Overview

Tasks (target, platform):
- 9 Static
- 3 release/BY...ed.exe (windows10-2004-x64)
- 9 release/ki...op.bat (windows10-2004-x64)
- 8 release/ki...er.bat (windows10-2004-x64)
- 1 ui/AEngine.dll (windows10-2004-x64)
- 3 ui/Android...En.exe (windows10-2004-x64)
- 7 ui/Start_G_En.bat (windows10-2004-x64)
- 7 ui/aow_drv.sys (windows10-2004-x64)
- 1 ui/aow_drv_x64.sys (windows10-2004-x64)
- 1 ui/aow_drv_x64_ev.sys (windows10-2004-x64)
- 1 ui/libaow.dll (windows10-2004-x64)
- 5 ui/libx264-148.dll (windows10-2004-x64)
- 3 ui/plugins...ce.dll (windows10-2004-x64)
- 3 ui/plugins...er.exe (windows10-2004-x64)
- 7 ui/plugins/TSSCom.dll (windows10-2004-x64)
- 3 ui/plugins/TStats.dll (windows10-2004-x64)
- 3 ui/plugins...ll.dll (windows10-2004-x64)
- 3 ui/plugins...86.dll (windows10-2004-x64)
- 3 ui/plugins...32.exe (windows10-2004-x64)
- 7 ui/plugins...ce.dll (windows10-2004-x64)
- 3 ui/plugins...ce.dll (windows10-2004-x64)
- 3 ui/plugins...er.exe (windows10-2004-x64)
- 3 ui/plugins...om.dll (windows10-2004-x64)
- 3 ui/plugins...86.dll (windows10-2004-x64)
- 3 ui/plugins...32.exe (windows10-2004-x64)
- 7 ui/plugins...ce.dll (windows10-2004-x64)
- 3 ui/tx_lsp/...sp.dll (windows10-2004-x64)
- 3 ui/tx_lsp/...p4.dll (windows10-2004-x64)
- 3 ui/tx_lsp/...in.dll (windows10-2004-x64)
3 Analysis

- max time kernel: 141s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2024, 09:52
Static task
- static1

Behavioral tasks (task: sample). Every behavioral task uses the resource win10v2004-20240802-en.
- behavioral1: release/BYPASS_protected.exe
- behavioral2: release/kill_Gameloop.bat
- behavioral3: release/kill_browser.bat
- behavioral4: ui/AEngine.dll
- behavioral5: ui/AndroidEmulatorEn.exe
- behavioral6: ui/Start_G_En.bat
- behavioral7: ui/aow_drv.sys
- behavioral8: ui/aow_drv_x64.sys
- behavioral9: ui/aow_drv_x64_ev.sys
- behavioral10: ui/libaow.dll
- behavioral11: ui/libx264-148.dll
- behavioral12: ui/plugins/GameService.dll
- behavioral13: ui/plugins/TP3Helper.exe
- behavioral14: ui/plugins/TSSCom.dll
- behavioral15: ui/plugins/TStats.dll
- behavioral16: ui/plugins/TesMonDrvDll.dll
- behavioral17: ui/plugins/UniSecDistDll_x86.dll
- behavioral18: ui/plugins/Updater32.exe
- behavioral19: ui/plugins/ace-trace.dll
- behavioral20: ui/pluginsen/GameService.dll
- behavioral21: ui/pluginsen/TP3Helper.exe
- behavioral22: ui/pluginsen/TSSCom.dll
- behavioral23: ui/pluginsen/UniSecDistDll_x86.dll
- behavioral24: ui/pluginsen/Updater32.exe
- behavioral25: ui/pluginsen/ace-trace.dll
- behavioral26: ui/tx_lsp/QMProxyAccLsp.dll
- behavioral27: ui/tx_lsp/QMProxyAccLsp4.dll
- behavioral28: ui/tx_lsp/TGBAssistPlugin.dll
General

- Target: ui/Start_G_En.bat
- Size: 103B
- MD5: d06a07e37940fb16d135c6a082e24b04
- SHA1: c0350a4aff54f7a1b4949c58f86e2414b27b53e2
- SHA256: 256015049d786a64cb4f55232b563d5b6c47bfa9ea8801c5b00d8b93887791fc
- SHA512: 003914544b31b9de527fa2687ef253dcea768417b8e39ee5a4ab199e8bb16a6476c32272a2f658bf06e9cc3266d26b081ce0c3c1d00637b63220890dceee1c65
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
pid / Process:
- 1040 svchost.exe
- 2672 AndroidEmulatorEn.exe
- 4996 svchost.exe
- 1364 svchost.exe
- 4748 Updater32.exe
Drops file in Program Files directory (51 IoCs)
description / ioc / Process. All 51 entries are "File opened for modification" by process svchost.exe; the ioc paths are:
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
- C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
- C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
- C:\Program Files\Java\jdk-1.8\bin\jjs.exe
- C:\Program Files\Java\jdk-1.8\bin\jps.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
- C:\Program Files\Java\jdk-1.8\bin\idlj.exe
- C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
- C:\Program Files\Java\jdk-1.8\bin\javaws.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Java\jdk-1.8\bin\javac.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
- C:\Program Files\dotnet\dotnet.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
- C:\Program Files\Java\jdk-1.8\bin\javap.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
- C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
- C:\Program Files\Java\jdk-1.8\bin\java.exe
- C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
- C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
- C:\Program Files\Java\jdk-1.8\bin\jmap.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
- C:\Program Files\Java\jdk-1.8\bin\jhat.exe
- C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
- C:\Program Files\Java\jdk-1.8\bin\javaw.exe
- C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
- C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
- C:\Program Files\Java\jdk-1.8\bin\javah.exe
- C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
- C:\Program Files\Java\jdk-1.8\bin\jdb.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Drops file in Windows directory (2 IoCs)
description / ioc / Process:
- File created C:\Windows\svchost.exe (AndroidEmulatorEn.exe)
- File created C:\Windows\svchost.exe (Updater32.exe)
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Updater32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AndroidEmulatorEn.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AndroidEmulatorEn.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Updater32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
Delays execution with timeout.exe (1 IoC)
pid / Process:
- 1504 timeout.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 2672 AndroidEmulatorEn.exe
- 2672 AndroidEmulatorEn.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description (pid, Process, procid_target):
- PID 1800 wrote to memory of 2864 (1800, cmd.exe, 82)
- PID 1800 wrote to memory of 2864 (1800, cmd.exe, 82)
- PID 1800 wrote to memory of 2864 (1800, cmd.exe, 82)
- PID 1800 wrote to memory of 1504 (1800, cmd.exe, 83)
- PID 1800 wrote to memory of 1504 (1800, cmd.exe, 83)
- PID 2864 wrote to memory of 1040 (2864, AndroidEmulatorEn.exe, 84)
- PID 2864 wrote to memory of 1040 (2864, AndroidEmulatorEn.exe, 84)
- PID 2864 wrote to memory of 1040 (2864, AndroidEmulatorEn.exe, 84)
- PID 1040 wrote to memory of 2672 (1040, svchost.exe, 85)
- PID 1040 wrote to memory of 2672 (1040, svchost.exe, 85)
- PID 1040 wrote to memory of 2672 (1040, svchost.exe, 85)
- PID 2672 wrote to memory of 452 (2672, AndroidEmulatorEn.exe, 87)
- PID 2672 wrote to memory of 452 (2672, AndroidEmulatorEn.exe, 87)
- PID 2672 wrote to memory of 452 (2672, AndroidEmulatorEn.exe, 87)
- PID 452 wrote to memory of 1364 (452, Updater32.exe, 88)
- PID 452 wrote to memory of 1364 (452, Updater32.exe, 88)
- PID 452 wrote to memory of 1364 (452, Updater32.exe, 88)
- PID 1364 wrote to memory of 4748 (1364, svchost.exe, 89)
- PID 1364 wrote to memory of 4748 (1364, svchost.exe, 89)
- PID 1364 wrote to memory of 4748 (1364, svchost.exe, 89)
Processes

Process tree (image path, PID, command line, signatures). Indentation shows the parent/child relationship.

- C:\Windows\system32\cmd.exe (PID 1800)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ui\Start_G_En.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ui\AndroidEmulatorEn.exe (PID 2864)
    Command line: "AndroidEmulatorEn.exe" -vm 100
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe (PID 1040)
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\ui\AndroidEmulatorEn.exe" -vm 100
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ui\AndroidEmulatorEn.exe (PID 2672)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ui\AndroidEmulatorEn.exe" -vm 100
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\ui\pluginsen\Updater32.exe (PID 452)
          Command line: "C:\Users\Admin\AppData\Local\Temp\ui\pluginsen\Updater32.exe"
          Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\svchost.exe (PID 1364)
            Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\ui\pluginsen\Updater32.exe"
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\ui\pluginsen\Updater32.exe (PID 4748)
              Command line: "C:\Users\Admin\AppData\Local\Temp\ui\pluginsen\Updater32.exe"
              Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\system32\timeout.exe (PID 1504)
    Command line: timeout /t 4
    Signatures: Delays execution with timeout.exe
- C:\Windows\svchost.exe (PID 4996)
  Command line: C:\Windows\svchost.exe
  Signatures: Executes dropped EXE; Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 6.4MB
  MD5: ef1159cb9f26fd7308533a423c65ede3
  SHA1: ed002d46a58ed58ef8bbb8b1b4b453ba37524d79
  SHA256: b72325fe4c00e3fc530c95f45192f3d9659fe69c1f408453279e9c6f2d79e288
  SHA512: 35645f28dbada62e60c47835439a302c8e38797f1a872f830f82d51139322af98c891692a441608ef906919fa12b8baee2dabcc32fefc31abbb11c55b0973b2c
- Filesize: 1.8MB
  MD5: e0fe52ae805335297f952a10deb97572
  SHA1: 6071995bb9ab585590fc03e34af97d99d23a070d
  SHA256: 191d0ed838a87730c7670f580a0ecdc16b63244834ebd5548a19b19a5e5ec735
  SHA512: 4abdcfc82110adf67f405b6282f130b65c9c7d85f2c27c72635464ac8cc761e597706e25b8bbe46a98221e316614637786157bb8679591685e6bb113b5be7229
- Filesize: 35KB
  MD5: 9e3c13b6556d5636b745d3e466d47467
  SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
  SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
  SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b