39c7dfc4f27d430d3c2593f4fc9565b665b53e09d66404ce97b86c7729f1986e

Analysis

max time kernel
157s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Size

57KB
MD5

6e38b9a23e3b3ff3ed2f55acf5d545da
SHA1

0ecc933f0ded9f1b97ee12eaf5311355bf9779a1
SHA256

39c7dfc4f27d430d3c2593f4fc9565b665b53e09d66404ce97b86c7729f1986e
SHA512

351f7c4aba4e4d169fb565d505fbba1503075c7a278a6f626e59303f44792e5f0110599fab4cd5298c3b549608e25f085c97237a9499baa6b49c4db079b21af3
SSDEEP

768:hBRMLJshpXC1tlRiYTqyFN9Mwxgb+qi90sG3gGaru+6o6cAT5LZwmChDkGBh9OHj:hBFwt8Om/sPruWOLZwmChgGzg+fPVG6s

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4456	attrib.exe
3748	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	inl2F4A.tmp

Executes dropped EXE 1 IoCs

pid	Process
4864	inl2F4A.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078671"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1556688887"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ea786b0f39da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1804031958"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1556688887"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078671"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f2859d464fb564ea9e97dd009a434cc00000000020000000000106600000001000020000000fdaba8e1675fae46ecec7833416eb78c7c7c45fefb4f24d8fa91b73149a4d78b000000000e80000000020000200000004af770114c92b294e65bbf426b52898a0a374d01e159ed0bb93746d826fc36de200000000794e33b7ac92f960e35394cf94aafa4ca1e6d6144693ce41e024740947fd0da4000000010afdb5d5436577609d39a08f136d1585c62dac57f49f2cfac643598773a102fcec74ae7dc412dd252db8af664d5faa6130aa17354d6628f9c68b627476006d4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f2859d464fb564ea9e97dd009a434cc0000000002000000000010660000000100002000000030e8efb2af5f4b92c26a9f579f23d0bfd75f7489939848d489b682e575040b92000000000e80000000020000200000003bd5ef7428f3ce63d8e9cd708c25e0585df2c15758b61113702d32d0e4694c0720000000fc4c4e3a562ab4ffc1813454e4fce049c2ebaf77fe334c94bcc39cc5649db9ba40000000677d9811a19a1933ea5364e5b6e3868a29b338b730d2a67d1665b6adc6c8a747b5f3e2937800afd8113603048f9a28300ef81a9d845b1f595a63f8f5b161705c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078671"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f77e5f0f39da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409875950"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87890D7E-A502-11EE-BCD9-FEBFAF1864CB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1804031958"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078671"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Token: SeIncBasePriorityPrivilege	4864	inl2F4A.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3280	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3280	iexplore.exe
3280	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3360	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	101
PID 4560 wrote to memory of 3360	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	101
PID 4560 wrote to memory of 3360	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	101
PID 3360 wrote to memory of 4408	3360	cmd.exe	103
PID 3360 wrote to memory of 4408	3360	cmd.exe	103
PID 3360 wrote to memory of 4408	3360	cmd.exe	103
PID 4408 wrote to memory of 3280	4408	cmd.exe	105
PID 4408 wrote to memory of 3280	4408	cmd.exe	105
PID 3280 wrote to memory of 2376	3280	iexplore.exe	106
PID 3280 wrote to memory of 2376	3280	iexplore.exe	106
PID 3280 wrote to memory of 2376	3280	iexplore.exe	106
PID 4560 wrote to memory of 4864	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	107
PID 4560 wrote to memory of 4864	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	107
PID 4560 wrote to memory of 4864	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	107
PID 4560 wrote to memory of 4436	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	126
PID 4560 wrote to memory of 4436	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	126
PID 4560 wrote to memory of 4436	4560	6e38b9a23e3b3ff3ed2f55acf5d545da.exe	126
PID 4408 wrote to memory of 896	4408	cmd.exe	125
PID 4408 wrote to memory of 896	4408	cmd.exe	125
PID 4408 wrote to memory of 896	4408	cmd.exe	125
PID 4408 wrote to memory of 4112	4408	cmd.exe	109
PID 4408 wrote to memory of 4112	4408	cmd.exe	109
PID 4408 wrote to memory of 4112	4408	cmd.exe	109
PID 4112 wrote to memory of 2556	4112	cmd.exe	110
PID 4112 wrote to memory of 2556	4112	cmd.exe	110
PID 4112 wrote to memory of 2556	4112	cmd.exe	110
PID 4112 wrote to memory of 1896	4112	cmd.exe	123
PID 4112 wrote to memory of 1896	4112	cmd.exe	123
PID 4112 wrote to memory of 1896	4112	cmd.exe	123
PID 4112 wrote to memory of 4836	4112	cmd.exe	111
PID 4112 wrote to memory of 4836	4112	cmd.exe	111
PID 4112 wrote to memory of 4836	4112	cmd.exe	111
PID 4112 wrote to memory of 616	4112	cmd.exe	121
PID 4112 wrote to memory of 616	4112	cmd.exe	121
PID 4112 wrote to memory of 616	4112	cmd.exe	121
PID 4112 wrote to memory of 336	4112	cmd.exe	118
PID 4112 wrote to memory of 336	4112	cmd.exe	118
PID 4112 wrote to memory of 336	4112	cmd.exe	118
PID 4112 wrote to memory of 4456	4112	cmd.exe	112
PID 4112 wrote to memory of 4456	4112	cmd.exe	112
PID 4112 wrote to memory of 4456	4112	cmd.exe	112
PID 4112 wrote to memory of 3748	4112	cmd.exe	117
PID 4112 wrote to memory of 3748	4112	cmd.exe	117
PID 4112 wrote to memory of 3748	4112	cmd.exe	117
PID 4112 wrote to memory of 360	4112	cmd.exe	113
PID 4112 wrote to memory of 360	4112	cmd.exe	113
PID 4112 wrote to memory of 360	4112	cmd.exe	113
PID 4112 wrote to memory of 4428	4112	cmd.exe	116
PID 4112 wrote to memory of 4428	4112	cmd.exe	116
PID 4112 wrote to memory of 4428	4112	cmd.exe	116
PID 360 wrote to memory of 4108	360	rundll32.exe	114
PID 360 wrote to memory of 4108	360	rundll32.exe	114
PID 360 wrote to memory of 4108	360	rundll32.exe	114
PID 4108 wrote to memory of 1748	4108	runonce.exe	119
PID 4108 wrote to memory of 1748	4108	runonce.exe	119
PID 4108 wrote to memory of 1748	4108	runonce.exe	119
PID 4864 wrote to memory of 3288	4864	inl2F4A.tmp	130
PID 4864 wrote to memory of 3288	4864	inl2F4A.tmp	130
PID 4864 wrote to memory of 3288	4864	inl2F4A.tmp	130

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3748	attrib.exe
4456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6e38b9a23e3b3ff3ed2f55acf5d545da.exe
"C:\Users\Admin\AppData\Local\Temp\6e38b9a23e3b3ff3ed2f55acf5d545da.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3280 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2556
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:4836
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4456
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:360
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1896
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      PID:896
- C:\Users\Admin\AppData\Local\Temp\inl2F4A.tmp
  C:\Users\Admin\AppData\Local\Temp\inl2F4A.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl2F4A.tmp > nul
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6E38B9~1.EXE > nul
  2⤵
  PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD06.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
660B

MD5
c40ea8f677b3f48bfb7f4cfc6d3f03ab

SHA1
10b94afd8e6ea98a3c8a955304f9ce660b0c380a

SHA256
b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c

SHA512
409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b7c5e3b416b1d1b5541ef44662e1a764

SHA1
8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

SHA256
f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

SHA512
65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
321B

MD5
b45d9865c76db5b9bc859499a3e9aae0

SHA1
6c4ff3519e8654ea6dac624213df2913018f2e58

SHA256
be7411475aba37b9c1e504d379b5517355968e05a5a4b46b823440dbaa7f1872

SHA512
25fa92de368e9b1d29003e00bdd77ebeb879ffe262cabfca5d9c07b7d34499c13b927d4648c95598b9241b7f4c085d1d5974c74c0ff951d2d3687860a762b6ad

Download Submit
memory/3280-106-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-88-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-62-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-63-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-70-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-69-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-68-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-72-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-77-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-76-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-80-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-83-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-85-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-92-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-94-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-96-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-98-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-99-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-97-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-104-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-103-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-58-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-108-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-113-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-59-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-64-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-120-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-65-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-66-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-67-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-142-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-144-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-143-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-149-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-147-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-146-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-141-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-140-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-107-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-93-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-90-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-74-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/3280-79-0x00007FFC51E50000-0x00007FFC51EBE000-memory.dmp

Filesize
440KB

Download
memory/4560-1-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/4560-121-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download
memory/4560-21-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download
memory/4560-11-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/4560-5-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download
memory/4560-0-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads