f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Program Files directory 1 IoCs

Processes:

nemu-downloader.exe

description ioc process

File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\1.txt nemu-downloader.exe

description	ioc	process
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\1.txt	nemu-downloader.exe

Executes dropped EXE 7 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exeHyperVChecker.exeMuMuDownloader.exe7z.exe

pid	process
1340	nemu-downloader.exe
2712	ColaBoxChecker.exe
2928	HyperVChecker.exe
1384	HyperVChecker.exe
2044	HyperVChecker.exe
296	MuMuDownloader.exe
1356	7z.exe

Loads dropped DLL 25 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeColaBoxChecker.exeMuMuDownloader.exe7z.exe

pid	process
2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
2712	ColaBoxChecker.exe
2712	ColaBoxChecker.exe
1340	nemu-downloader.exe
2916
1340	nemu-downloader.exe
1684
1340	nemu-downloader.exe
1496
1340	nemu-downloader.exe
1340	nemu-downloader.exe
296	MuMuDownloader.exe
296	MuMuDownloader.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
1340	nemu-downloader.exe
1356	7z.exe
1356	7z.exe
1356	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeColaBoxChecker.exeMuMuDownloader.exeIEXPLORE.EXE7z.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nemu-downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColaBoxChecker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\easebar.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mumuplayer.com\ = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\mumuplayer.com\Total = "47"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "77"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\research.easebar.com\ = "11"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mumuplayer.com\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "47"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\mumuplayer.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\mumuplayer.com\Total = "77"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\easebar.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "88"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\easebar.com\Total = "11"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\easebar.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mumuplayer.com\ = "77"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\research.easebar.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\research.easebar.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\mumuplayer.com\Total = "29"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1E15F01-56A9-11EF-AB1A-5A9C960EEF88} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\mumuplayer.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mumuplayer.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

nemu-downloader.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	nemu-downloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	nemu-downloader.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

nemu-downloader.exe

pid process

1340 nemu-downloader.exe
1340 nemu-downloader.exe
1340 nemu-downloader.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

472
472
472
472
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7z.exe

description pid process

Token: SeRestorePrivilege 1356 7z.exe
Token: 35 1356 7z.exe
Token: SeSecurityPrivilege 1356 7z.exe
Token: SeSecurityPrivilege 1356 7z.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

532 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

532 iexplore.exe
532 iexplore.exe
1424 IEXPLORE.EXE
1424 IEXPLORE.EXE

pid	process
472
472
472
472

description	pid	process
Token: SeRestorePrivilege	1356	7z.exe
Token: 35	1356	7z.exe
Token: SeSecurityPrivilege	1356	7z.exe
Token: SeSecurityPrivilege	1356	7z.exe

pid	process
532	iexplore.exe

pid	process
532	iexplore.exe
532	iexplore.exe
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeiexplore.exe

description	pid	process	target process
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2932 wrote to memory of 1340	2932	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2712	1340	nemu-downloader.exe	ColaBoxChecker.exe
PID 1340 wrote to memory of 2928	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2928	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2928	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2928	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 1384	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 1384	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 1384	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 1384	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2044	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2044	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2044	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 2044	1340	nemu-downloader.exe	HyperVChecker.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 296	1340	nemu-downloader.exe	MuMuDownloader.exe
PID 1340 wrote to memory of 532	1340	nemu-downloader.exe	iexplore.exe
PID 1340 wrote to memory of 532	1340	nemu-downloader.exe	iexplore.exe
PID 1340 wrote to memory of 532	1340	nemu-downloader.exe	iexplore.exe
PID 1340 wrote to memory of 532	1340	nemu-downloader.exe	iexplore.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 1340 wrote to memory of 1356	1340	nemu-downloader.exe	7z.exe
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1424	532	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\nemu-downloader.exe
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2712

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\MuMuDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=49290 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=1340
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mumuglobal.com/problem/q58/?lang=en
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\T5LRWQBC\research.easebar[1].xml
Filesize
85B

MD5
c31f710fa324ec7e662ce651b2283401

SHA1
1db86ecba00bcc7172185d6dee4af72fb03fcce6

SHA256
8ed76c6041f8aec7de0bdd91fc7695308476f8955e4aff21b2185896f08ca1e4

SHA512
a2e4a2ae54acd4c8c5d48fa6694c44528a278e7f9a42835056eca3422f8c643725f1ede5cb25620fac4fd4e7057e99896c06cc153772ada32db0f4b07eb8d050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\T5LRWQBC\research.easebar[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\7z.exe
Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\ColaBoxChecker.exe
Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\HyperVChecker.exe
Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\baseboard
Filesize
114B

MD5
10824343c98c1c3dd3ae6584b70b1026

SHA1
468937645853ce5b10794a800c3b71932bf3aae9

SHA256
238e0b51945564acebd26f9c1dd206ad7cfd48992c6e434dbb6492b4d865e42d

SHA512
39fba7064b3714a62552cb87670a9f140a20484d80fbaf9d1c6814345179f7da5c6cbd9a25fee81737d7d229d605135ef69c5283d583ddca93b306cd1a3b241d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\config.ini
Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6C1BCB74\skin.zip
Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip
Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC56BB0958BF1A023.TMP
Filesize
16KB

MD5
6e17b07931920479571cf6d56f07169d

SHA1
b149cb11d1d6acf139d9b6e8acc6d4554ed24ce9

SHA256
1fb249154127d60d86f4d9437fc3310844f5d987083bb1510dc1c9c6a3ae5f74

SHA512
12ee9776cf65393b5d5c1635088dc8fe9570358496d17a23363f7c0aec06edd88df331ca6f2e5faaea5f169d7878804c5d3e30de0ce21db56a3f7335e6b253eb

Download Submit
\Users\Admin\AppData\Local\Temp\7z6C1BCB74\7z.dll
Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
\Users\Admin\AppData\Local\Temp\7z6C1BCB74\MuMuDownloader.exe
Filesize
5.7MB

MD5
2f3d77b4f587f956e9987598b0a218eb

SHA1
c067432f3282438b367a10f6b0bc0466319e34e9

SHA256
2f980c56d81f42ba47dc871a04406976dc490ded522131ce9a2e35c40ca8616e

SHA512
a63afc6d708e3b974f147a2d27d90689d8743acd53d60ad0f81a3ab54dfa851d73bcb869d1e476035abc5e234479812730285c0826a2c3da62f39715e315f221

Download Submit
\Users\Admin\AppData\Local\Temp\7z6C1BCB74\nemu-downloader.exe
Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
memory/296-94-0x00000000003D0000-0x0000000000985000-memory.dmp

Filesize
5.7MB

Download
memory/296-235-0x00000000003D0000-0x0000000000985000-memory.dmp

Filesize
5.7MB

Download