Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2024, 09:47

General

  • Target

    17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe

  • Size

    1.2MB

  • MD5

    34d850caf862d761d89d5b026c8cfa20

  • SHA1

    3c972ebbc6880e3cc53a9c0bb697ea5ab2453e30

  • SHA256

    17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80

  • SHA512

    2cad240d3175fe95e03aca9d8d902a4ce8cb3c947884543f251892d9792519f75eec66547318e50e664601e9ded9c0e585fdb28bbb411ac8972b0ffc0b013740

  • SSDEEP

    24576:GNoEYOvOSDvI5EJqbJSVEePoHDHZQdJY9WaChFeN5OFBy+p:GNmwOUhJqbJS+eQHjZ1YhqUyK

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 40 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\aaa.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3124
    • C:\Program Files\Win32Games\wingames.exe
      "C:\Program Files\Win32Games\wingames.exe" "http://reg.weiguan8.com/sqtxj"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3280
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\doset.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 "C:\Program Files\Win32Games\URL.dll" helpme
        3⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1672
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 "C:\Program Files\Win32Games\URL.dll" doset
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:2416
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 syspowerues.dll /s
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2856
    • C:\Program Files\Win32Games\QvodSetupPlus3.exe
      "C:\Program Files\Win32Games\QvodSetupPlus3.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4112

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files\Win32Games\Config.ini

          Filesize

          1KB

          MD5

          deafb00b9e7bdeef9f28c8856cfd3fef

          SHA1

          aaa520a9d7e7d66d8cc9f46eaf8b7a22fc613405

          SHA256

          e506df6ed0400ebdc6881225f230fe8ebd9fc0cc4ca0f2fd8e8ce0d5a9baacec

          SHA512

          12d2b2b4a72e786a6118b1f0d04d45cbdc0781ec95508738375134c78833b07a21674c52ccf720199a43977de8fc570566ab84029eca3ead689415df6b01746e

        • C:\Program Files\Win32Games\Internet.vbs

          Filesize

          333B

          MD5

          1e09fbfc0cc38a82530c27c61f72f170

          SHA1

          89344f847e4f0261b1138de7cc6f92ab48b9d111

          SHA256

          23bc24a0e52be16cdab5895319e888efaff6b65606b3adafdc34d3871480f1bf

          SHA512

          d903fcb92d34b63348812ffd53b1e2b794f45ced2e59e3d8556b369395b96c4be240e6e9ecbcbbed226989b135804e581a6d4fae7f377d849c8f1c7a68100e41

        • C:\Program Files\Win32Games\QvodSetupPlus3.exe

          Filesize

          149KB

          MD5

          8da481acb7ce2508f68071da569ce84a

          SHA1

          8cbac6dd58a715f1618588e97ccd8889f8e6e976

          SHA256

          8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4

          SHA512

          ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6

        • C:\Program Files\Win32Games\URL.dll

          Filesize

          178KB

          MD5

          38fd3a889940f8d5160c0340cfc6a451

          SHA1

          6d78fdc78573cbc675d0f20f943cbe03c15f6557

          SHA256

          aedd37ac77dbffd56d4fc1fd4f72f58a7b575f51ab32845c32a55676609872af

          SHA512

          59b7bb1c066d9f85a93a2af7aefc90e1dcd217229cc8eb9e9764e01692b321570400b1dd33cfab161123f61cac06173dd7aa9c22f374ba58150094ed5b99a7c3

        • C:\Program Files\Win32Games\Xianjian.ico

          Filesize

          23KB

          MD5

          cdad1c273cbf6e059022029dfbd9bee6

          SHA1

          7fb484f24929070097237db926f240e887a23bd5

          SHA256

          c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1

          SHA512

          1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c

        • C:\Program Files\Win32Games\aaa.bat

          Filesize

          103B

          MD5

          7391dc80d581fb94646d5ee534a77d1b

          SHA1

          1d67613f26b7cc4c01f407817ab80cb84b100115

          SHA256

          5b6c03e4940bd851aee7fdfe145b1b69f2d3519acb88b6210c5de6e2fbd74fed

          SHA512

          c4c15b149b0f5fe4be065acf604a68fd9e46fb81ddab98ee261c820f26e827c11281338c75616673b76cc0cf13f27aab88f81f262f389c87a17c05f17dbab92d

        • C:\Program Files\Win32Games\doset.bat

          Filesize

          297B

          MD5

          a7ed90b88fd89dfd6558ab3c9b610ed4

          SHA1

          b0f8b86e1546f8a1408b7f47a50208bca38b9b9c

          SHA256

          6fd3d63e5a2c5cb7e7a5fbdbf44681454175d29c7b29d39510a19429f6fd2e85

          SHA512

          89809a38e8fca2069f5c0b4428bdc731605db8114ca889db4316623be8de443b833f3e42f140102fd5bf63b84de76f34cce1348eb8a0979547c4593a92f78eec

        • C:\Program Files\Win32Games\minigame.vbs

          Filesize

          341B

          MD5

          2d1b6f4bccda34d2ea67f964e1807f31

          SHA1

          ef2944b0c437fe0fc2b7fd04a6522b8294180c6e

          SHA256

          8e18d19fbcbae7563fc69b71fa5fb3b88f51dc46c244f2c3f70d533368d8fe68

          SHA512

          64e6a7aab48141edfad71e23a14c47d5527e72c56e709b63f68d4f67d500d3f3dfe3fb2296f256a18a6591447e3bf6cc88d47888519c153c5239652a3db5e82b

        • C:\Program Files\Win32Games\taobao.vbs

          Filesize

          343B

          MD5

          1f8ba37a69e383b466921b0658c87a11

          SHA1

          6a334328b4c66eb35534411b004b7883e2cc2faf

          SHA256

          f03ea6fa8d3f042e8edbf6f7c90cde3bb183fc5ee1ce6461766dfccc67dfe72c

          SHA512

          9f8973019a2b586fd8335505ef70e7d18661942b260bb616ccd3e3755eafcd4c180aa7fbddc4ff2622ae5e97c654dff2491f2befe24be97521bb609fb6ff7ea1

        • C:\Program Files\Win32Games\url.txt

          Filesize

          29B

          MD5

          44fb4e7d1a22004c3d0459e3cc89d156

          SHA1

          e7ad2634c4cd7c00dd9447f3ae235d1ff3664c65

          SHA256

          0757723787c1c60d2312afc46790c4ea5794b4bd2810a4477003b485cc9be0d9

          SHA512

          274454707726b6a6cc29f78b7a46cf5c984b8222e28e15cd98c5bc3808e26208d18c13f0329b48894acb976cf6c850cac119fa1e6a11bf9ad76dba08f0818fe0

        • C:\Program Files\Win32Games\wingames.exe

          Filesize

          1.3MB

          MD5

          b63c3aab2e123fe96a4e7adac47913ec

          SHA1

          bc59745b880794d99d498c5917be23434de09440

          SHA256

          d9c65c2ac25b5ec22ddc699dca821e92838834d61f4bcbd4b795a416939afa3d

          SHA512

          29cd845a31cb46e941166fddc7e8cdb3f554743f76dac6ca1d6b7ebae922529adef3b92e1e9c668b4e3572fd7010af714cb260c928bce1ec03295a324ee723c0

        • C:\Users\Admin\Desktop\Intenet Exploer.ink

          Filesize

          1KB

          MD5

          e91ba28655bf00c2ed71a900f260a8b0

          SHA1

          e9e8c6c60f399ffac98857f051b30cb6806efb63

          SHA256

          579b390750bfaa77e052dde89631024b6ca0b425508d5c6f4741dcee0ac5e5d0

          SHA512

          b827816c20a4a51f2dea3e806ef256a1528679dd0b482d2f9853cdad16819f06828d551097267ea0645548f06586237a830a3b1ba5e2def2824e6d781d643072

        • C:\Windows\SysWOW64\syspowerues.dll

          Filesize

          443KB

          MD5

          4a463f93d431014383aef5af103aca5e

          SHA1

          4e45cfd382a61c684d502c606ccee63b8b3c0b5b

          SHA256

          895b4248d40e513b46931a4eb9f32990d14d4984d4bd7536280303c3f92a022d

          SHA512

          b5b64318c96bd61e25126fa936e325886d83b89af321a0bbc22a5a374f4e7057af7ee05d49397017bf3857c22d094d44a7bd3cfb8d471c92efe58a8a8756b8e5

        • memory/2416-84-0x0000000000C00000-0x0000000000C30000-memory.dmp

          Filesize

          192KB

        • memory/2856-122-0x0000000000650000-0x00000000006C4000-memory.dmp

          Filesize

          464KB

        • memory/3280-123-0x0000000000810000-0x0000000000811000-memory.dmp

          Filesize

          4KB

        • memory/3280-124-0x0000000000400000-0x000000000055B000-memory.dmp

          Filesize

          1.4MB

        • memory/3280-44-0x0000000000810000-0x0000000000811000-memory.dmp

          Filesize

          4KB

        • memory/4112-126-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-79-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-128-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-132-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-136-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-138-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-142-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4112-146-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4676-78-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB