Overview
8  Static
1  wl_gx-juyu...cn.url  windows7-x64
6  wl_gx-juyu...cn.url  windows10-2004-x64
3  wl_gx-juyu...cn.url  windows7-x64
1  wl_gx-juyu...cn.url  windows10-2004-x64
1  wl_gx-juyu...版.exe  windows7-x64
8  wl_gx-juyu...版.exe  windows10-2004-x64
8  wl_gx-juyu...我.htm  windows7-x64
3  wl_gx-juyu...我.htm  windows10-2004-x64
3  wl_gx-juyu...我.htm  windows7-x64
3  wl_gx-juyu...我.htm  windows10-2004-x64
Analysis (3)
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2024, 23:12
Static task static1
Behavioral task behavioral1
  Sample: wl_gx-juyuwanghewuqi2011/HiCode.cn.url
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: wl_gx-juyuwanghewuqi2011/HiCode.cn.url
  Resource: win10v2004-20240802-en
Behavioral task behavioral3
  Sample: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/HiCode.cn.url
  Resource: win7-20240903-en
Behavioral task behavioral4
  Sample: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/HiCode.cn.url
  Resource: win10v2004-20240802-en
Behavioral task behavioral5
  Sample: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/局域亡核武器 v2011超级版.exe
  Resource: win7-20240903-en
Behavioral task behavioral6
  Sample: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/局域亡核武器 v2011超级版.exe
  Resource: win10v2004-20240802-en
Behavioral task behavioral7
  Sample: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/请先读我.htm
  Resource: win7-20240903-en
Behavioral task behavioral8
  Sample: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/请先读我.htm
  Resource: win10v2004-20240802-en
Behavioral task behavioral9
  Sample: wl_gx-juyuwanghewuqi2011/请先读我.htm
  Resource: win7-20240704-en
Behavioral task behavioral10
  Sample: wl_gx-juyuwanghewuqi2011/请先读我.htm
  Resource: win10v2004-20240802-en
General
Target: wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/局域亡核武器 v2011超级版.exe
Size: 1.7MB
MD5: 6e26256749925faa15e430a680247e21
SHA1: 8d7a2c622cb99858d155b5223f6623f82207a8e0
SHA256: a6ec610c8be2d2c568f7e59c239bdbcddb4848f890cdacf1e2feec518586fe40
SHA512: 5b620faeb096eeef21180765b9632777229cc57ee880ce4fa0b461ae127093fcd74ff777c82199b6662e41ae958ce678feb77211828de2792a2ddbc37f1add60
SSDEEP: 24576:sfnuo8sAjfXL7SjqDCaZv0c4VxIvT+r5F3cUMRr5yjkZNVbAA8VJnOrWJPvVPWq:wQfXvCA4xIvTq3VMRdygAtOSlVuq
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{f92B23AB-A707-22d2-9CBD-0000F87A469H} (process: regedit.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{f92B23AB-A707-22d2-9CBD-0000F87A469H}\StubPath = "D:\\SoftMgr\\SoftManager.exe" (process: regedit.exe)
- Executes dropped EXE (1 IoC)
  PID 3112: NB.exe
- Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\NB.exe (process: 局域亡核武器 v2011超级版.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: NB.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regedit.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 局域亡核武器 v2011超级版.exe)
- Runs .reg file with regedit (1 IoC)
  PID 2892: regedit.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4048 (process: 局域亡核武器 v2011超级版.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4048 (局域亡核武器 v2011超级版.exe) wrote to memory of PID 3112, procid_target 82
  PID 4048 (局域亡核武器 v2011超级版.exe) wrote to memory of PID 3112, procid_target 82
  PID 4048 (局域亡核武器 v2011超级版.exe) wrote to memory of PID 3112, procid_target 82
  PID 4048 (局域亡核武器 v2011超级版.exe) wrote to memory of PID 2892, procid_target 83
  PID 4048 (局域亡核武器 v2011超级版.exe) wrote to memory of PID 2892, procid_target 83
  PID 4048 (局域亡核武器 v2011超级版.exe) wrote to memory of PID 2892, procid_target 83
Processes
- C:\Users\Admin\AppData\Local\Temp\wl_gx-juyuwanghewuqi2011\局域亡核武器 v2011超级版\局域亡核武器 v2011超级版.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wl_gx-juyuwanghewuqi2011\局域亡核武器 v2011超级版\局域亡核武器 v2011超级版.exe"
  PID: 4048
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\NB.exe
    Command line: "C:\Program Files\NB.exe"
    PID: 3112
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\regedit.exe
    Command line: regedit /s C:\hh.reg
    PID: 2892
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 224KB
  MD5: 8dd3d88aa2cdd6cd3e770f4cd8443813
  SHA1: 64d9db4be810a789aa3138573e9f3be007b4b77b
  SHA256: 885679a3b7855678313292d5b308618eaffe6a8bd14d41d8e05bddf0eb908a96
  SHA512: 48ea4b18807ce73c46a0af5e89d6f1cbe5bb19b6f06c4f42a379ef36cdba0cf49e9d91bcd05dbc77d92901c6efdaf5ff978709ee1a20d788e98ec6e756f6bf01
- Filesize: 400B
  MD5: 0803863f7873257eecaafbca7ed40cd3
  SHA1: 670e8b83316f50a75acb68182942770923514eab
  SHA256: 9f4e0a6d40d1dc8fb524dc6c10f4d823f727f1fabc14bd8e739a165f7daa69d5
  SHA512: 958caaa19e6b1295b4dc9351292e936f4c491ea39b54502988b499105f3d82e9a84cf04603e812960f2db7130de797e0c66d613f4ff02bce2213bebdef1fb933