Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2022, 05:41
Static task
static1
Behavioral task
behavioral1
Sample
d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe
Resource
win10v2004-20220812-en
General
-
Target
d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe
-
Size
160KB
-
MD5
60d0b75a083b93dac514126193445c7c
-
SHA1
1bd8d1cd4a244105c9ad4e11b727d88e8ec414da
-
SHA256
d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03
-
SHA512
2016dc7dd27e736bcf0fddb584a74d2a5828fa47b03c7639ed904dac2b8def2e826ef57f28c06aee3022a693c09b19be2928ededcce0490af4f148cc788ba339
-
SSDEEP
1536:OJwHa3E5YW/io2C+I4LQ54z2B814KX6hN2DDwRCPERKHOJ+O:jHaE5/io2C+I4LQ54z2C14KK3W8RChi
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
pid Process 4872 inlEF34.tmp -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2124 attrib.exe 3220 attrib.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation inlEF34.tmp -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: cmd.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988311" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu549.site\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu549.site\Total = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3934697731" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988311" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3927822059" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" IEXPLORE.EXE Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main reg.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15469884-440B-11ED-B696-E64E24383C5C} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu549.site\ = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988311" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3927822059" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu549.site IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu549.site IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S" reg.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\"" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node reg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe Token: SeIncBasePriorityPrivilege 4872 inlEF34.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2992 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2992 iexplore.exe 2992 iexplore.exe 3552 IEXPLORE.EXE 3552 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 1752 wrote to memory of 1708 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 84 PID 1752 wrote to memory of 1708 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 84 PID 1752 wrote to memory of 1708 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 84 PID 1708 wrote to memory of 4264 1708 cmd.exe 86 PID 1708 wrote to memory of 4264 1708 cmd.exe 86 PID 1708 wrote to memory of 4264 1708 cmd.exe 86 PID 4264 wrote to memory of 2768 4264 cmd.exe 88 PID 4264 wrote to memory of 2768 4264 cmd.exe 88 PID 4264 wrote to memory of 2768 4264 cmd.exe 88 PID 4264 wrote to memory of 4112 4264 cmd.exe 89 PID 4264 wrote to memory of 4112 4264 cmd.exe 89 PID 4264 wrote to memory of 4112 4264 cmd.exe 89 PID 4264 wrote to memory of 1520 4264 cmd.exe 90 PID 4264 wrote to memory of 1520 4264 cmd.exe 90 PID 4264 wrote to memory of 1520 4264 cmd.exe 90 PID 4264 wrote to memory of 4124 4264 cmd.exe 91 PID 4264 wrote to memory of 4124 4264 cmd.exe 91 PID 4264 wrote to memory of 4124 4264 cmd.exe 91 PID 4264 wrote to memory of 228 4264 cmd.exe 92 PID 4264 wrote to memory of 228 4264 cmd.exe 92 PID 4264 wrote to memory of 228 4264 cmd.exe 92 PID 4264 wrote to memory of 2124 4264 cmd.exe 93 PID 4264 wrote to memory of 2124 4264 cmd.exe 93 PID 4264 wrote to memory of 2124 4264 cmd.exe 93 PID 4264 wrote to memory of 3220 4264 cmd.exe 94 PID 4264 wrote to memory of 3220 4264 cmd.exe 94 PID 4264 wrote to memory of 3220 4264 cmd.exe 94 PID 4264 wrote to memory of 1212 4264 cmd.exe 95 PID 4264 wrote to memory of 1212 4264 cmd.exe 95 PID 4264 wrote to memory of 1212 4264 cmd.exe 95 PID 4264 wrote to memory of 728 4264 cmd.exe 96 PID 4264 wrote to memory of 728 4264 cmd.exe 96 PID 4264 wrote to memory of 728 4264 cmd.exe 96 PID 1212 wrote to memory of 4992 1212 rundll32.exe 97 PID 1212 wrote to memory of 4992 1212 rundll32.exe 97 PID 1212 wrote to memory of 4992 1212 rundll32.exe 97 PID 1752 wrote to memory of 4872 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 98 PID 1752 wrote to memory of 4872 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 98 PID 1752 wrote to memory of 4872 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 98 PID 4992 wrote to memory of 5076 4992 runonce.exe 99 PID 4992 wrote to memory of 5076 4992 runonce.exe 99 PID 4992 wrote to memory of 5076 4992 runonce.exe 99 PID 4264 wrote to memory of 4448 4264 cmd.exe 104 PID 4264 wrote to memory of 4448 4264 cmd.exe 104 PID 4264 wrote to memory of 4448 4264 cmd.exe 104 PID 4448 wrote to memory of 2992 4448 cmd.exe 106 PID 4448 wrote to memory of 2992 4448 cmd.exe 106 PID 4448 wrote to memory of 4512 4448 cmd.exe 107 PID 4448 wrote to memory of 4512 4448 cmd.exe 107 PID 4448 wrote to memory of 4512 4448 cmd.exe 107 PID 2992 wrote to memory of 3552 2992 iexplore.exe 108 PID 2992 wrote to memory of 3552 2992 iexplore.exe 108 PID 2992 wrote to memory of 3552 2992 iexplore.exe 108 PID 1752 wrote to memory of 4536 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 114 PID 1752 wrote to memory of 4536 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 114 PID 1752 wrote to memory of 4536 1752 d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe 114 PID 4872 wrote to memory of 1072 4872 inlEF34.tmp 116 PID 4872 wrote to memory of 1072 4872 inlEF34.tmp 116 PID 4872 wrote to memory of 1072 4872 inlEF34.tmp 116 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2124 attrib.exe 3220 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe"C:\Users\Admin\AppData\Local\Temp\d4ca78167a5ab2e4f32adad0e970b5d650e5ea89dc705eedc6d83a71c453db03.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat3⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:2768
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:4112
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f4⤵PID:1520
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f4⤵
- Modifies registry class
PID:4124
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f4⤵
- Modifies registry class
PID:228
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2124
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3220
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵PID:5076
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad4⤵PID:728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat4⤵
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821335⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3552
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf5⤵PID:4512
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlEF34.tmpC:\Users\Admin\AppData\Local\Temp\inlEF34.tmp2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlEF34.tmp > nul3⤵PID:1072
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D4CA78~1.EXE > nul2⤵PID:4536
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.8MB
MD550c4869874f2e659afac55ce4fc129a7
SHA1d83a6b42b847a9527c621ef251bdbdef4b9fec11
SHA2566c3bd61ca89c17c6787cdc89e4a6a6491989f0088811f3af7ffa63f2af74ba49
SHA5123600db6ac661b41c01cabb8702ab150327b76959086955248ca8516d2dd8dc4bab6325f760aba6e11e7ce35df39ab7d428107811c15603d75790494e3472088c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5afc3e2584b32e1e7c23c33e9534089a5
SHA1ea4e2266d010c300621d2287ea60fe3e9a9ee753
SHA25661597f5f937da250a5ed7b4b82867bebc546a5a35c0029982a003b1e9cbd2e7e
SHA512f0e0d20b15bc390292baf0d93d982315afc466ccd2d4e48152ed65af97aed573d5b9e65b2b50925cbcd2e736955dfec4f63de5739cdb1499eb2db5dfc3cc4fe6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5d179199bb4dfe465766971fdb97d2bb3
SHA1e9f00b1c751ae159e0da5a427a0d466b8b58da25
SHA25631729baf2dc354a778087fd651a383937b46be41108e748e0a338553f6971103
SHA512cb277572ee82121084869fc20ec1bf848762245811f16a5eafbf7a81b1b6ae6153ea7799ca3e982b6bb3969b8932f8e0bb59a9e9495a31977cc6ce36e9b8438b
-
Filesize
1KB
MD5c8a91c637070c72298702f03d79800fe
SHA1fc822939c477aedf969707e1fd44ef6ba0487d34
SHA25611658576f3753587609faee69fb7aa3959282d9de7c93ee1313bd473c5cf7808
SHA5121ed688aff8482a2ad916063e2b5a17750b43d8a6505af580486c26f7ccdf99b8f6f64c8daafc43426c88406cb1ada579bb0e5e92bb22c48cce2c7d24558878d5
-
Filesize
791B
MD51706b41fd446b5718a8419c0fcb35d55
SHA1d9bb8df22acdc60c754ac14982cf795df3b1b815
SHA2565c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943
SHA51268c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e
-
Filesize
57.2MB
MD5c9995667e5e9bf095e74e5223e298016
SHA1844f98cbbcb1628e34b942a989bc51ad9b99d1a3
SHA25688135304485655805f971c4a70738f25993a708b49ef68031d82b72fe1f2cca0
SHA5128a7a554321d5bb5cd5fd77c92acf74b511958ecf5ac688e6b2c754d2fbf8b7b24cd20f39cd5e140db21be8a9031bab3df51ceb5211a8856b04c1d5db4e0c26cf
-
Filesize
57.2MB
MD5c9995667e5e9bf095e74e5223e298016
SHA1844f98cbbcb1628e34b942a989bc51ad9b99d1a3
SHA25688135304485655805f971c4a70738f25993a708b49ef68031d82b72fe1f2cca0
SHA5128a7a554321d5bb5cd5fd77c92acf74b511958ecf5ac688e6b2c754d2fbf8b7b24cd20f39cd5e140db21be8a9031bab3df51ceb5211a8856b04c1d5db4e0c26cf
-
Filesize
54B
MD5504490369970f1c0eb580afbcdf91618
SHA1b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971
SHA256a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43
SHA5125495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad
-
Filesize
3KB
MD5493c22f6b15f9766ae7c23794fc77da0
SHA143723ba660dbc1486f717441b58298d33b9f2048
SHA256478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182
SHA512662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD55ea8e400d1f6ea0deb83ace9c6905dc0
SHA13d15c081f2f7f71457897153c41e71a488a5a798
SHA256324a39a9c4cd4b085bd684bebacc2e1a711253557c031927cdf60b2cd4d18fde
SHA5121fae275277dff9f4755795d7bd520c691633e9a08c0e0b9c4f54a41984578142783553cfe7d0f785fd1e5855518bf5fc0211d49a975a27dd8b1b779cb7cbd45f
-
Filesize
248B
MD52197ffb407fb3b2250045c084f73b70a
SHA13d0efbacba73ac5e8d77f0d25d63fc424511bcf6
SHA256a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591
SHA512b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe
-
Filesize
5.8MB
MD550c4869874f2e659afac55ce4fc129a7
SHA1d83a6b42b847a9527c621ef251bdbdef4b9fec11
SHA2566c3bd61ca89c17c6787cdc89e4a6a6491989f0088811f3af7ffa63f2af74ba49
SHA5123600db6ac661b41c01cabb8702ab150327b76959086955248ca8516d2dd8dc4bab6325f760aba6e11e7ce35df39ab7d428107811c15603d75790494e3472088c