privateloader | 0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71

General

Target

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
Size

2.5MB
MD5

bab923da922c592e4138b88a402add32
SHA1

5927bed5f9a41a82b6c5b91175ef5bb396a1f17c
SHA256

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71
SHA512

6c74a6ab914d4f5474450f223020e49658dca756a7769329ccd23d2560121d212474382541a022533b19d5acb5693d2a2576134aafa47ff1f4ab2aa5088c87b7
SSDEEP

49152:VSVJcb9RglAw8js3duEFxNWwKhvzJWNNERSxgNVnJ/hewok+hN6mDKU:VSaIA/stWwkvzJWn+ygNVndhewok+hN3

Score

10^/10

privateloader raccoon redline coreentity cryptone infostealer loader packer stealer upx

Malware Config

Signatures

CoreEntity .NET Packer 2 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\ProgramData\Msgbox.exe	coreentity
C:\ProgramData\Msgbox.exe	coreentity

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Msgbox.exe	family_redline
C:\ProgramData\Msgbox.exe	family_redline

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\ProgramData\Msgbox.exe	cryptone
C:\ProgramData\Msgbox.exe	cryptone

Executes dropped EXE 2 IoCs

Processes:

CF唯爱稳定透视十字准心稳定版09月22SP2.exeMsgbox.exe

pid process

748 CF唯爱稳定透视十字准心稳定版09月22SP2.exe
3672 Msgbox.exe

pid	process
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
3672	Msgbox.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4764-132-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/748-143-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-146-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-147-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-149-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-148-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-153-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-155-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-151-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-157-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-163-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-161-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-159-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-169-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-167-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-171-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-165-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-173-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-175-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-177-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-179-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-181-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-183-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-186-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-188-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/748-190-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4764-191-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/748-193-0x0000000010000000-0x000000001003D000-memory.dmp	upx
C:\ProgramData\Msgbox.exe	upx
C:\ProgramData\Msgbox.exe	upx
behavioral2/memory/4764-197-0x0000000000400000-0x00000000004B4000-memory.dmp	upx
behavioral2/memory/3672-198-0x0000000000400000-0x00000000004B4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CF唯爱稳定透视十字准心稳定版09月22SP2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CF唯爱稳定透视十字准心稳定版09月22SP2.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4764-191-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/4764-197-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe
behavioral2/memory/3672-198-0x0000000000400000-0x00000000004B4000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

Processes:

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe

description	ioc	process
File created	C:\Windows\game.ico	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
File opened for modification	C:\Windows\game.ico	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9652C208-719C-11ED-A0EE-5E349B7DFDEC}.dat = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9652C204-719C-11ED-A0EE-5E349B7DFDEC}.dat = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9652C202-719C-11ED-A0EE-5E349B7DFDEC} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9652C206-719C-11ED-A0EE-5E349B7DFDEC}.dat = "0"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.91duote.info/?w1"	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe

Modifies registry class 5 IoCs

Processes:

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exeCF唯爱稳定透视十字准心稳定版09月22SP2.exe

pid	process
4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CF唯爱稳定透视十字准心稳定版09月22SP2.exe

description	pid	process
Token: 33	748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
Token: SeIncBasePriorityPrivilege	748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

IEXPLORE.EXECF唯爱稳定透视十字准心稳定版09月22SP2.exe

pid	process
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
748	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exeIEXPLORE.EXE

description	pid	process	target process
PID 4764 wrote to memory of 2068	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	IEXPLORE.EXE
PID 4764 wrote to memory of 2068	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 3948	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 3948	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 3948	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 4764 wrote to memory of 748	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
PID 4764 wrote to memory of 748	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
PID 4764 wrote to memory of 748	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	CF唯爱稳定透视十字准心稳定版09月22SP2.exe
PID 4764 wrote to memory of 4516	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	IEXPLORE.EXE
PID 4764 wrote to memory of 4516	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 5012	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 5012	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 5012	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 4764 wrote to memory of 4500	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	IEXPLORE.EXE
PID 4764 wrote to memory of 4500	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 4528	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 4528	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 4528	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 4764 wrote to memory of 3672	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	Msgbox.exe
PID 4764 wrote to memory of 3672	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	Msgbox.exe
PID 4764 wrote to memory of 3672	4764	0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe	Msgbox.exe

C:\Users\Admin\AppData\Local\Temp\0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe
"C:\Users\Admin\AppData\Local\Temp\0de4a527e06679ead38bf3250f847729901cab72c9693d7f00e607d04dd6ef71.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.ailili.info/c/c.html?http://go.microsoft.com/fwlink/p/?LinkId=255141
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:3948

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:148482 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:5012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:214018 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:4528

C:\CF唯爱稳定透视十字准心稳定版09月22SP2.exe
C:\CF唯爱稳定透视十字准心稳定版09月22SP2.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:748

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.6655.la/url.htm?new_0_http://go.microsoft.com/fwlink/p/?LinkId=255141_http://www.91duote.info/?w1
2⤵
- Modifies Internet Explorer settings
PID:4516

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.t6t8.com/fuzhu.html?g
2⤵
- Modifies Internet Explorer settings
PID:4500

C:\ProgramData\Msgbox.exe
C:\ProgramData\Msgbox.exe /97sky
2⤵
- Executes dropped EXE
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CF唯爱稳定透视十字准心稳定版09月22SP2.exe
Filesize
2.3MB

MD5
83f94619c080a23698b38b200ef84c77

SHA1
171a44608b2e8d6b5ca0ed9c94bb73d1fd3932e9

SHA256
e214a8d61d25bcf3973b4e762baa3b7bba8ade5783a88f34845465ad06c5aa4e

SHA512
5e6e1241860d0f763d49ef24b9790cde7c5d2f69df0b32adb3364bc9d1b587266dcd58abeac3e86dc9efe8b62e79928c52982c098c5d600e841e1c876c5934ce

Download Submit
C:\CF唯爱稳定透视十字准心稳定版09月22SP2.exe
Filesize
2.3MB

MD5
83f94619c080a23698b38b200ef84c77

SHA1
171a44608b2e8d6b5ca0ed9c94bb73d1fd3932e9

SHA256
e214a8d61d25bcf3973b4e762baa3b7bba8ade5783a88f34845465ad06c5aa4e

SHA512
5e6e1241860d0f763d49ef24b9790cde7c5d2f69df0b32adb3364bc9d1b587266dcd58abeac3e86dc9efe8b62e79928c52982c098c5d600e841e1c876c5934ce

Download Submit
C:\ProgramData\Msgbox.exe
Filesize
382.8MB

MD5
67f3f35d5442cba86e0d983db2172bc2

SHA1
56e2e3c8a48a37126b84a8e152115e04dd848ffa

SHA256
1914cedec0571003634e76fe1098dfcd9bf95f7f5b7b3cf7dbecfd83374c2fc9

SHA512
709d3604a808fdbde159960d11f6ec5ffeae834ebaced30a7b45fd89d4e462f332db9263d11c2a81ae6a56997247194f9be7a2ee0f0d8bce48d455d179e7bd85

Download Submit
C:\ProgramData\Msgbox.exe
Filesize
382.8MB

MD5
67f3f35d5442cba86e0d983db2172bc2

SHA1
56e2e3c8a48a37126b84a8e152115e04dd848ffa

SHA256
1914cedec0571003634e76fe1098dfcd9bf95f7f5b7b3cf7dbecfd83374c2fc9

SHA512
709d3604a808fdbde159960d11f6ec5ffeae834ebaced30a7b45fd89d4e462f332db9263d11c2a81ae6a56997247194f9be7a2ee0f0d8bce48d455d179e7bd85

Download Submit
memory/748-159-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-144-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-138-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-167-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-140-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-165-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-143-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-171-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-146-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-147-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-149-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-148-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-153-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-155-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-151-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-157-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-163-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-161-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-199-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-169-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-139-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-137-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-142-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-173-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-175-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-177-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-179-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-181-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-183-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-186-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-188-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-190-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-133-0x0000000000000000-mapping.dmp

Download
memory/748-192-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/748-193-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/748-136-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/3672-194-0x0000000000000000-mapping.dmp

Download
memory/3672-198-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4764-191-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4764-197-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4764-132-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads