ae0e2c384d44212273a9beb87db8892eaefea61e89bab6671d67161e2bd495b2

General

Target

088ba4935a7c50f16e59f234baa6739d.exe
Size

57KB
MD5

088ba4935a7c50f16e59f234baa6739d
SHA1

ebdbc0ba82c0d8e0e34fa898aab949605ccd72a0
SHA256

ae0e2c384d44212273a9beb87db8892eaefea61e89bab6671d67161e2bd495b2
SHA512

2a2a6c82da6261b5d0981b49827755ec70c96095eaeef2d8ac2357086d1fca2dffc6f5941a6726603ff2c49bb2aeabea6b9c4cb413f17dfee1267d8d74bc5a79
SSDEEP

1536:6qF+qJB0ODqnmmmcLLWBPkUZ9vAbOu/Ys5MpmMe4s:RF5J2OGnmmJLtogOu+mMLs

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1628	attrib.exe
2976	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1628	attrib.exe
2976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\088ba4935a7c50f16e59f234baa6739d.exe
"C:\Users\Admin\AppData\Local\Temp\088ba4935a7c50f16e59f234baa6739d.exe"
1⤵
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kage2011_check.bat" "
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\088BA4~1.EXE > nul
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\inl8B51.tmp
  C:\Users\Admin\AppData\Local\Temp\inl8B51.tmp
  2⤵
  PID:612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8B51.tmp > nul
    3⤵
    PID:2628

C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
1⤵
PID:2484
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
  2⤵
  PID:968

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
1⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
1⤵
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1628

C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\inj.dat,MainLoad
1⤵
PID:1988

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:1104
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:2300

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
1⤵
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
1⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
1⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
1⤵
PID:2320

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
492b30a1d12652f681a78f056ef33fd5

SHA1
351d2a1e3f1fb5d74b4de1a619cbd65e3a0777f3

SHA256
a9556c97b2c85a5decd9dd9cf7493f2c820bf9787fe57651afb16d73de085287

SHA512
f24d957dd2e10564f24a87c79ff7d80336ccc14fa1ddb0ae434425b1c8cc4b4dd88ac69ef013155a61cae965dc98a9f640bc471b9708e5cd76c2885320e06faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
42a52be4120462075f2c053a54573f05

SHA1
2418b45fa738936c56d0bae0b83066e66f0f3417

SHA256
05f3499eef1ed187f5391ceb084d4683318632f7944010a09c0a973f672ea2d2

SHA512
cc6f66434abb098ce0ffbe0c48cbd700f586fb7e954c19f103e5713ed95574162e5902d4ce8a2dd33077d9eef4f8769a1e1233798667257d009e31d628f871e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA866.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2356-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2356-0-0x0000000001380000-0x00000000013A6000-memory.dmp

Filesize
152KB

Download
memory/2356-5-0x0000000001380000-0x00000000013A6000-memory.dmp

Filesize
152KB

Download
memory/2356-100-0x0000000001380000-0x00000000013A6000-memory.dmp

Filesize
152KB

Download
memory/2356-26-0x0000000000AF0000-0x0000000000AFF000-memory.dmp

Filesize
60KB

Download
memory/2484-71-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads