HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command

Win_Registry

HKLM\SOFTWARE\WOW6432Node\kingsoft\antivirus\Windhunter    WindhunterLevel

Win_Registry

HKEY_CURRENT_USER\Software\Tencent\Wechat

Win_Registry

HKLM\SOFTWARE\WOW6432Node\kingsoft\antivirus\KAVReport    AutoStart

Win_Registry

d33f351a4aeea5e608853d1a56661059

MD5

1235419877ccc1f1820cc75e773fe79f9ad0296dd8eea9aa44f511a7b6348cfd

SHA-256

7172dff66af9c34958a3b095210664c26a934b5f734b64ea3170f1507a120503

SHA-256

HKEY_CURRENT_USER\Console\1

Win_Registry

8b7d3de2c77c59663ec5d8969b688530a3c9228b72807bc17a9822d558c42ee8

SHA-256

17ff585fadcf40e25ad9d09cf007d20f6691ccf31d93a5d48d25f7e811cb0ca4

SHA-256

HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\Command to the said file path. This is to complete the autostart mechanism partially set up by the beaconing module mentioned earlier. This effectively allows the new Loader component to run automatically when the user logs in. Updated Loader Updater At the time of analysis

Win_Registry

a47423b59d75e228198450f7a9a2e051eeca6388028a6deb8e9843951bf21575

SHA-256

HKLM\SOFTWARE\WOW6432Node\kingsoft\antivirus\KSetting    kxesc

Win_Registry

8378960ee2bfc32930e19f762f561f4a6448160de2bde6ce330309326d745f89

SHA-256

14bf52de60e60a526141ffe61ef5afc2a3bc7d60d4086e644ec80e67513d2684

SHA-256

HKEY_CURRENT_USER\Software\Console\IpDate

Win_Registry

ce8224de916a5eb0c76c9ba7acc3833f8cdc7f7d31a72dfbe69d2be1f8b7cc48

SHA-256

b50ad87cd7ce19ae30cb709ea3ceb7107b129c64ec9c314157fc6a8df079262b

SHA-256

HKEY_CURRENT_USER\Software\Dingtalk Obfuscated Embedded Payload While the first-stage loader uses the AES-256 algorithm to encrypt the shellcode

Win_Registry

HKCU\Software\Classes\.pwn\Shell\Open\command and sets its default value to the malware path. Next

Win_Registry

72542f81546656de73e009b541ed12cbcc9feced4f6ab79f9e9a0ee9df148b6a

SHA-256

24a871b7b837b217d271747337381fbbcff61edfe44e087c55921564b170a8c9

SHA-256

HKLM\SOFTWARE\WOW6432Node\Tencent\QQPCMgr   autostart

Win_Registry

HKEY_CURRENT_USER\Software\Console\ IpDateInfo

Win_Registry

c486ca7291799a7474196c7cf60158421a2d81697e24e693e76cd1da06b9bf1c

SHA-256

d208b80a6608c72c3c590f86d93b074533c0c4ef8a46b6d36ed52cc2b4c179d5

SHA-256

CVE-2017-0199

CVE

HKCU\Software\Classes\ms-settings\CurVer

Win_Registry

ebd3a506c226e98dcedc1b882a11addd25ded8ee5110249b5b1a391e4d77d327

SHA-256

02aed2b21a90c82d2ca597340aabfa1d6c52302b08aa9f58e87893f6997c2681

SHA-256

d63792ee67c6f1702188695387c64991029dabd702d48eac3ea3f0eef280d4a1

SHA-256

ad753becec205160b78de45c11ed42f3da707c9cee0688fa4190233a9b4f1379

SHA-256

ad9bd41e73eff193caab25960b6a990641ea8d412b5ba456b64ad165b7216c48

SHA-256

76b1c8b026ac9e72ffe8ac1dd8d18abfbb4eb9c23bccb42ab9af2580ed72b7ad

SHA-256

22bfdc52a65905088b8b897a630c66c16ec5c2eba992c1c0722e5c8da9afa181

SHA-256

8790506401a3bac69f6669a3dd832650e4752ff68dd6f0cef35b43e6ad59d7df

SHA-256

HKEY_CURRENT_USER\Software\Console\IpDateInfo It then stores the IP and the port of the Command and Control

Win_Registry

154.92.19.81

IPv4

7b98622db7a62ace626dcc8af5bb7ac3726a968241c94612c5b9cb906175f5f3

SHA-256

aae7f34bdc0aa362bb42eb5e4cff69b60d67f7f155a3e2b9b905c90a1cc2aac4

SHA-256

fb73e089d0a276617b9a213080f84d0e411592c7db5548790e3fe1c53295f5a3

SHA-256

0a971e606e839e7d5e72dcea0a8a3d081c951250ce25b0ddaf2429bad87ebe3d

SHA-256

a676c7490086a4112f920936e57ee49e213aaffd12bb38bc433a073ddfae0f24

SHA-256

8a6b352c45e48e3564e259ade4f544d01900e8c3f9a74e52ae3bc62f74ddf013

SHA-256

12ae203fa199291754649a4e592fb0880339c88b07f1d69798114afca06b8061

SHA-256

02c8f22e9d2df7e051fffc49c7d2d240787fbe8395b4c3c96be40b5a111a03ce

SHA-256

47d7ce4ce72ca7e0cebab472e2165a1ebbd9395a60d7478990fd4dbec2eb195f

SHA-256

583001d3d4dc0a72c92cf27a390e95e1fad6229d18ab255b625985939eb4b90f

SHA-256

1ded5a6c54a7b10365c41bc850ce41f18d86435fbe9315c37bd767ecdf255135

SHA-256

154.82.85.12

IPv4