Analysis
-
max time kernel
163s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-12-2022 12:50
General
-
Target
936da9440a5c092acdead3b3992e96526cd47d811606f644b57d801cf45e1ca2.exe
-
Size
54KB
-
MD5
3118dc2ccf2c79e35e6077b530045f2a
-
SHA1
e6e5ab9c8794b297aa8ee926eb00cdbbe8e088a3
-
SHA256
936da9440a5c092acdead3b3992e96526cd47d811606f644b57d801cf45e1ca2
-
SHA512
982571cc8380bef756c51ad42fb547d62e4f1ec3072824b4c6a50b7446472f9a2c2af571d53f6ff20b64f663e2a209e74e454784f5f21ff408617cf029a338e2
-
SSDEEP
1536:drz9IyO+m2Z18WDMkdk/8M+oEAldgG7NmyzPSeX:xrm2ZKSdK8M+oz/TBX
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\936da9440a5c092acdead3b3992e96526cd47d811606f644b57d801cf45e1ca2.exe"C:\Users\Admin\AppData\Local\Temp\936da9440a5c092acdead3b3992e96526cd47d811606f644b57d801cf45e1ca2.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x5_20_ml.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4292 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl5D02.tmpC:\Users\Admin\AppData\Local\Temp\inl5D02.tmp2⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\936DA9~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5f8f8086f87156d14091b152fcaadc3ce
SHA1fe3cfbf9e2e871c948300473593dfcf189013386
SHA2568d92f28b70ed5265fafad8b37ce049b0b8ecad038745173acc35a21b8222bf56
SHA5121235be77513694a1478459e999631920be42183a6993dc1f93333831eaa54ea60c7d8617029289c95fed2f861fc7aa79da551c128df4428d23752044eb68ba7a
-
Filesize
434B
MD54d23a77be9e75df6860439165a17612c
SHA1a5f76e09f49d662dfe4f1348d46ce462129f4061
SHA256c5d7fa27966ddbbcca049e73b8234ff077ed5a7a6690c14fe0a85cf09bc60aba
SHA512c165c67738698078ad4aff2a069e2bbceb64f675d3d499e47be60f04900d4d0a47b1e9703df595096383fb6e744172d7de284cd33481180098693cd653801e84
-
Filesize
639B
MD56fd9d8e6f820fd6778fb7dad894ce95c
SHA12cf91a7b933f56e890c7d11082cf2c1a473e0109
SHA25641ea0ff989f30f6e4c9e6847499cb93ac15b6084b30f6d956f2c281283910bf9
SHA512a6b024021c199f318a78a8107ff443f5017d0b7beb61d86946eb5fb64758f65e85b2364d1e4e910c01fcf2acc5517d20eccac8154f696c3c5e6395d32e78f3bb
-
Filesize
57.2MB
MD51d6d4a48d1224f2faee4de4df623ff5e
SHA1470fb458b062922a1a0b9b89156f2e192292c018
SHA2560b683160760e5dc8d963f8e9ffd9f672ad390c9029028036ab398cec799bac23
SHA51261cb1119828b7c3aeded456cab857acadd218799a42ddcda9ff54034bf254221b5e71adf5904921da9e0a52315393ded962c36de3782097da2bda3d3a5c7f725
-
Filesize
57.2MB
MD51d6d4a48d1224f2faee4de4df623ff5e
SHA1470fb458b062922a1a0b9b89156f2e192292c018
SHA2560b683160760e5dc8d963f8e9ffd9f672ad390c9029028036ab398cec799bac23
SHA51261cb1119828b7c3aeded456cab857acadd218799a42ddcda9ff54034bf254221b5e71adf5904921da9e0a52315393ded962c36de3782097da2bda3d3a5c7f725
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
3KB
MD560b83f28f7a84b223dc19ffdfff482fc
SHA1f33a5aed6ba5fc5b07df49da757cc089ee0152ac
SHA2564f7d844924c5fb8be4b9f12f602597a54273c8abe9baa715fd0148b3404a3eb4
SHA51254cc35b7550f7082160344b7cb5b2772bbd9c89093c78bd5044a838ac9c91585d85d87c0f1229e4ff0d5d2f27377edac13c538b17197a8f266e678adb03ee4e8
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5d4917ae9072a10d8e12ef3b282b25b3b
SHA1bd9ec6c6395997525ec7c15ecca2f115573cc14c
SHA2566f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
SHA512c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
5.8MB
MD5e3a117f066e3e2bf471580b3ba5d2964
SHA1fc7d7451602d8039f1ae372dd331dad50f46b68f
SHA2562d0de4259e11514160ebf94ce1f71e065cbfc70ec4c982ffa13b4e86f9ad8c45
SHA5129bdcee8d5c521121a963b6454328598fb4aa69529fca0adc300bbc32f2614a9cd2c675b9e352d852ddb849826d1e7ac958c8a80950810c510f1e968d96e819fb
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB