Analysis
-
max time kernel
108s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24-12-2023 17:04
General
-
Target
073f3d78667879ea622f97a0f446769d.exe
-
Size
54KB
-
MD5
073f3d78667879ea622f97a0f446769d
-
SHA1
36828e6fb32b2ac0ece118febdc9a5a2edd6fb45
-
SHA256
b1f62290c96f07164d2e7a230a430cfee9acccc1adce1f46575b23292f186b2f
-
SHA512
37b192fb2dbc74f92d62c634aca6fd5e739de195991e06e25ff64407f79f53c9ed953333727a1ecff8d82d9177bf169ecaab45024859fa92812b877b4580d79d
-
SSDEEP
1536:rIwlY1oWU4VC8CZMjCsiea/IeaPZBVbehu:rG1oNIRj+wfsu
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\073f3d78667879ea622f97a0f446769d.exe"C:\Users\Admin\AppData\Local\Temp\073f3d78667879ea622f97a0f446769d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_g_l_229.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:17410 /prefetch:25⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf5⤵
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl27B4.tmpC:\Users\Admin\AppData\Local\Temp\inl27B4.tmp2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl27B4.tmp > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\073F3D~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
790B
MD5b18422bf438bbb7798280375a7bc0976
SHA1c1b77b35e3a38ff2ad119f25e548beb5ff68c2e2
SHA256ee8709e751067193dccdfe218108bdae6a30919d7b6c860bc848c7cc4b242fa4
SHA51223cb9c74905f514a2bf4ef91afc53ceb08230b3ce68e3eab17bb36c674260d143a7e7105958ff4ed5c2a416bddffb3c7e28dcf8060cbf323c7e4cab71f613176
-
Filesize
342KB
MD5a748f72c8b6377a5d0cbec304ba396cf
SHA1473099f49045ffdeaa77ae11d71667413c4442af
SHA256fe97bd67dc91de08c3df7a94b92771b2b24cb4e0c00208ecfcaa97a06ce50804
SHA51227de0367c712a2eab5ecbec0680970251b0355b77dc70ed358d5eb790c019825c5c57a5866aea954bd27809323d156784b3a71d34b97fc5b230b0f08b3b7d4a7
-
Filesize
342KB
MD5000813c28e09b37d100f244b764821a7
SHA125b67bb11677236ff68f26495b427dd5aff0656e
SHA256a766169d08bb3bbb351daa02ef3e2d9bb9f4fd68db613a85f11297a1670ced40
SHA512f5d30e20405d8cea35474317263d39f17dfaaaddd9327c6f55717b3d7773cbea7fca2d8c471af2d42c41e348d0997f4e90af3b348e8e9be64fd1dd6332466aab
-
Filesize
54B
MD5504490369970f1c0eb580afbcdf91618
SHA1b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971
SHA256a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43
SHA5125495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad
-
Filesize
3KB
MD5b13d4a59d37d8c293276a4c428ad5659
SHA1710bfa65cfd533b78c564e15e0bbe954e9265ecf
SHA2563aea9dee221648916706758561e23796b2325e4019b28a3070fe2fd8d1d4ed28
SHA5128cb3aec7463cf7d14f333bb9257f03c7f7491f4da4fea3311e505f99b9f6797f0aa3f689355a6625d9f104b8511f7e75218b4c2fdd7f9ac96927d7aa4a6ed0ba
-
Filesize
348B
MD55a2ee8346e676499a5658277e98b2317
SHA134a8d363b3dac690a251e181b3522b3d9e7ffe6e
SHA2564e367269b4b19b937a7f7a420613d2a69e96aef456dfd4b4f6853c1e92885cca
SHA51286f575fc7816ed33ef996e6385bae144c4d750be44f59dd1856b7f601b5291960f522153206a38de75f942537b280c2b49a1c038ba82faa36b9e903354ea9242
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5185a49cc37f1724dc196f67c42a76340
SHA127fde7b9ba462fc36ba5705832ae44b454d718cf
SHA2563fe8fbf78cb9855c0cc663dda80354318fb2c7ef1dc4d378c98bb1383015140d
SHA51297ee31a378404bae99616a057ddbed8450f56bfd5d0508b4cc3b864e73aa5d8d1f15b21c82ed3570494603ac90bb7cee1b8cbdae9d935bb1ddb71264004e4c22
-
Filesize
248B
MD52197ffb407fb3b2250045c084f73b70a
SHA13d0efbacba73ac5e8d77f0d25d63fc424511bcf6
SHA256a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591
SHA512b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe
-
Filesize
178KB
MD55da4168e9a4c93fff629dc1040485663
SHA19d9ded9f3d8850d3f29a5ba41c948ab00271a77c
SHA256db71ce8ea6e2f35a71b5aa4ad264d9e757b2ec7fd455153df4dcc4969cf354c0
SHA51252fc8c0db2db4b91fd9b48b58702927714ac7dd49d6ec1fbd4efa716ca25d73e0554b10b188f34eb6620cda8bc19972b3e1b1041dac6f1fe665b75634d55a661
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
148KB