ae0e2c384d44212273a9beb87db8892eaefea61e89bab6671d67161e2bd495b2

Analysis

max time kernel
31s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

088ba4935a7c50f16e59f234baa6739d.exe
Size

57KB
MD5

088ba4935a7c50f16e59f234baa6739d
SHA1

ebdbc0ba82c0d8e0e34fa898aab949605ccd72a0
SHA256

ae0e2c384d44212273a9beb87db8892eaefea61e89bab6671d67161e2bd495b2
SHA512

2a2a6c82da6261b5d0981b49827755ec70c96095eaeef2d8ac2357086d1fca2dffc6f5941a6726603ff2c49bb2aeabea6b9c4cb413f17dfee1267d8d74bc5a79
SSDEEP

1536:6qF+qJB0ODqnmmmcLLWBPkUZ9vAbOu/Ys5MpmMe4s:RF5J2OGnmmJLtogOu+mMLs

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2828	attrib.exe
1168	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2828	attrib.exe
1168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\088ba4935a7c50f16e59f234baa6739d.exe
"C:\Users\Admin\AppData\Local\Temp\088ba4935a7c50f16e59f234baa6739d.exe"
1⤵
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kage2011_check.bat" "
  2⤵
  PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    PID:4820
- C:\Users\Admin\AppData\Local\Temp\inlBAF5.tmp
  C:\Users\Admin\AppData\Local\Temp\inlBAF5.tmp
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBAF5.tmp > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\088BA4~1.EXE > nul
  2⤵
  PID:788

C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
1⤵
PID:1032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:17410 /prefetch:2
  2⤵
  PID:1236

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
1⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
1⤵
PID:4468

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1168

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2828

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:1980
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:3992

C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\inj.dat,MainLoad
1⤵
PID:4180

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
1⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
1⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
1⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
1⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
1⤵
PID:4680

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inlBAF5.tmp

Filesize
11.5MB

MD5
435e7e2b43e923eb22051d3202d470bf

SHA1
328e03651a574acec5b230dfef8184cbffdda1b0

SHA256
b00a7f449975a05c7c5b827a99b3ff16e40fd7aa109de20f3c9276e417e270da

SHA512
0af4dce6c7c70fb9fab9c30dafe0b44d723867386c36676fbfd8ace70cee10db47f1baf51c929d27feef853821c079dc4941a6de06884f0d9bd07ecd316c94b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlBAF5.tmp

Filesize
10.6MB

MD5
c623cc676f17e5832d43a6d2e0dc3d32

SHA1
1b3065900c0d0256170a9eeb352f80f0efdd5f54

SHA256
fe5bd3ae7424452770d1cdf7fd9a41dc7256aa34e45111076b894b936e5aa36f

SHA512
3d4b6319a354f678df040fc8b2e5f4c6171d884ddc50fbaadc97126888f4fcc60f2f166df8501af3e09fd543e60169cc266eee5b14f42fb6fbe88979e600c44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
557B

MD5
60c54480fe85d58d72662fa3b1255f8f

SHA1
7e975bcf566b39ecffbf784231187ee8a753af88

SHA256
c87185e8b06aceab6578bdadd26d32251353c882f126643567bc7619e8b02c76

SHA512
299d36847b969c184151c83b59b88ac2322c2ee9d89643ae53994c2ae32299f45c8ace083e0c0cfbc4eb3136d16d57f126d4340b833140325deb4c980b93cf9a

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
d4917ae9072a10d8e12ef3b282b25b3b

SHA1
bd9ec6c6395997525ec7c15ecca2f115573cc14c

SHA256
6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

SHA512
c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
5.8MB

MD5
be61b589ad7abaf8ed9aada58f0d93fb

SHA1
cf2210efb4851e93e520d1bcb6522236832904da

SHA256
aad754adbfd01e6c41a60e9a15ae626ccce6fcd6ac4630263afe4e30d665a4f7

SHA512
e8cad1227d61ac2ed1254731eb2d6c6e768d91c6e9fb34065867dc3d2b6775a2ce29b659a820c9986f74fb6dd3368633c9ee7b533346aaf6084fe39cc4a16840

Download Submit
memory/1032-144-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-85-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-104-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-106-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-107-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-111-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-113-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-97-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-59-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-68-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-70-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-71-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-72-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-74-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-133-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-93-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-120-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-147-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-148-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-152-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-145-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-90-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-143-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-142-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-141-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-119-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-88-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-81-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-112-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-105-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-79-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-98-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-96-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-95-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-91-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-87-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-86-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-102-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-83-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-82-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-75-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-77-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/1032-76-0x00007FFCF20B0000-0x00007FFCF211E000-memory.dmp

Filesize
440KB

Download
memory/2420-123-0x0000000000F70000-0x0000000000F96000-memory.dmp

Filesize
152KB

Download
memory/2420-19-0x0000000000F70000-0x0000000000F96000-memory.dmp

Filesize
152KB

Download
memory/2420-9-0x0000000000ED0000-0x0000000000ED3000-memory.dmp

Filesize
12KB

Download
memory/2420-5-0x0000000000F70000-0x0000000000F96000-memory.dmp

Filesize
152KB

Download
memory/2420-0-0x0000000000F70000-0x0000000000F96000-memory.dmp

Filesize
152KB

Download
memory/2420-1-0x0000000000ED0000-0x0000000000ED3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads