310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175

Analysis

max time kernel
166s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe
Size

160KB
MD5

3541fff37fc34334cfaf0c5b748dc602
SHA1

39ce792ada3b92b29212faf7d254cece6773db67
SHA256

310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175
SHA512

c90a4cfb3e42d4bb98d4d60464b5a7b44868f2e351de29c036b77526f68c1f0009313d35168a8bbe050cc1f48f35941b99fd82956b9220e4563edc0bba994dca
SSDEEP

1536:OJwHa3E5YW/io2C+I4LQ54z2B814KX6hN2DDwRCPERKHOJ++:jHaE5/io2C+I4LQ54z2C14KK3W8RCha

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

inl53F9.tmp

pid process

3356 inl53F9.tmp
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1580 attrib.exe
2808 attrib.exe

pid	process
3356	inl53F9.tmp

pid	process
1580	attrib.exe
2808	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exeinl53F9.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	inl53F9.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\D: cmd.exe
Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	cmd.exe

description	ioc	process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEreg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu455.site\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6572A316-6B66-11ED-89AC-466E527D41B2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\henniu455.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.henniu455.site	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\henniu455.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.henniu455.site\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 9 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe

description pid process

Token: SeIncBasePriorityPrivilege 1200 310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1552 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1552 iexplore.exe
1552 iexplore.exe
3756 IEXPLORE.EXE
3756 IEXPLORE.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe

pid	process
1552	iexplore.exe

pid	process
1552	iexplore.exe
1552	iexplore.exe
3756	IEXPLORE.EXE
3756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.execmd.execmd.exerundll32.exerunonce.execmd.exeiexplore.exe

description	pid	process	target process
PID 1200 wrote to memory of 4340	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	cmd.exe
PID 1200 wrote to memory of 4340	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	cmd.exe
PID 1200 wrote to memory of 4340	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	cmd.exe
PID 4340 wrote to memory of 4612	4340	cmd.exe	cmd.exe
PID 4340 wrote to memory of 4612	4340	cmd.exe	cmd.exe
PID 4340 wrote to memory of 4612	4340	cmd.exe	cmd.exe
PID 4612 wrote to memory of 1336	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1336	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1336	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1716	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1716	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1716	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 2356	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 2356	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 2356	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1372	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1372	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1372	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1520	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1520	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1520	4612	cmd.exe	reg.exe
PID 4612 wrote to memory of 1580	4612	cmd.exe	attrib.exe
PID 4612 wrote to memory of 1580	4612	cmd.exe	attrib.exe
PID 4612 wrote to memory of 1580	4612	cmd.exe	attrib.exe
PID 4612 wrote to memory of 2808	4612	cmd.exe	attrib.exe
PID 4612 wrote to memory of 2808	4612	cmd.exe	attrib.exe
PID 4612 wrote to memory of 2808	4612	cmd.exe	attrib.exe
PID 4612 wrote to memory of 364	4612	cmd.exe	rundll32.exe
PID 4612 wrote to memory of 364	4612	cmd.exe	rundll32.exe
PID 4612 wrote to memory of 364	4612	cmd.exe	rundll32.exe
PID 1200 wrote to memory of 3356	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	inl53F9.tmp
PID 1200 wrote to memory of 3356	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	inl53F9.tmp
PID 1200 wrote to memory of 3356	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	inl53F9.tmp
PID 4612 wrote to memory of 228	4612	cmd.exe	rundll32.exe
PID 4612 wrote to memory of 228	4612	cmd.exe	rundll32.exe
PID 4612 wrote to memory of 228	4612	cmd.exe	rundll32.exe
PID 364 wrote to memory of 4240	364	rundll32.exe	runonce.exe
PID 364 wrote to memory of 4240	364	rundll32.exe	runonce.exe
PID 364 wrote to memory of 4240	364	rundll32.exe	runonce.exe
PID 4240 wrote to memory of 3528	4240	runonce.exe	grpconv.exe
PID 4240 wrote to memory of 3528	4240	runonce.exe	grpconv.exe
PID 4240 wrote to memory of 3528	4240	runonce.exe	grpconv.exe
PID 4612 wrote to memory of 4412	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 4412	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 4412	4612	cmd.exe	cmd.exe
PID 4412 wrote to memory of 1552	4412	cmd.exe	iexplore.exe
PID 4412 wrote to memory of 1552	4412	cmd.exe	iexplore.exe
PID 4412 wrote to memory of 1316	4412	cmd.exe	rundll32.exe
PID 4412 wrote to memory of 1316	4412	cmd.exe	rundll32.exe
PID 4412 wrote to memory of 1316	4412	cmd.exe	rundll32.exe
PID 1552 wrote to memory of 3756	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 3756	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 3756	1552	iexplore.exe	IEXPLORE.EXE
PID 1200 wrote to memory of 4032	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	cmd.exe
PID 1200 wrote to memory of 4032	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	cmd.exe
PID 1200 wrote to memory of 4032	1200	310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1580 attrib.exe
2808 attrib.exe

pid	process
1580	attrib.exe
2808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe
"C:\Users\Admin\AppData\Local\Temp\310919c850dde49ae171a1a57e133c4e901be5e0d49005669553d54f9c64b175.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:1336
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:1716
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
      4⤵
      Modifies registry class
      PID:1372
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
      4⤵
      Modifies registry class
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2808
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:3528
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 D:\VolumeDH\inj.dat,MainLoad
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\PROGRA~1\INTERN~1\iexplore.exe
        
        C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3756
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
        5⤵
        
        PID:1316
- C:\Users\Admin\AppData\Local\Temp\inl53F9.tmp
  C:\Users\Admin\AppData\Local\Temp\inl53F9.tmp
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl53F9.tmp > nul
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\310919~1.EXE > nul
  2⤵
  PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\INTERN~1\IEFRAME.dll

Filesize
5.8MB

MD5
86a0d3042974a2e65d42348db60f4555

SHA1
95c00e0902ead2c145d9dddb422c57a55592689e

SHA256
83c3eb9332426828d3fa822d302fa2dff23cfe434406a9af6b20c500c7396381

SHA512
078e0c4b533a3a290b1607bcea901efa7d2dfccb99ed4ae51dfa95ad8635ee5cf239e844acd55ec9e990bc095f3f5e332e6f1f11b18f629cf1b8afd80f3e1cca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
f92a468aa1ae1585f8e594bce07c2f6e

SHA1
e7a12c0092060b048cb66c8cf948f06a6ca6efd5

SHA256
0423098df0149ab526d6beae031944992bd6b6367cc78190dcaad72e172d1857

SHA512
492c42e80c3c7198cf37c6e33ee71c5b7f1b61d3a30cf14a111105773ea0206a59c0426411fed5d3639f74be45b291ba46d12228a7757b6c5183b1ec37c8b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl53F9.tmp

Filesize
57.2MB

MD5
a3eb02c5b27d2364892ffc6db291150f

SHA1
9b5db14a418366577098edac0c57e3d352ef3d0e

SHA256
3b2329bacc2f3a597c15deba554d40b7bd59850bb6ce7c6f895d9104d434abe4

SHA512
20c4723d81a7c6b3d5c1b207c4d1f8a9a1e7f3bdddd98459c4a51de110d7bc64e193884b1afc96fa42d2f735eba07144a266966333e5d99357b2d9308b0891f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl53F9.tmp

Filesize
57.2MB

MD5
a3eb02c5b27d2364892ffc6db291150f

SHA1
9b5db14a418366577098edac0c57e3d352ef3d0e

SHA256
3b2329bacc2f3a597c15deba554d40b7bd59850bb6ce7c6f895d9104d434abe4

SHA512
20c4723d81a7c6b3d5c1b207c4d1f8a9a1e7f3bdddd98459c4a51de110d7bc64e193884b1afc96fa42d2f735eba07144a266966333e5d99357b2d9308b0891f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
493c22f6b15f9766ae7c23794fc77da0

SHA1
43723ba660dbc1486f717441b58298d33b9f2048

SHA256
478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182

SHA512
662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
0c2c5c336b07f8f59c77fc1bd47460a3

SHA1
2a6a218a92041345046b422d91f39bb3415505a3

SHA256
35b9dee92b81e2af0bb1b9064e2647c217601d0f40e75cc5f221075076e5d2a2

SHA512
382cd4ae28f9bbe3700d5c9faa2d5cf1ce5831009c1b148f7fa12375e923aa7e1e105ad5e0505bf93c0b2f25805c95df1a18fb532ce67ba1b0fae7a94bb01dde

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
5.8MB

MD5
86a0d3042974a2e65d42348db60f4555

SHA1
95c00e0902ead2c145d9dddb422c57a55592689e

SHA256
83c3eb9332426828d3fa822d302fa2dff23cfe434406a9af6b20c500c7396381

SHA512
078e0c4b533a3a290b1607bcea901efa7d2dfccb99ed4ae51dfa95ad8635ee5cf239e844acd55ec9e990bc095f3f5e332e6f1f11b18f629cf1b8afd80f3e1cca

Download Submit
memory/228-147-0x0000000000000000-mapping.dmp

Download
memory/364-145-0x0000000000000000-mapping.dmp

Download
memory/1200-202-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1200-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1316-158-0x0000000000000000-mapping.dmp

Download
memory/1336-137-0x0000000000000000-mapping.dmp

Download
memory/1372-141-0x0000000000000000-mapping.dmp

Download
memory/1520-142-0x0000000000000000-mapping.dmp

Download
memory/1552-173-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-188-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-223-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-156-0x0000000000000000-mapping.dmp

Download
memory/1552-222-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-217-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-216-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-160-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-161-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-163-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-164-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-165-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-166-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-167-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-168-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-169-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-170-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-171-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-214-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-174-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-176-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-177-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-178-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-181-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-180-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-182-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-184-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-186-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-187-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-213-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-189-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-190-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-191-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-192-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-193-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-194-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-198-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-199-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-200-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-212-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-203-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-211-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-204-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-209-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1552-210-0x00007FF8DB7D0000-0x00007FF8DB83E000-memory.dmp

Filesize
440KB

Download
memory/1580-143-0x0000000000000000-mapping.dmp

Download
memory/1716-138-0x0000000000000000-mapping.dmp

Download
memory/2356-139-0x0000000000000000-mapping.dmp

Download
memory/2808-144-0x0000000000000000-mapping.dmp

Download
memory/3356-146-0x0000000000000000-mapping.dmp

Download
memory/3528-153-0x0000000000000000-mapping.dmp

Download
memory/4032-201-0x0000000000000000-mapping.dmp

Download
memory/4104-236-0x0000000000000000-mapping.dmp

Download
memory/4240-152-0x0000000000000000-mapping.dmp

Download
memory/4340-133-0x0000000000000000-mapping.dmp

Download
memory/4412-154-0x0000000000000000-mapping.dmp

Download
memory/4612-135-0x0000000000000000-mapping.dmp

Download