269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f

Analysis

max time kernel
186s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe
Size

59KB
MD5

6a1fcbe6ac7fc091844a1257c7fd135f
SHA1

2247ad4f1d3c8c9d0dbe1015aa1aa88b71dfb050
SHA256

269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f
SHA512

a01ec5857eec66cba3f6c4afc818a6423558fa9df1e74cb4def25c0eabcab894d14dea96ba2bcd254c82fc5299d7d4a5cf38aaa519e63fb45a2840703a53e387
SSDEEP

1536:+fomE60xemL6jBBFqcH5AXbHqqt3CI7S5Nr4kRaAg2YC6:+wmx+emLwBBFqcQbLtzsF4cc236

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3752	inlBFC8.tmp

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4560	attrib.exe
3576	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	inlBFC8.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "290236608"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372516160"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3B20795C-4BBD-11ED-B696-CA2A13AD51D0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu4444.site\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu4444.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu4444.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu4444.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "294766331"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "294766331"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "290236608"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990282"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu4444.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990282"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe
Token: SeIncBasePriorityPrivilege	3752	inlBFC8.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2016	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2016	iexplore.exe
2016	iexplore.exe
4524	IEXPLORE.EXE
4524	IEXPLORE.EXE
4524	IEXPLORE.EXE
4524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4564	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	80
PID 4680 wrote to memory of 4564	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	80
PID 4680 wrote to memory of 4564	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	80
PID 4564 wrote to memory of 620	4564	cmd.exe	82
PID 4564 wrote to memory of 620	4564	cmd.exe	82
PID 4564 wrote to memory of 620	4564	cmd.exe	82
PID 620 wrote to memory of 2016	620	cmd.exe	84
PID 620 wrote to memory of 2016	620	cmd.exe	84
PID 620 wrote to memory of 2088	620	cmd.exe	85
PID 620 wrote to memory of 2088	620	cmd.exe	85
PID 620 wrote to memory of 2088	620	cmd.exe	85
PID 620 wrote to memory of 616	620	cmd.exe	86
PID 620 wrote to memory of 616	620	cmd.exe	86
PID 620 wrote to memory of 616	620	cmd.exe	86
PID 616 wrote to memory of 208	616	cmd.exe	88
PID 616 wrote to memory of 208	616	cmd.exe	88
PID 616 wrote to memory of 208	616	cmd.exe	88
PID 616 wrote to memory of 320	616	cmd.exe	89
PID 616 wrote to memory of 320	616	cmd.exe	89
PID 616 wrote to memory of 320	616	cmd.exe	89
PID 616 wrote to memory of 2644	616	cmd.exe	90
PID 616 wrote to memory of 2644	616	cmd.exe	90
PID 616 wrote to memory of 2644	616	cmd.exe	90
PID 616 wrote to memory of 3196	616	cmd.exe	91
PID 616 wrote to memory of 3196	616	cmd.exe	91
PID 616 wrote to memory of 3196	616	cmd.exe	91
PID 616 wrote to memory of 4704	616	cmd.exe	92
PID 616 wrote to memory of 4704	616	cmd.exe	92
PID 616 wrote to memory of 4704	616	cmd.exe	92
PID 616 wrote to memory of 4560	616	cmd.exe	93
PID 616 wrote to memory of 4560	616	cmd.exe	93
PID 616 wrote to memory of 4560	616	cmd.exe	93
PID 4680 wrote to memory of 3752	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	94
PID 4680 wrote to memory of 3752	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	94
PID 4680 wrote to memory of 3752	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	94
PID 616 wrote to memory of 3576	616	cmd.exe	95
PID 616 wrote to memory of 3576	616	cmd.exe	95
PID 616 wrote to memory of 3576	616	cmd.exe	95
PID 616 wrote to memory of 4460	616	cmd.exe	96
PID 616 wrote to memory of 4460	616	cmd.exe	96
PID 616 wrote to memory of 4460	616	cmd.exe	96
PID 616 wrote to memory of 1572	616	cmd.exe	98
PID 616 wrote to memory of 1572	616	cmd.exe	98
PID 616 wrote to memory of 1572	616	cmd.exe	98
PID 4460 wrote to memory of 1432	4460	rundll32.exe	97
PID 4460 wrote to memory of 1432	4460	rundll32.exe	97
PID 4460 wrote to memory of 1432	4460	rundll32.exe	97
PID 4680 wrote to memory of 4336	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	99
PID 4680 wrote to memory of 4336	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	99
PID 4680 wrote to memory of 4336	4680	269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe	99
PID 2016 wrote to memory of 4524	2016	iexplore.exe	101
PID 2016 wrote to memory of 4524	2016	iexplore.exe	101
PID 2016 wrote to memory of 4524	2016	iexplore.exe	101
PID 1432 wrote to memory of 860	1432	runonce.exe	102
PID 1432 wrote to memory of 860	1432	runonce.exe	102
PID 1432 wrote to memory of 860	1432	runonce.exe	102
PID 3752 wrote to memory of 1304	3752	inlBFC8.tmp	110
PID 3752 wrote to memory of 1304	3752	inlBFC8.tmp	110
PID 3752 wrote to memory of 1304	3752	inlBFC8.tmp	110

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3576	attrib.exe
4560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe
"C:\Users\Admin\AppData\Local\Temp\269d876a8d8d56515a16699df6245f137c20e49c52c791200fbb1e2533f8124f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmwarefusion4.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4524
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:320
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:3196
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4704
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4560
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3576
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:860
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:1572
- C:\Users\Admin\AppData\Local\Temp\inlBFC8.tmp
  C:\Users\Admin\AppData\Local\Temp\inlBFC8.tmp
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBFC8.tmp > nul
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\269D87~1.EXE > nul
  2⤵
  PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d4d443a25ea0e792142718c16af91a0f

SHA1
26548c59a5086269e51679a3dca3e7bd83daea28

SHA256
b0f96f3b571b7eff330f0109ab82447af0108562bf3937e530028d429adfd3b5

SHA512
7f49020d73b47a57fc14e4e3f2346b4b7595070fded5fbce9768310c8ab32837b3a4621f51d36798059df56317aca3e36ff4bbdffaaebb4dd921be5c9239848a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
8ceec86c59a3223ee938871aad13abbf

SHA1
e6f2433ee94384aa305060da49616abd401a36b0

SHA256
c0fec851d3dfc22d2a3c0b70f50db68a34719f3b1b431c2e52111016c151ac9e

SHA512
29c6cbd2c143761d3590a17455b3338d6e561b78006507fdd21819c91af5fce20f1b89b5d4474cc5ee6dfea6d32bf674db6d396ec8b9cf2aed6e535d59b9dae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
1KB

MD5
6a57c212024e306f611e5e4ede04e678

SHA1
cd9d321378c43d6d0063d67fdef10514c0f8aa42

SHA256
97e220291325a745c26f0dae386d735dfb7a4d87175df6b9666b6fa5cb0ba9ce

SHA512
2f000b7f9e7ee7f75e1deaef8668d4a674de02dfb848129547ad370e1f6fafb6b63967b17011bc09f06d0814c24aff21b6b3690b1218c322e146155d91977c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlBFC8.tmp

Filesize
57.2MB

MD5
d66e2defb685fee9d4aa6055c232be04

SHA1
1ffa34ce25ee7f8de6d8788b1ff2307ca2d9a8e6

SHA256
c08b3b73bb2dd2a29f7a14bd15709400b8ae0cad5c1a548507bbbe9af632a001

SHA512
a04ce38520297c7906882249fcbf38aeb4e5b70de6afc26d69641a43646e46bdc028e072b585487ad7fc8c95bfdbf25b9c98b1d785ddd19edc7832bcd3036e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlBFC8.tmp

Filesize
57.2MB

MD5
d66e2defb685fee9d4aa6055c232be04

SHA1
1ffa34ce25ee7f8de6d8788b1ff2307ca2d9a8e6

SHA256
c08b3b73bb2dd2a29f7a14bd15709400b8ae0cad5c1a548507bbbe9af632a001

SHA512
a04ce38520297c7906882249fcbf38aeb4e5b70de6afc26d69641a43646e46bdc028e072b585487ad7fc8c95bfdbf25b9c98b1d785ddd19edc7832bcd3036e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmwarefusion4.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
660B

MD5
d980f89e4088711df685a0aa09e8f5a7

SHA1
dde805f4fa5e016e122e4240e20ff844113717d7

SHA256
28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09

SHA512
fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
286fe459674aef6eee17f6ac79a15fdb

SHA1
233dc43099c575a67b05fc1076e676324fd6e63d

SHA256
872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

SHA512
c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
d4917ae9072a10d8e12ef3b282b25b3b

SHA1
bd9ec6c6395997525ec7c15ecca2f115573cc14c

SHA256
6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

SHA512
c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
5.8MB

MD5
227324d12aff22c56ddc46d75e30e933

SHA1
8732ef1eb52341dd4ef71953acd57b4c60d233c5

SHA256
27ef2c0f3fa548835add2bdba4253d0f7c2a97770f9f8527157315b9f3d8f101

SHA512
84d18ccc419b9b266fc05125510e681ef41ea26b635eb834e7b14080c3ad2d326222c9706099c4b8261c6028e36f624ef9cdfa32756ca8b14edbf29cd2537aff

Download Submit
memory/2016-178-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-195-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-150-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-223-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-158-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-222-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-148-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-217-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-165-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-166-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-167-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-210-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-168-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-169-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-170-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-161-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-212-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-177-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-214-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-181-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-180-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-183-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-188-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-189-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-190-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-187-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-216-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-194-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-213-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-200-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-201-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-202-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-196-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-193-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-204-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-203-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-209-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-191-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-185-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-179-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-211-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-174-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-172-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/2016-160-0x00007FFB943A0000-0x00007FFB9440E000-memory.dmp

Filesize
440KB

Download
memory/4680-132-0x0000000000F60000-0x0000000000F87000-memory.dmp

Filesize
156KB

Download
memory/4680-176-0x0000000000F60000-0x0000000000F87000-memory.dmp

Filesize
156KB

Download
memory/4680-133-0x0000000000E60000-0x0000000000E63000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads