175e69b820fac09e44f8d067115d899dcbc26b1f4c46d7cc71b8841386c255c7

Analysis

max time kernel
87s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1024a9c15f5162e4ee96531b1e13bdd9.exe
Size

54KB
MD5

1024a9c15f5162e4ee96531b1e13bdd9
SHA1

51ce6484939e91b5c0c40f708fff52189d207708
SHA256

175e69b820fac09e44f8d067115d899dcbc26b1f4c46d7cc71b8841386c255c7
SHA512

2fb2fd7e151db3439468b8f52894759b84b64e6ba3760e4e7a0461ac541e55d86338ff883a7c320338ed5783175b2147f24fba323066f70f3d22d6f4cb669aa1
SSDEEP

768:YU5Qmsqn3fpJ8/f+EDufZJUNL9YTy1t2east7YRpcd2/nqOego9zHd19VmzezClF:1lnIufZAP1t2easWRpFUgizZVxClhH

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1908	attrib.exe
3044	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	1024a9c15f5162e4ee96531b1e13bdd9.exe

Executes dropped EXE 1 IoCs

pid	Process
2428	inlA17D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{079F221F-A4C6-11EE-BD28-76CF25FE979C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	iexplore.exe
2016	iexplore.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1168	1796	1024a9c15f5162e4ee96531b1e13bdd9.exe	105
PID 1796 wrote to memory of 1168	1796	1024a9c15f5162e4ee96531b1e13bdd9.exe	105
PID 1796 wrote to memory of 1168	1796	1024a9c15f5162e4ee96531b1e13bdd9.exe	105
PID 1168 wrote to memory of 4384	1168	cmd.exe	107
PID 1168 wrote to memory of 4384	1168	cmd.exe	107
PID 1168 wrote to memory of 4384	1168	cmd.exe	107
PID 4384 wrote to memory of 2016	4384	cmd.exe	109
PID 4384 wrote to memory of 2016	4384	cmd.exe	109
PID 4384 wrote to memory of 4332	4384	cmd.exe	110
PID 4384 wrote to memory of 4332	4384	cmd.exe	110
PID 4384 wrote to memory of 4332	4384	cmd.exe	110
PID 4384 wrote to memory of 5080	4384	cmd.exe	111
PID 4384 wrote to memory of 5080	4384	cmd.exe	111
PID 4384 wrote to memory of 5080	4384	cmd.exe	111
PID 2016 wrote to memory of 2888	2016	iexplore.exe	113
PID 2016 wrote to memory of 2888	2016	iexplore.exe	113
PID 2016 wrote to memory of 2888	2016	iexplore.exe	113
PID 1796 wrote to memory of 2428	1796	1024a9c15f5162e4ee96531b1e13bdd9.exe	128
PID 1796 wrote to memory of 2428	1796	1024a9c15f5162e4ee96531b1e13bdd9.exe	128
PID 1796 wrote to memory of 2428	1796	1024a9c15f5162e4ee96531b1e13bdd9.exe	128

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1908	attrib.exe
3044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1024a9c15f5162e4ee96531b1e13bdd9.exe
"C:\Users\Admin\AppData\Local\Temp\1024a9c15f5162e4ee96531b1e13bdd9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_g_l_229.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:17410 /prefetch:2
        5⤵
        
        PID:2888
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1908
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        
        PID:3156
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:1764
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1024A9~1.EXE > nul
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\inlA17D.tmp
  C:\Users\Admin\AppData\Local\Temp\inlA17D.tmp
  2⤵
  - Executes dropped EXE
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlA17D.tmp > nul
    3⤵
    PID:3588

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:2292
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_g_l_229.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
168976102055ae6902b5d251d4b39401

SHA1
37c28d5b4d19bf3ef0be7be04ac4b54c71866773

SHA256
aabf9954046b451c6287c18b37448dbce289b0a76bb0bcbe72b7e97b6ebfc9fc

SHA512
95474e88ce99544ab19d25c3f96b348b99733858b8382baeedce62748444b529e55c0c4df84c20ff05eb7b3172baaa22ade7604c7288b536e1895cd95dbc42a6

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
212B

MD5
c29a919c64a4a5a9adbe8c63503cde35

SHA1
35915bcdf2ba01df5052203624950465534a7bf5

SHA256
fc261f82f96d7e2897f4b6e36960758b9c45985b88a4ca9934e7fb56c0cb3519

SHA512
93308daeb61d1b91cab1e01f6fca69511463688fff6581d9f420e9fadb7b61e6e03381366c04232434cdfc31a086e5f7f068d77e6a35dfe1a104edd5cc138428

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
428b15afd0f31b5f77d86f84a2e0bf36

SHA1
e76c640936f9ea1a4cf0f26e5417d4cbbde08ea2

SHA256
390a9eb07646fea162115045ea2b76a3a248d8823e7dc4a54851c39463ddfdb5

SHA512
3272917c8a65641eb39c280ba2f23c359145d8951ec78d803143fdbfa87cf6233a4d3a03607bcae7703f718dc592297aefc69726086a206e5d0bffd5655d8ca4

Download Submit
memory/1796-0-0x00000000003F0000-0x0000000000415000-memory.dmp

Filesize
148KB

Download
memory/1796-1-0x0000000000F40000-0x0000000000F43000-memory.dmp

Filesize
12KB

Download
memory/1796-5-0x00000000003F0000-0x0000000000415000-memory.dmp

Filesize
148KB

Download
memory/1796-7-0x0000000000F40000-0x0000000000F43000-memory.dmp

Filesize
12KB

Download
memory/1796-110-0x00000000003F0000-0x0000000000415000-memory.dmp

Filesize
148KB

Download
memory/2016-100-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-141-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-69-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-75-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-76-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-74-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-79-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-86-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-87-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-88-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-90-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-102-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-68-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-104-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-64-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-114-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-122-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-138-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-139-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-66-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-136-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-135-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-132-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-117-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-112-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-111-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-109-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-105-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-103-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-97-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-94-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-93-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-84-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-83-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-82-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-78-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-63-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-72-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-71-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download
memory/2016-70-0x00007FFBC38F0000-0x00007FFBC395E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads