Overview
overview
9Static
static
3FeStudio.Game.dll
windows7-x64
1FeStudio.Game.dll
windows10-2004-x64
1Newtonsoft.Json.dll
windows7-x64
1Newtonsoft.Json.dll
windows10-2004-x64
1System.Net...st.dll
windows7-x64
1System.Net...st.dll
windows10-2004-x64
1System.Net.Http.dll
windows7-x64
1System.Net.Http.dll
windows10-2004-x64
1Tsg.Net.dll
windows7-x64
1Tsg.Net.dll
windows10-2004-x64
1Tsg.Vip.exe
windows7-x64
9Tsg.Vip.exe
windows10-2004-x64
9�....url
windows7-x64
1�....url
windows10-2004-x64
1Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
16-10-2024 07:29
Static task
static1
Behavioral task
behavioral1
Sample
FeStudio.Game.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FeStudio.Game.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Newtonsoft.Json.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
System.Net.Http.WebRequest.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
System.Net.Http.WebRequest.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
System.Net.Http.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
System.Net.Http.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Tsg.Net.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Tsg.Net.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Tsg.Vip.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
Tsg.Vip.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
.url
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
.url
Resource
win10v2004-20241007-en
General
-
Target
Tsg.Vip.exe
-
Size
908KB
-
MD5
6141038eb5e98713b40bdada6189ecf5
-
SHA1
d64be40cf41b2230d7ec37561327f0989545a70f
-
SHA256
1e90b026a38dcd36d0c87394e87eb879cbbd1976dd84621d6b084678b7efd83e
-
SHA512
d2f1c96bb276edc777fd2b4c2da95ad94001a6a34ffc7b3c52638c7155dddab9471509d16038bbbf4068ad5ba20ef9f8a8617a112e26b2a8f4ed59ebd4a2bdf8
-
SSDEEP
24576:miXOGMIuyLvlk2xKu7FeiA8NNRPI9xer:nfqEKgFeirNnP/r
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Tsg.Vip.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine Tsg.Vip.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2072 Tsg.Vip.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tsg.Vip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435225634" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F73C1E1-8B90-11EF-B81F-6A951C293183} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2072 Tsg.Vip.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2072 Tsg.Vip.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2756 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2756 iexplore.exe 2756 iexplore.exe 1932 IEXPLORE.EXE 1932 IEXPLORE.EXE 1932 IEXPLORE.EXE 1932 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2072 wrote to memory of 2756 2072 Tsg.Vip.exe 30 PID 2072 wrote to memory of 2756 2072 Tsg.Vip.exe 30 PID 2072 wrote to memory of 2756 2072 Tsg.Vip.exe 30 PID 2072 wrote to memory of 2756 2072 Tsg.Vip.exe 30 PID 2756 wrote to memory of 1932 2756 iexplore.exe 31 PID 2756 wrote to memory of 1932 2756 iexplore.exe 31 PID 2756 wrote to memory of 1932 2756 iexplore.exe 31 PID 2756 wrote to memory of 1932 2756 iexplore.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Tsg.Vip.exe"C:\Users\Admin\AppData\Local\Temp\Tsg.Vip.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.wqu.com.cn/tsg2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1932
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5eb4c2380fbf288d0557dbd5240333434
SHA108a4aaf1115db2d0f33bdc63a2fbe16c0048000f
SHA25683c9a857fa426b860f3a728dc62e0e877272421bb6fcd329e759d06a12baadc3
SHA512c5620bb15df744c025b76f41b606037bdadf027414941271ca3c84971d455e044bfabeb16d880ff5f9e74f0667a49c6996cd0439bc892fb678e0d384d01641c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD502d7947d4dd30f4fe2924b2781aa6ae8
SHA1ed220b10ebbf1f520634350073d8d3e7892e8aa8
SHA256dbb64e8aa28f9b702eee68e0dcd89830a33eda56149c0d7065e536dea288babf
SHA512fe40ffe2a75290dcda4e43b57c20a01d00e8afd8b195128849023f3a154c3a5eb113c72dd8ec87c99e98f03b8c0a11d633e70e5ff3c0d9095289f6bcd5ea5385
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55202821e4e58ce4280a45dd9efc03ca8
SHA1ad41238bba0bae227c2499759b695d7f02508c2c
SHA25608ece45e392b7d503ceefe0ffae6bdd9f4e70688f60affdf6b6ded077b78cf93
SHA512172f58a5405fe17fc44de2e0e6d774900b9f3175f23adfd2c839fca83d7c9cb71a10f7673dafc8822259ba284a1f64e9d8755ef8a9590875b10ef6f2d0553022
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5711d36fd5740d9b8c546039c4c6e61ba
SHA110a8505b8fe3a35f7c0d261439882b0e756d42cf
SHA256bc6e962efe5198ad35a5f03aaf20cf79ea8c51d34f3bc3a65cbf47e105f85867
SHA5128f62aea297ba8207aa07dbe6e948275c358790ca7090be5e753d675a6241897573b60b9fd9076141c3eff5dad70d1cf77c742172ed18070abae39f4e257a31c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ab970f5436d7ded578d86345d0f25466
SHA1eebe523bca41ed21efc98d1d9e56b087c921345b
SHA25614ec75bd986439efe09de6d5b4759de1ed83659bd5a9528290f7db945eb15510
SHA512deb70e7bae3956b127233145e2d46700b266bcfab4c775ceb8df45a07aacae0e3033d368144cc5fa6b52995f5956b0257027848884c4b3b59ea7e01616986b68
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD578e341cdf024db856f9e81d8e82162d0
SHA1ae1a100299689fc48a3213fe16f7bb9eadc22504
SHA256c1b93628608f6d19dcccabf6e8e12dd35c6d7b62708b472c823927fab396dc0d
SHA5129aaea0d99d2c4e169c7f2c847ebf6a6bcbc894c75082744ffc7e1090f727ee1f38dad55c573c04d2a9ed8584b836e97797caa193e32fbdd285253ea282d4bb33
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD598d98d7f6510eb33c79bb9ff93bb1528
SHA100adefc1aca41526b330d0dcc52a97a651ac554c
SHA2568beeb3054c83c57e99890c83d8a10113b55c37bc0b2821622bc86d785c962364
SHA5124421db36b81ddba4b1afbf2410c3083001e3af1d355f9139f2adf9eb2fb9fbffc9d6c9b81561deaf64682b22f1052c8f5b8ef551c5a0a6b7d9f2775a067c420a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e55feeef1a41f8d8fe4ddeddbf2d4cb9
SHA1c5b684e07b32618624fc89fa618cea9945f928c8
SHA256bd784b115aeb30fcf92ac80590a4bf5d530eff88943b12ccb3f7e0b1dd57cb31
SHA512df10e48dbaa4a39a873334f27af6199ae5dfdc987c0916b6f0b2432fe9cf8e6aa342c09ade4bf23c21776bf8441e45f800b8f4e4c3583078357d45fd6a026581
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e538db728fcaa0218d7644697cbd3978
SHA13f8e5105e29c79f97ac6a3bdaaca72ea5211ddc1
SHA25611075f0c0e55dbaadb585d809a3d600eb31918651cc02ad0a5b0bb5d4d02642e
SHA512e0f3cb93e7204a355e96b7f5885dde181418d169e3f9f560eafa65309621f13bfb91540953e652ab17d4717d88211152d5990de40189093efcaee1e7f4436ad4
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b