Overview

overview

8

Static

static

1

wl_gx-juyu...cn.url

windows7-x64

6

wl_gx-juyu...cn.url

windows10-2004-x64

3

wl_gx-juyu...cn.url

windows7-x64

1

wl_gx-juyu...cn.url

windows10-2004-x64

1

wl_gx-juyu...��.exe

windows7-x64

8

wl_gx-juyu...��.exe

windows10-2004-x64

8

wl_gx-juyu...��.htm

windows7-x64

3

wl_gx-juyu...��.htm

windows10-2004-x64

3

wl_gx-juyu...��.htm

windows7-x64

3

wl_gx-juyu...��.htm

windows10-2004-x64

3

Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wl_gx-juyuwanghewuqi2011/局域亡核武器 v2011超级版/局域亡核武器 v2011超级版.exe

  • Size

    1.7MB

  • MD5

    6e26256749925faa15e430a680247e21

  • SHA1

    8d7a2c622cb99858d155b5223f6623f82207a8e0

  • SHA256

    a6ec610c8be2d2c568f7e59c239bdbcddb4848f890cdacf1e2feec518586fe40

  • SHA512

    5b620faeb096eeef21180765b9632777229cc57ee880ce4fa0b461ae127093fcd74ff777c82199b6662e41ae958ce678feb77211828de2792a2ddbc37f1add60

  • SSDEEP

    24576:sfnuo8sAjfXL7SjqDCaZv0c4VxIvT+r5F3cUMRr5yjkZNVbAA8VJnOrWJPvVPWq:wQfXvCA4xIvTq3VMRdygAtOSlVuq

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wl_gx-juyuwanghewuqi2011\局域亡核武器 v2011超级版\局域亡核武器 v2011超级版.exe
    "C:\Users\Admin\AppData\Local\Temp\wl_gx-juyuwanghewuqi2011\局域亡核武器 v2011超级版\局域亡核武器 v2011超级版.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Program Files\NB.exe
      "C:\Program Files\NB.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3112
    • C:\Windows\SysWOW64\regedit.exe
      regedit /s C:\hh.reg
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\NB.exe
    Filesize

    224KB

    MD5

    8dd3d88aa2cdd6cd3e770f4cd8443813

    SHA1

    64d9db4be810a789aa3138573e9f3be007b4b77b

    SHA256

    885679a3b7855678313292d5b308618eaffe6a8bd14d41d8e05bddf0eb908a96

    SHA512

    48ea4b18807ce73c46a0af5e89d6f1cbe5bb19b6f06c4f42a379ef36cdba0cf49e9d91bcd05dbc77d92901c6efdaf5ff978709ee1a20d788e98ec6e756f6bf01

    Download Submit

  • C:\hh.reg
    Filesize

    400B

    MD5

    0803863f7873257eecaafbca7ed40cd3

    SHA1

    670e8b83316f50a75acb68182942770923514eab

    SHA256

    9f4e0a6d40d1dc8fb524dc6c10f4d823f727f1fabc14bd8e739a165f7daa69d5

    SHA512

    958caaa19e6b1295b4dc9351292e936f4c491ea39b54502988b499105f3d82e9a84cf04603e812960f2db7130de797e0c66d613f4ff02bce2213bebdef1fb933

    Download Submit