7ca539a6e1a9cc8f22aa063c192f5af3d58e27ee9cdd685ac12ea9f724b06ead

Analysis

max time kernel
85s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01458dc4c90d0edbecc461dd54b7c059.exe
Size

160KB
MD5

01458dc4c90d0edbecc461dd54b7c059
SHA1

ff9e9aca0ba2b1e8cb2e22cbfdcea86d7a8799b2
SHA256

7ca539a6e1a9cc8f22aa063c192f5af3d58e27ee9cdd685ac12ea9f724b06ead
SHA512

d1d15eb9f396739bcdf99f248cd8977f2068f988a68c2fb2332d1ddb3eddbc011d1e5bc75326817ebcf40e155a543a439e9b8aeb10d65ba0eba9f48c435ec3c7
SSDEEP

1536:9/elR8Hruyv+mMiIAcI9vmQHv51skHMDnHbZAYsMKWqD7WCDYVRaJNGXp+g:F2WLuyv+mMi5cCeeM7FAJM3IymYVZB

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4688	attrib.exe
5040	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4688	attrib.exe
5040	attrib.exe

C:\Users\Admin\AppData\Local\Temp\01458dc4c90d0edbecc461dd54b7c059.exe
"C:\Users\Admin\AppData\Local\Temp\01458dc4c90d0edbecc461dd54b7c059.exe"
1⤵
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat" "
  2⤵
  PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    PID:1228
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      PID:4432
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4432 CREDAT:17410 /prefetch:2
        5⤵
        
        PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
      4⤵
      PID:4072
- C:\Users\Admin\AppData\Local\Temp\inl948C.tmp
  C:\Users\Admin\AppData\Local\Temp\inl948C.tmp
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl948C.tmp > nul
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\01458D~1.EXE > nul
  2⤵
  PID:2012

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
1⤵
PID:2392

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4688

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5040

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:1900
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:2340

C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\inj.dat,MainLoad
1⤵
PID:5064

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
1⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
1⤵
PID:244

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
1⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
1⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360mohesetup.exe

Filesize
794B

MD5
1bc415b31cdff50d79ea2a3d7b4ff2c1

SHA1
f5ebab61deebc3d7a4a6676a23b982f1418ae6a6

SHA256
582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412

SHA512
ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl948C.tmp

Filesize
34KB

MD5
8b0ca7e58d1d183759286b8d47490c13

SHA1
1855f292c48a2390d2860ac2c57499f21c61ad62

SHA256
aadd484bf072828284a758205a43292456cf2fe0e933d5af865fa8911f941e9d

SHA512
35bc00a315d60d0f9730c43ad231f3fc7b6e7d85a1196e86b14351ce325440c0a8f0e5305863b2b26fb65450f8e216c238b500b9d6cd4de175c6e8aac48b47ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl948C.tmp

Filesize
79KB

MD5
e777f175df3a300813576e713dd1fc63

SHA1
a732ab71888701fc669ecfe2cf5a3faf047d09ed

SHA256
40685cfd990c7e5f0d161056fb91c44d48efc44f56890b74f6b70822748b5d6e

SHA512
69c7c997262c0d121807f6dd3c49478db46dea76c552667e02b26bfe2907106eb452a9b6f495b9b7b1ce06b4e577ad8703a2ffd7507f20ab18ecbab629e39ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
168976102055ae6902b5d251d4b39401

SHA1
37c28d5b4d19bf3ef0be7be04ac4b54c71866773

SHA256
aabf9954046b451c6287c18b37448dbce289b0a76bb0bcbe72b7e97b6ebfc9fc

SHA512
95474e88ce99544ab19d25c3f96b348b99733858b8382baeedce62748444b529e55c0c4df84c20ff05eb7b3172baaa22ade7604c7288b536e1895cd95dbc42a6

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
428b15afd0f31b5f77d86f84a2e0bf36

SHA1
e76c640936f9ea1a4cf0f26e5417d4cbbde08ea2

SHA256
390a9eb07646fea162115045ea2b76a3a248d8823e7dc4a54851c39463ddfdb5

SHA512
3272917c8a65641eb39c280ba2f23c359145d8951ec78d803143fdbfa87cf6233a4d3a03607bcae7703f718dc592297aefc69726086a206e5d0bffd5655d8ca4

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
66KB

MD5
04b00376e3718f010177ea6c91e11cf0

SHA1
7418d72e1be38d55a26b39c7712bdd521b0dce9e

SHA256
5e55c5f78e310d82fbec759ff4fc3184acb2df3ead41938db3cb3af9c25fbde1

SHA512
1e6ad58ffadf3b1fc5dca6f791d74d5977a68305c9e3ecfe13460b030ebe5c565534bfbefe2323895699b0b7489ee8ac28dd2cbd4e5f52fe7dedcbacd1090df6

Download Submit
memory/1428-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1428-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4432-128-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-111-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-79-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-89-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-88-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-87-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-92-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-93-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-97-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-98-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-99-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-100-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-101-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-122-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-75-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-127-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-133-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-126-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-136-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-134-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-125-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-77-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-72-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-69-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-91-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-83-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-82-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-81-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-76-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-74-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-71-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-68-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-65-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-63-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-62-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-61-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-64-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-58-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-57-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-56-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-54-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-48-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download
memory/4432-60-0x00007FFBE00A0000-0x00007FFBE010E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads