Analysis
max time kernel: 155s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 21/10/2022, 16:21
Static task: static1
Behavioral task: behavioral1
Sample: 2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
Resource: win10v2004-20220901-en
General
Target: 2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
Size: 160KB
MD5: 5fd2ee06fccf4e13ce4f1ad3b62a28db
SHA1: 4289f2de5bd69393cb4fb5190fff261a38edb8c8
SHA256: 2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897
SHA512: cc1f2c9f78fd2dcf2e2d02dc32f08067679238963fa9037d3d9d2fd512e8159f86eb968b8ccef982f8ceb7cd489b935b14f248a9890df42bfb471653f69a42ef
SSDEEP: 1536:7zOEJKTB1rO/A5J2q+MEWafDuwrZd67iS+ra68IUvIi0rQ+L:XXcTBPt+MxJwVEi/8HAz9
Malware Config
Signatures
joker
Joker is an Android malware that targets billing and SMS fraud.
Executes dropped EXE 1 IoCs
PID 4264: inl2AB7.tmp
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
PID 3676: attrib.exe
PID 4416: attrib.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (inl2AB7.tmp)
Adds Run key to start application 2 TTPs 3 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\datread\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" (rundll32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" (rundll32.exe)
Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (rundll32.exe)
Drops file in Program Files directory 2 IoCs
File created: C:\PROGRA~1\INTERN~1\ieframe.dll (cmd.exe)
File opened for modification: C:\PROGRA~1\INTERN~1\ieframe.dll (cmd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (runonce.exe)
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (runonce.exe)
Modifies Internet Explorer settings
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n" (reg.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?n" (reg.exe)
Modifies registry class 9 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) (reg.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\datread\\3.bat\"" (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} (reg.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell (reg.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeIncBasePriorityPrivilege, PID 2060: 2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe
Suspicious use of FindShellTrayWindow 1 IoCs
PID 2088: iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
PID 2088: iexplore.exe
PID 2088: iexplore.exe
PID 4644: IEXPLORE.EXE
PID 4644: IEXPLORE.EXE
Suspicious use of WriteProcessMemory 56 IoCs
Views/modifies file attributes 1 TTPs 2 IoCs
PID 3676: attrib.exe
PID 4416: attrib.exe
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe (PID 2060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fc6cb628310d0119424a1a25b3c8132efcaa040c0285e95005e077a11e7e897.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2140)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2368)
      Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\1.bat
      - Suspicious use of WriteProcessMemory
      C:\PROGRA~1\INTERN~1\iexplore.exe (PID 2088)
        Command line: C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWW.cnkankan.com/?82133
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4644)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\rundll32.exe (PID 1360)
        Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\1.inf
      C:\Windows\SysWOW64\cmd.exe (PID 4508)
        Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\2.bat
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (PID 2312)
          Command line: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?n"" /f
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
        C:\Windows\SysWOW64\reg.exe (PID 4704)
          Command line: reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?n"" /f
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
        C:\Windows\SysWOW64\reg.exe (PID 4108)
          Command line: reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?n"" /f
        C:\Windows\SysWOW64\reg.exe (PID 3400)
          Command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
          - Modifies registry class
        C:\Windows\SysWOW64\reg.exe (PID 1176)
          Command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\datread\3.bat""" /f
          - Modifies registry class
        C:\Windows\SysWOW64\attrib.exe (PID 3676)
          Command line: attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
          - Sets file to hidden
          - Views/modifies file attributes
        C:\Windows\SysWOW64\attrib.exe (PID 4416)
          Command line: attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp
          - Sets file to hidden
          - Views/modifies file attributes
        C:\Windows\SysWOW64\rundll32.exe (PID 3060)
          Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\2.inf
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\runonce.exe (PID 4932)
            Command line: "C:\Windows\system32\runonce.exe" -r
            - Checks processor information in registry
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\grpconv.exe (PID 1768)
              Command line: "C:\Windows\System32\grpconv.exe" -o
        C:\Windows\SysWOW64\rundll32.exe (PID 1608)
          Command line: rundll32 D:\VolumeDH\inj.dat,MainLoad
  C:\Users\Admin\AppData\Local\Temp\inl2AB7.tmp (PID 4264)
    Command line: C:\Users\Admin\AppData\Local\Temp\inl2AB7.tmp
    - Executes dropped EXE
    - Checks computer location settings
  C:\Windows\SysWOW64\cmd.exe (PID 5004)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2FC6CB~1.EXE > nul
MITRE ATT&CK Enterprise v6