Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2022, 16:03
Static task
static1
Behavioral task
behavioral1
Sample
589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe
Resource
win10v2004-20220901-en
General
-
Target
589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe
-
Size
74KB
-
MD5
90f1387a390e2cc443a1df898f863f90
-
SHA1
e225943018d86801be6a62483b7c55d33ef0428d
-
SHA256
589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9
-
SHA512
f898a756da01379718c635cf3333344bdf3beeb7bb370eea6f7583bf08dfdaaf33f59a9e9f7e1b6f7bce8e7017124774c84a12a19ab1edd7be945a741d38be46
-
SSDEEP
1536:cpeGYbmuaka3H0/sVJsyBgiXYuieehkp2KdNlpQquU+u:1bmSaasrjBT0Kcbu
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 2 IoCs
pid Process 4896 loader.tmp 1824 inl7BF8.tmp -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4836 attrib.exe 1580 attrib.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation inl7BF8.tmp -
Loads dropped DLL 1 IoCs
pid Process 4908 rundll32.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe -
Drops file in Program Files directory 18 IoCs
description ioc Process File created C:\Program Files\FreeRapid\4.bat 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\3.bat cmd.exe File opened for modification C:\Program Files (x86)\TheWorld 3\TheWorld.ini rundll32.exe File created C:\Program Files\FreeRapid\2.bat 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe File created C:\Program Files\FreeRapid\loader.tmp 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe File opened for modification C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\1.inf cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E} attrib.exe File opened for modification C:\PROGRA~1\FREERA~1\tmp attrib.exe File opened for modification C:\PROGRA~1\FREERA~1\2.inf cmd.exe File created C:\Program Files\FreeRapid\1.bin 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe File created C:\Program Files\FreeRapid\1.bat 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe File opened for modification C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url cmd.exe File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\windows\Comres.dll loader.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu3333.site\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu3333.site\Total = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991332" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu3333.site IEXPLORE.EXE Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main reg.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4258900807" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4277652227" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30991332" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4258900807" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{28E11212-4FD8-11ED-A0EE-46E60354FB13} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372967519" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30991332" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu3333.site IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu3333.site\ = "63" IEXPLORE.EXE -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\"" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A loader.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967 loader.tmp -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4896 loader.tmp 4896 loader.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeBackupPrivilege 4896 loader.tmp Token: SeRestorePrivilege 4896 loader.tmp Token: SeIncBasePriorityPrivilege 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe Token: SeIncBasePriorityPrivilege 1824 inl7BF8.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4128 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4128 iexplore.exe 4128 iexplore.exe 4268 IEXPLORE.EXE 4268 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4996 wrote to memory of 4896 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 92 PID 4996 wrote to memory of 4896 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 92 PID 4996 wrote to memory of 4896 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 92 PID 4896 wrote to memory of 3236 4896 loader.tmp 93 PID 4896 wrote to memory of 3236 4896 loader.tmp 93 PID 4896 wrote to memory of 3236 4896 loader.tmp 93 PID 4996 wrote to memory of 4656 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 95 PID 4996 wrote to memory of 4656 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 95 PID 4996 wrote to memory of 4656 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 95 PID 4656 wrote to memory of 4288 4656 cmd.exe 97 PID 4656 wrote to memory of 4288 4656 cmd.exe 97 PID 4656 wrote to memory of 4288 4656 cmd.exe 97 PID 4288 wrote to memory of 4128 4288 cmd.exe 99 PID 4288 wrote to memory of 4128 4288 cmd.exe 99 PID 4288 wrote to memory of 4612 4288 cmd.exe 100 PID 4288 wrote to memory of 4612 4288 cmd.exe 100 PID 4288 wrote to memory of 4612 4288 cmd.exe 100 PID 4996 wrote to memory of 1824 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 101 PID 4996 wrote to memory of 1824 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 101 PID 4996 wrote to memory of 1824 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 101 PID 4996 wrote to memory of 3636 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 102 PID 4996 wrote to memory of 3636 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 102 PID 4996 wrote to memory of 3636 4996 589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe 102 PID 4288 wrote to memory of 448 4288 cmd.exe 103 PID 4288 wrote to memory of 448 4288 cmd.exe 103 PID 4288 wrote to memory of 448 4288 cmd.exe 103 PID 4128 wrote to memory of 4268 4128 iexplore.exe 106 PID 4128 wrote to memory of 4268 4128 iexplore.exe 106 PID 4128 wrote to memory of 4268 4128 iexplore.exe 106 PID 448 wrote to memory of 3168 448 cmd.exe 107 PID 448 wrote to memory of 3168 448 cmd.exe 107 PID 448 wrote to memory of 3168 448 cmd.exe 107 PID 448 wrote to memory of 3564 448 cmd.exe 108 PID 448 wrote to memory of 3564 448 cmd.exe 108 PID 448 wrote to memory of 3564 448 cmd.exe 108 PID 448 wrote to memory of 4192 448 cmd.exe 109 PID 448 wrote to memory of 4192 448 cmd.exe 109 PID 448 wrote to memory of 4192 448 cmd.exe 109 PID 448 wrote to memory of 424 448 cmd.exe 110 PID 448 wrote to memory of 424 448 cmd.exe 110 PID 448 wrote to memory of 424 448 cmd.exe 110 PID 448 wrote to memory of 2816 448 cmd.exe 111 PID 448 wrote to memory of 2816 448 cmd.exe 111 PID 448 wrote to memory of 2816 448 cmd.exe 111 PID 448 wrote to memory of 4836 448 cmd.exe 112 PID 448 wrote to memory of 4836 448 cmd.exe 112 PID 448 wrote to memory of 4836 448 cmd.exe 112 PID 448 wrote to memory of 1580 448 cmd.exe 113 PID 448 wrote to memory of 1580 448 cmd.exe 113 PID 448 wrote to memory of 1580 448 cmd.exe 113 PID 448 wrote to memory of 5016 448 cmd.exe 114 PID 448 wrote to memory of 5016 448 cmd.exe 114 PID 448 wrote to memory of 5016 448 cmd.exe 114 PID 448 wrote to memory of 4908 448 cmd.exe 115 PID 448 wrote to memory of 4908 448 cmd.exe 115 PID 448 wrote to memory of 4908 448 cmd.exe 115 PID 5016 wrote to memory of 4904 5016 rundll32.exe 116 PID 5016 wrote to memory of 4904 5016 rundll32.exe 116 PID 5016 wrote to memory of 4904 5016 rundll32.exe 116 PID 4904 wrote to memory of 5036 4904 runonce.exe 117 PID 4904 wrote to memory of 5036 4904 runonce.exe 117 PID 4904 wrote to memory of 5036 4904 runonce.exe 117 PID 1824 wrote to memory of 4004 1824 inl7BF8.tmp 120 PID 1824 wrote to memory of 4004 1824 inl7BF8.tmp 120 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4836 attrib.exe 1580 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe"C:\Users\Admin\AppData\Local\Temp\589bc94cdc57903318d61d2f63fe9b90fa448af2f2fce71dc352fb8ef12916a9.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Program Files\FreeRapid\loader.tmp"C:\Program Files\FreeRapid\loader.tmp"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat3⤵PID:3236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\apeflacmp3.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4128 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4268
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵PID:4612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:3168
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:3564
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵PID:4192
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
PID:424
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
- Modifies registry class
PID:2816
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:4836
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1580
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵PID:5036
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Progra~1\FreeRapid\1.bin,MainLoad5⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:4908
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl7BF8.tmpC:\Users\Admin\AppData\Local\Temp\inl7BF8.tmp2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl7BF8.tmp > nul3⤵PID:4004
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\589BC9~1.EXE > nul2⤵PID:3636
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD5d6ad3ea7acbeea6fad7d1991f40e2f97
SHA11a165c03f5c95792c9a95fcf5b19c3a439fd36ea
SHA256e21abd16063ea41e1983a5be729daa6b733ca4ad0110654c1aaba1e93568febc
SHA512e94850301a0efcdbd2d1a73f26c86c65c5854ef32a336d8be01edf5e97a3d7dc98ed35e11677c25e90cd7d21a1c49cfe8db9cebd526070c8b970eb450f91d7e0
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
5.8MB
MD5c03e90625e0439d036678d7fbaf9b39b
SHA15ea8a08654f23db3269332e21bd60ada112ec1d6
SHA256f3a2e233b3da1bbaca298c3857ba84e0ba6a1c1708c98711ac5679cc857cdbe6
SHA512b0c6e1dffd4c460d91eacf4671842be921fc0128d7d591e80ec9dc983dcaa9da0d0670cd5b41c354ccf06b00cc5bcc4eea2dfab4671fa826f52d9497cf55ee1a
-
Filesize
57.2MB
MD5082d58fbd7d9f203fa2de38b1209cc29
SHA19629ee284d4f77b3989b167b8ee71a634597e81c
SHA256493a2774c2d22d072f59718b78cd5bdb50e7204eb9b52896a39ab661a66c1078
SHA512f8cceeb9d1133338015ad07cd90ace2505787a76e1f9e811b8de22e1b952b92ad48bc11506d87c71886a310b9b380dbbe6e11b5777b5c9a55d19a4681fb3ff22
-
Filesize
57.3MB
MD5ef15785ec1fed06385d41051bc1a3941
SHA12d2d378954b876dac5f69c94959122f83ef8c794
SHA2560fea2a43223bf9ace8023a6c9290a8f99afd73fa0bfea41aeb49d3f7f3190dca
SHA512adbed32bb4bb8881d995a222561661438b92783aecba93526c63a11eb7a847255a0638e8e7877613f34e3816cdc5030648bbddadf5694af70703f6a70775dcb5
-
Filesize
57.3MB
MD5ef15785ec1fed06385d41051bc1a3941
SHA12d2d378954b876dac5f69c94959122f83ef8c794
SHA2560fea2a43223bf9ace8023a6c9290a8f99afd73fa0bfea41aeb49d3f7f3190dca
SHA512adbed32bb4bb8881d995a222561661438b92783aecba93526c63a11eb7a847255a0638e8e7877613f34e3816cdc5030648bbddadf5694af70703f6a70775dcb5
-
Filesize
57.2MB
MD5082d58fbd7d9f203fa2de38b1209cc29
SHA19629ee284d4f77b3989b167b8ee71a634597e81c
SHA256493a2774c2d22d072f59718b78cd5bdb50e7204eb9b52896a39ab661a66c1078
SHA512f8cceeb9d1133338015ad07cd90ace2505787a76e1f9e811b8de22e1b952b92ad48bc11506d87c71886a310b9b380dbbe6e11b5777b5c9a55d19a4681fb3ff22
-
Filesize
1KB
MD5d56c49b2f0a63bdf2035a1cf5f965125
SHA170064ed9db0812ef8407d05256aa4ebf578c1597
SHA25672bec14de3a4791e4d5261b80aa4062e170c117ad164e8c5a72edbe471ebc32f
SHA512fa9def6b54a8fd7c74f58ebffb97e40431a14c0daed8d0edf890a25cac799bf3ac61f4a0259d95ea22e3ceb27d1862a5881d3a33ccfb9b196d1565d67efa7b2a
-
Filesize
2KB
MD5be9c2a6c4473d5ff3130700864019244
SHA1bd964f122e7715e3fce78dcbbc2118cc85f42053
SHA2568f07137e93b92f7942caa3cca96b3c66d390aa8aaf9bc112d3b132948c61c5bd
SHA512b4810796fad38757315c6d21b03f7cc13777fc928d32f0222208f460f7a515d626837d460dbcd2c0959f1ba383f60a395724325cd7a8d0b8c53538a0a4b16cbc
-
Filesize
36B
MD50b53221b1332efb76ebd2ab7120ff78f
SHA1e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA25605bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd
-
Filesize
57.2MB
MD5107331e5e7512147e9d2464a66bf603d
SHA1a1dee9c148f8b38edf2ba4794df1935c1d2a139b
SHA256f1bf309e88e983b19833e779450aac3dff5eeaebf77b5f6aacb91e2fb1c01215
SHA512e2488410871e16beaeb7ab35b1d74f06e6b0f6919bd47e7823e84e5958bfe0999b4cfff624b89d22f24a4d9fe9513c65fab57c6537289811ea4642b67f015032
-
Filesize
57.2MB
MD5107331e5e7512147e9d2464a66bf603d
SHA1a1dee9c148f8b38edf2ba4794df1935c1d2a139b
SHA256f1bf309e88e983b19833e779450aac3dff5eeaebf77b5f6aacb91e2fb1c01215
SHA512e2488410871e16beaeb7ab35b1d74f06e6b0f6919bd47e7823e84e5958bfe0999b4cfff624b89d22f24a4d9fe9513c65fab57c6537289811ea4642b67f015032
-
Filesize
631B
MD50b92bb1f3b9141d221dfedfcc5a59527
SHA18d0a11d39776442b53436490284dc460137d3e7a
SHA2565ad1f9cc4cff9a7d07bf72edc9ce2ccb0e75a6bb8038ab92a27a54914d560a99
SHA512e3472c917c7ac2657f4ceb3bf8d1cdabca72bc0090ce2d33b3c334d86ad4cb8b68e109d936f6d99b38dd8d44bcd2e2e152d3292c10c77461e79bb13b2db04205