File name: 02322339_2

Full analysis: https://app.any.run/tasks/08e9b64e-6f98-47b5-a2dc-b8b008ad3112
Verdict: Malicious activity
Analysis date: November 30, 2020, 01:05:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 27527EAE13155667B4DFF4F5CE8868F4
SHA1: EB8200DEFD9CAC2087AED54EAF875F4184F9C7FB
SHA256: 9CD541BC6FB15931AED14CF8EC3E2FD797D27B9F53BEE069E3DB500394A300D4
SSDEEP: 98304:a8tNw4DU2IIfn5P3NMdtRt0yYvI1hnf4icH:9waUcf5P3NMvsxEhfc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • 02322339_2.exe (PID: 2844)
    • Loads dropped or rewritten executable
      • 02322339_2.exe (PID: 2844)
      • cjzg.exe (PID: 3552)
  • SUSPICIOUS
    • Drops a file that was compiled in debug mode
      • 02322339_2.exe (PID: 2844)
    • Drops a file with a compile date too recent
      • 02322339_2.exe (PID: 2844)
    • Reads internet explorer settings
      • cjzg.exe (PID: 3552)
    • Creates files in the user directory
      • 02322339_2.exe (PID: 2844)
    • Starts itself from another location
      • 02322339_2.exe (PID: 2844)
    • Changes IE settings (feature browser emulation)
      • cjzg.exe (PID: 3552)
      • 02322339_2.exe (PID: 2844)
    • Executable content was dropped or overwritten
      • 02322339_2.exe (PID: 2844)
    • Creates a software uninstall entry
      • 02322339_2.exe (PID: 2844)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:08 13:09:44+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 937472
InitializedDataSize: 2706432
UninitializedDataSize: -
EntryPoint: 0xa05fa
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.2.30.608
ProductVersionNumber: 2.2.30.608
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: 游戏微端
FileVersion: 2.2.30.608
InternalName: LiteGameBox2_externel
LegalCopyright: 版权所有 (C) 2008-2020 www.ludashi.com
OriginalFileName: LiteGameBox2
ProductName: 游戏微端
ProductVersion: 2.2.30.608
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 02322339_2.exe -> (drop and start) -> cjzg.exe

Process information

PID: 2844
  CMD: "C:\Users\admin\AppData\Local\Temp\02322339_2.exe"
  Path: C:\Users\admin\AppData\Local\Temp\02322339_2.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: 游戏微端
  Exit code: 0
  Version: 2.2.30.608
  Modules (images):
    c:\users\admin\appdata\local\temp\02322339_2.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\shlwapi.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll

PID: 3552
  CMD: "C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe"
  Path: C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe
  Parent process: 02322339_2.exe
  User: admin
  Integrity Level: MEDIUM
  Description: 游戏微端
  Exit code: 0
  Version: 2.2.30.608
  Modules (images):
    c:\users\admin\appdata\roaming\litegamebox_cjzg\cjzg.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\shlwapi.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
Total events: 562
Read events: 507
Write events: 55
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | write | 02322339_2.exe | 11001
2844 | 02322339_2.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | InstallDir | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | InstallTime | 2020-11-30 01:06:02
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | ExePath | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | DisplayName | 裁决战歌
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | Version | 2.2.30.608
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | PID | lds
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | SubPID | qh
2844 | 02322339_2.exe | HKEY_CURRENT_USER\Software\LDSLiteGameBox\cjzg | write | Channel | lds
Executable files: 3
Suspicious files: 7
Text files: 30
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\裁决战歌.lnk | lnk
2844 | 02322339_2.exe | C:\Users\admin\AppData\Local\Temp\LiteGameBox_cjzg\cjzg.ico | image
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.ico | image
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.json | text
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Temp\LiteGameBox2Run_cjzg\cjzg.ui | compressed
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.ui | compressed
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\upload[1].jpg | image
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\main[1].css | text
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\nav[1].png | image
2844 | 02322339_2.exe | C:\Users\admin\Desktop\裁决战歌.lnk | lnk

The MD5 and SHA256 fields of every dropped file are empty in this report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 9
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Country | Type | Size | Reputation
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/reg.png?t=20200105 | CN | image | 167 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/upload.jpg | CN | image | 37.0 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/nav.png | CN | image | 16.5 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/bg.png?t=20200105 | CN | image | 149 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 139.129.105.182:80 | http://wan.ludashi.com/micro/cjzg/index_lds.html?channel=mnds&from=mnds_wd_cjzg | CN | html | 3.04 Kb | unknown
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/checkbox.png?t=20191021 | CN | image | 867 b | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/log_btn.png?t=20191021 | CN | image | 61.2 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/input_reg_code.png?t=20191021 | CN | image | 1.79 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAilokbNS1yMg9cCtLurU0k%3D | US | der | 471 b | whitelisted
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/assets/jquery/jquery183.js | CN | text | 37.8 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | Country | Reputation
3552 | cjzg.exe | 101.226.26.228:80 | cdn-file.ludashi.com | China Telecom (Group) | CN | unknown
3552 | cjzg.exe | 180.163.121.216:80 | cdn-wan.ludashi.com | China Telecom (Group) | CN | unknown
3552 | cjzg.exe | 139.129.105.182:80 | wan.ludashi.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3552 | cjzg.exe | 101.226.26.230:443 | cdn-file.ludashi.com | China Telecom (Group) | CN | unknown
3552 | cjzg.exe | 120.27.82.56:80 | i.ludashi.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3552 | cjzg.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP(s) | Reputation
wan.ludashi.com | 139.129.105.182 | unknown
cdn-file.ludashi.com | 101.226.26.228, 101.226.26.233, 101.226.26.229, 101.226.26.227, 101.226.26.230, 101.226.26.226, 101.226.26.232, 101.226.26.231 | suspicious
cdn-wan.ludashi.com | 180.163.121.216, 101.226.26.175, 101.227.0.230, 114.80.24.212, 180.163.121.217, 101.226.26.176, 101.227.0.231, 114.80.24.213, 180.163.121.218, 101.226.26.177, 101.227.0.232, 114.80.24.206, 180.163.121.219, 101.226.26.178, 101.227.0.233, 114.80.24.207 | suspicious
cdn-ssl-wan.ludashi.com | 101.226.26.230, 101.226.26.229, 101.226.26.228, 101.226.26.233, 101.226.26.227, 101.226.26.226, 101.226.26.231, 101.226.26.232 | malicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
status.rapidssl.com | 93.184.220.29 | shared
i.ludashi.com | 120.27.82.56 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info