Analysis
-
max time kernel
29s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
26/12/2023, 12:23
General
-
Target
6e38b9a23e3b3ff3ed2f55acf5d545da.exe
-
Size
57KB
-
MD5
6e38b9a23e3b3ff3ed2f55acf5d545da
-
SHA1
0ecc933f0ded9f1b97ee12eaf5311355bf9779a1
-
SHA256
39c7dfc4f27d430d3c2593f4fc9565b665b53e09d66404ce97b86c7729f1986e
-
SHA512
351f7c4aba4e4d169fb565d505fbba1503075c7a278a6f626e59303f44792e5f0110599fab4cd5298c3b549608e25f085c97237a9499baa6b49c4db079b21af3
-
SSDEEP
768:hBRMLJshpXC1tlRiYTqyFN9Mwxgb+qi90sG3gGaru+6o6cAT5LZwmChDkGBh9OHj:hBFwt8Om/sPruWOLZwmChgGzg+fPVG6s
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e38b9a23e3b3ff3ed2f55acf5d545da.exe"C:\Users\Admin\AppData\Local\Temp\6e38b9a23e3b3ff3ed2f55acf5d545da.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6E38B9~1.EXE > nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\inl8661.tmpC:\Users\Admin\AppData\Local\Temp\inl8661.tmp2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8661.tmp > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "2⤵
-
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821331⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:22⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat1⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f2⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp2⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad2⤵
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf2⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}2⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f2⤵
-
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o1⤵
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r1⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
660B
MD5c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA110b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9
-
Filesize
12KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
60KB
-
Filesize
156KB
-
Filesize
64KB