Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23/11/2022, 20:14
General
-
Target
bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03.exe
-
Size
54KB
-
MD5
0624ea1569b397f4be8738dc38d06190
-
SHA1
20642f4eb4d95e174195086c8eab7d77f534955e
-
SHA256
bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03
-
SHA512
6679bebebf3d56da5896a6ce532cee8e96b5a2993828cc86c136f8f2acfe9d48dc5f4bab4d237770b39ff42fcff6acd26edf8879787aab309ff12ef53057c04b
-
SSDEEP
768:sVKm4GV4ujtuYgFC5IjezJckOyLb172+oEFZ0TORX3iSHWIwjkdLv/kcH5hUDrpe:sQKV1MyVckOG12TGX1HxwjkVnDhI+H1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 50 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03.exe"C:\Users\Admin\AppData\Local\Temp\bd614704d03ecf52c81eb6d21f1d09872fe2da890ff3a62f67dbe991fa835e03.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat3⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821335⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4244 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlE33E.tmpC:\Users\Admin\AppData\Local\Temp\inlE33E.tmp2⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BD6147~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.8MB
MD5181acfc0cf7f3aea609d1e86619ddda8
SHA115bcdf20c614f39550f550248ebb5954f37b7ec6
SHA256a1d6856fa8730e935788686694a6c5d3a8fc2130a94bde75fe3aadf584ee58cc
SHA512d058d80e38d5703f8a36844ca032c4fb9ba37ba90ee20659555a9b6b3ced26e5653b0223d5c888962ec642d5ff8eaf41e84fab69ee554556dd1ec273580dc787
-
Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
Filesize
434B
MD5a596306e119dc0f1e8d2527ad11ee94d
SHA1fff0880823b9bd6ed6163ef9b4eb5e94b02dea90
SHA2565ac6207033ae9543453d9de920a06a36a9a665320644fb3dfa29d5671e958f6e
SHA51269c0a7e5354713e4316ff7540cd2e0bfde121fd9ab20de8e549022c10a0aa05d5d0e3aec4a7880f9022d1fc7c6d26604b4d26fda38e96ad083c43c039b67054d
-
Filesize
1KB
MD56d317779c46d365168c1c67bd1638418
SHA171f0d1901d5c29cf1d4c6d833abe49f4e4efd212
SHA256c1e5c6d7648c401784d987cd5af70c638684f02f99562621bf95914656ef9b69
SHA512b67d84451ea9ae12fae33fad9a91630bc337de244a23de4fc6b2d80db70c851d2abf993f03f6a4a1228f3131f357583d7059e228ebfb3d6290ec114de388e699
-
Filesize
791B
MD51706b41fd446b5718a8419c0fcb35d55
SHA1d9bb8df22acdc60c754ac14982cf795df3b1b815
SHA2565c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943
SHA51268c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e
-
Filesize
57.2MB
MD59b002afffae7ad24d4d32aa661689271
SHA1df2f16c4022aa50a017de7925761ed28311f0b42
SHA256167ea2ce28250c9cc5d1270b87f8151fa509d148469de6faf578a34e0778a5c6
SHA51242a91d33d0ff653a4d10c984197e62dd7707e389bfe968ba4a0edde340bd76b2f682b7f11187e8edcb096449491ed99455460c34b8ddb5d4cb4e49e6a0f68944
-
Filesize
57.2MB
MD59b002afffae7ad24d4d32aa661689271
SHA1df2f16c4022aa50a017de7925761ed28311f0b42
SHA256167ea2ce28250c9cc5d1270b87f8151fa509d148469de6faf578a34e0778a5c6
SHA51242a91d33d0ff653a4d10c984197e62dd7707e389bfe968ba4a0edde340bd76b2f682b7f11187e8edcb096449491ed99455460c34b8ddb5d4cb4e49e6a0f68944
-
Filesize
54B
MD5504490369970f1c0eb580afbcdf91618
SHA1b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971
SHA256a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43
SHA5125495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad
-
Filesize
3KB
MD5493c22f6b15f9766ae7c23794fc77da0
SHA143723ba660dbc1486f717441b58298d33b9f2048
SHA256478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182
SHA512662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD59432a2ddfba23a3e865bccdd0ef9a99d
SHA122b55a76e3460122dd0325d5d674b8823bb163e9
SHA256b70153c2e23a208a2526e289ef2741c3a35f1bd38d43a1f69b356eb12e84ec15
SHA512ec2a107efaace4d2f26edcf3e3b5619d3c7b51040c3575d61d07892b04af5dd9a55ff535b95b096edcb8abc5d9b232b5be763db5bc2e6f9456b0d3a347074e44
-
Filesize
248B
MD52197ffb407fb3b2250045c084f73b70a
SHA13d0efbacba73ac5e8d77f0d25d63fc424511bcf6
SHA256a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591
SHA512b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe
-
Filesize
5.8MB
MD5181acfc0cf7f3aea609d1e86619ddda8
SHA115bcdf20c614f39550f550248ebb5954f37b7ec6
SHA256a1d6856fa8730e935788686694a6c5d3a8fc2130a94bde75fe3aadf584ee58cc
SHA512d058d80e38d5703f8a36844ca032c4fb9ba37ba90ee20659555a9b6b3ced26e5653b0223d5c888962ec642d5ff8eaf41e84fab69ee554556dd1ec273580dc787
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
148KB