Overview
overview
7Static
static
7vpnclient/28ip.html
windows7-x64
3vpnclient/28ip.html
windows10-2004-x64
3vpnclient/gonggao.htm
windows7-x64
3vpnclient/gonggao.htm
windows10-2004-x64
3vpnclient/ip.html
windows7-x64
3vpnclient/ip.html
windows10-2004-x64
3vpnclient/ssm.html
windows7-x64
3vpnclient/ssm.html
windows10-2004-x64
3vpnclient/top.htm
windows7-x64
3vpnclient/top.htm
windows10-2004-x64
3vpnclient/...p.html
windows7-x64
3vpnclient/...p.html
windows10-2004-x64
3vpnclient2/28vpn.exe
windows7-x64
7vpnclient2/28vpn.exe
windows10-2004-x64
7vpnclient2....0.exe
windows7-x64
7vpnclient2....0.exe
windows10-2004-x64
vpnclient2....0.exe
windows7-x64
7vpnclient2....0.exe
windows10-2004-x64
7vpnclient2...ao.htm
windows7-x64
3vpnclient2...ao.htm
windows10-2004-x64
3vpnclient2/top.htm
windows7-x64
3vpnclient2/top.htm
windows10-2004-x64
3top.htm
windows7-x64
3top.htm
windows10-2004-x64
3vpnclient2...t2.lnk
windows7-x64
3vpnclient2...t2.lnk
windows10-2004-x64
6vpnclient2...op.htm
windows7-x64
3vpnclient2...op.htm
windows10-2004-x64
3vpnclient2...op.htm
windows7-x64
3vpnclient2...op.htm
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/09/2024, 19:22
Behavioral task
behavioral1
Sample
vpnclient/28ip.html
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
vpnclient/28ip.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
vpnclient/gonggao.htm
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
vpnclient/gonggao.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
vpnclient/ip.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
vpnclient/ip.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
vpnclient/ssm.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
vpnclient/ssm.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
vpnclient/top.htm
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral10
Sample
vpnclient/top.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
vpnclient/yyvpnip.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
vpnclient/yyvpnip.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
vpnclient2/28vpn.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
vpnclient2/28vpn.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
vpnclient2/28vpn_en_5.0.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
vpnclient2/28vpn_en_5.0.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
vpnclient2/28vpn_zh_5.0.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
vpnclient2/28vpn_zh_5.0.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
vpnclient2/gonggao.htm
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
vpnclient2/gonggao.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
vpnclient2/top.htm
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
vpnclient2/top.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
top.htm
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
top.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
vpnclient2/vpnclient2.lnk
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
vpnclient2/vpnclient2.lnk
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
vpnclient2/复件 (2) top.htm
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
vpnclient2/复件 (2) top.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
vpnclient2/复件 top.htm
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
vpnclient2/复件 top.htm
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
vpnclient2/vpnclient2.lnk
-
Size
492B
-
MD5
8b580b24abb39773c1f176f7c7a700fb
-
SHA1
765c0c134ca060ddd8a13b0e06610b752385bfcd
-
SHA256
34ed0d06af02a1f809ce973a819288a7fae41487978bd241eba29be21a379aab
-
SHA512
c6230280f40ac39cb6725471d6acc57679ce8e43a3e2f0935774d770bcc696b4b95e53bd607b9d62eed17633a3b078eed87424384c2220f9a6f31ec9cf8988a3
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 27 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000002359e82a10204c6f63616c00380008000400efbe2359ad292359e82a2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000 cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5a003100000000002d59ca9a102056504e434c497e320000420008000400efbe2d59ca9a2d59ca9a2a0000001c870100000005000000000000000000000000000000760070006e0063006c00690065006e0074003200000018000000 cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000002359ad29122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe2359ad292359ad292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000042000000 cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000002d59ca9a102054656d700000360008000400efbe2359ad292d59ca9a2a00000001020000000002000000000000000000000000000000540065006d007000000014000000 cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff cmd.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff cmd.exe