Overview
overview
6Static
static
3AutoUpdate.exe
windows7-x64
3AutoUpdate.exe
windows10-2004-x64
3TheWorld.exe
windows7-x64
6TheWorld.exe
windows10-2004-x64
6plugin/Exp...ee.dll
windows7-x64
3plugin/Exp...ee.dll
windows10-2004-x64
3plugin/Sys...te.dll
windows7-x64
3plugin/Sys...te.dll
windows10-2004-x64
3plugin/rss...ew.dll
windows7-x64
3plugin/rss...ew.dll
windows10-2004-x64
3plugin/sti...er.exe
windows7-x64
3plugin/sti...er.exe
windows10-2004-x64
3twtweaker.exe
windows7-x64
3twtweaker.exe
windows10-2004-x64
3安装说明.url
windows7-x64
1安装说明.url
windows10-2004-x64
1Analysis
-
max time kernel
14s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 17:13
Static task
static1
Behavioral task
behavioral1
Sample
AutoUpdate.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
AutoUpdate.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
TheWorld.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
TheWorld.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
plugin/ExplorerTree/ExplorerTree.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
plugin/ExplorerTree/ExplorerTree.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
plugin/SysState/SysState.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
plugin/SysState/SysState.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
plugin/rssview/RssView.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
plugin/rssview/RssView.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
plugin/sticker/Sticker.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral12
Sample
plugin/sticker/Sticker.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
twtweaker.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
twtweaker.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
安装说明.url
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
安装说明.url
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
twtweaker.exe
-
Size
212KB
-
MD5
2f2223134162cfc357893c1470495268
-
SHA1
632cd452be17fa1cd702a229566d0c081f1fc192
-
SHA256
0f9caeaf12e8fcc4025fd82135a4067e8e6fe98db5eae4b56a81f814e1beda90
-
SHA512
b34f18037ea7fb27d87b1eb85aa9594e58ce0a769f7acae970b79be9c79f617040602b945ec0102ea4106aa1dda483841eec2448b9a5671a9835b539bc2d0163
-
SSDEEP
6144:k8uB1VoNKqoEE7aAqH9dR1II82nMhkE9mU:k8GSMkE7aT92ILMhkE1
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language twtweaker.exe -
Modifies registry class 41 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "htmlfile" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.shtm twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\internet explorer\\iexplore.exe\" \"%1\"" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.URL\ = "InternetShortcut" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "open" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\ = "htmlfile" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.url twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open\command\ = "\"C:\\Program Files (x86)\\internet explorer\\iexplore.exe\" \"%1\"" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "open" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\internet explorer\\iexplore.exe\" \"%1\"" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\file twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.html twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtm\ = "htmlfile" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "open" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\ = "mhtmlfile" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "open" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\internet explorer\\iexplore.exe\" \"%1\"" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\internet explorer\\iexplore.exe\" \"%1\"" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\ = "open" twtweaker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open\command twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "htmlfile" twtweaker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "mhtmlfile" twtweaker.exe