	1516	nemu-downloader.exe	100
PID 1516 wrote to memory of 2920	1516	nemu-downloader.exe	100
PID 1516 wrote to memory of 4696	1516	nemu-downloader.exe	106
PID 1516 wrote to memory of 4696	1516	nemu-downloader.exe	106
PID 1516 wrote to memory of 4696	1516	nemu-downloader.exe	106

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\nemu-downloader.exe
  C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\nemu-downloader.exe
  2⤵
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\ColaBoxChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\ColaBoxChecker.exe" checker /baseboard
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:3664
- - C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\MuMuDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=59077 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=1516
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe
    "C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.18.2845-overseas-0417125205.exe" /S /auto_start=false /fchannel=yx-gl-codex /D=C:\Program Files\Netease\MuMuPlayerGlobal-12.0
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4696
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\ColaBoxChecker.exe

Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\MuMuDownloader.exe

Filesize
5.7MB

MD5
2f3d77b4f587f956e9987598b0a218eb

SHA1
c067432f3282438b367a10f6b0bc0466319e34e9

SHA256
2f980c56d81f42ba47dc871a04406976dc490ded522131ce9a2e35c40ca8616e

SHA512
a63afc6d708e3b974f147a2d27d90689d8743acd53d60ad0f81a3ab54dfa851d73bcb869d1e476035abc5e234479812730285c0826a2c3da62f39715e315f221

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\baseboard

Filesize
114B

MD5
d3d799b9fab2cb2ca0ac10dceb395ef9

SHA1
009dfc2ff384637f0b0e25c4489875d6e8d1faa8

SHA256
aa6b88e8ba3db9eae18b758a90d8b51e14168121ca688572e9cb44b655f1db65

SHA512
f3e0947c2cae973be05907c347d2322262b7385a327528a1fe5207180dcd927421287dcde098db63869a008c3ec5f796af5b032129186f168c06c0301d8bba4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\config.ini

Filesize
342B

MD5
048404eeb7f19ff7aea3e0e282b2668f

SHA1
4ee3a5f86c9cc6a0f2fd597e41264249d49d7e30

SHA256
536276708fd9e141dc5036a7feb791a2467c667bb16d7ce90bf2917a68a772a2

SHA512
6fe975bfc6994edb1fddab0fa635a6d34d5624836fa7f77f6029c13ff633ee0af49fe513f1bb24d7c3cc90e83fcba837d82c8e593ca6e68e8101d4f44cf43b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\nemu-downloader.exe

Filesize
3.2MB

MD5
b311535e3673c225b4095f77ca7ea4f5

SHA1
4206e1cbe58428fdbc9b319b8919373646807583

SHA256
7662f1e4e1b4a52cce2fb8c57ffdd4ec8654f3bd1a830814845e75fdcd3f1735

SHA512
57d9d6e592a6cdc3a8ffd514ad21729de15fcdd8b4fd321ce013c9541e08ad6cf3a11bf1479464b5b0fff771552c19ccad2720239779fcd25290c436a287b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7CE70F64\skin.zip

Filesize
509KB

MD5
d59a09fb475ed8cd967e1a5366d7884d

SHA1
8636b3f7d18482ce940607af9d0e51232d8491d4

SHA256
45a97dba97f3613ec8f357d9a36fe336c2795ead0f32081856b9b2dad4620ce1

SHA512
39a667a970f66ba6c28351a038c23bb4f4427e1b584a2cabf962711c64ad7540f09a00b2771c01c965d59f69b5b707e9659349aaf68b6f675695e9e83cf40e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh20D8.tmp\AccessControl.dll

Filesize
23KB

MD5
bb0f26c7a18434ee1d648c7e6743d1fe

SHA1
f7503b348aa7c7691668fbb64ccd541e247f87e5

SHA256
1b4d25f2f544f520c20493ee1e9ac7b3043aab88e4ff87953390d357de4c2096

SHA512
4311e960a4f8f441b25c5ec9a82d64112016ff9c4510dfb082a0c1bcce2d03cb2871912dcaafc5d00f07ed9ac4d6d7998cdcea2bfc84f7180b2f62a2cf24e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh20D8.tmp\LogEx.dll

Filesize
52KB

MD5
6eba32325d2db645c958c551f0aa2e31

SHA1
b116cc9ff0369af681ebf805a1a3befedd9ab868

SHA256
cf7b45a69a13551db95dcdefc8bfdd4128e1c1db67198347b43469b69c36b844

SHA512
6c48038341bb16ce50b01c99f8ebfc919adfce61008d9718c06d55e92e54625ed2ab6ac850592e847bca61d7d57809dd531afeea4f0fb0c8310cfe1710f37927

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh20D8.tmp\System.dll

Filesize
12KB

MD5
283555de06751c261b66243bbb1558da

SHA1
4532ed4e255ad0163494a02081b45e893ad666f9

SHA256
b6298637fea88a44e4de3f6b7fe254fb73857c08f1dcd8bd1af6f9eb5e6e7e3c

SHA512
469dbb4b7cc0d4f59d903415fbb7ea6417323f0daa2aeb2945a9744668f3d9fa95eb34a9d64a647835b563c74c3484c6d4b823a75119599aa5f975dbe471d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh20D8.tmp\UAC.dll

Filesize
22KB

MD5
b7e1d609915cf0b3f9dfee488a92fc91

SHA1
d9c873b39e3cac648742568378fe788b2cae6e84

SHA256
fa3bb333f615689691ff98527dc3341e3b8ffee4bf97c6128820bf0d303930e7

SHA512
ae4a00659f522996600bd0754b2f2706e297939ea616ada66e590409c6c2f28ed7ed39b67a078ae72e9b472a97291c7f3da42339051ef1a3d1941b0368b2e775

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh20D8.tmp\UserInfo.dll

Filesize
3KB

MD5
cb310d97bd72a6ae8fc6e44c88ef9e8c

SHA1
ed935c8f17340fecb7021dddd9dc7de0e23bf487

SHA256
d6fae2e57c84b25b73fe942fb7ba725158b21ec81c9d989845b64ba1ee337c27

SHA512
8351004d0bf86c5577940613cee26803d797b2375038726ce31827d66038664aaf74399d7d5e11c6487012942fb4f147b7021d6e887ac09c39f541991f594f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh20D8.tmp\nsProcess.dll

Filesize
12KB

MD5
b6cd62358973125f52d756d6d3aee8b2

SHA1
7c9fcfa85a88c507517a659f778355b56cef921f

SHA256
44c14f1edfe7deef518264675e3e4edb6991d5ea0d50f0f6b18a819dc31bbcba

SHA512
a5b756e3e1a31ad7ad9026bc492de2ef8983385e7c920a2e3eea363df3c6d112cea2a0373cd9bd8be1fb3536ee9623c6844b3c7a92d8cf6ee050aeec7cee76bb

Download Submit
memory/2920-89-0x0000000000730000-0x0000000000CE5000-memory.dmp

Filesize
5.7MB

Download
memory/2920-86-0x0000000000730000-0x0000000000CE5000-memory.dmp

Filesize
5.7MB

Download
memory/2920-79-0x0000000000730000-0x0000000000CE5000-memory.dmp

Filesize
5.7MB

Download