Analysis
max time kernel: 157s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 12:23

Static task: static1

Behavioral task: behavioral1
Sample: 6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Resource: win10v2004-20231215-en
General
Target: 6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Size: 57KB
MD5: 6e38b9a23e3b3ff3ed2f55acf5d545da
SHA1: 0ecc933f0ded9f1b97ee12eaf5311355bf9779a1
SHA256: 39c7dfc4f27d430d3c2593f4fc9565b665b53e09d66404ce97b86c7729f1986e
SHA512: 351f7c4aba4e4d169fb565d505fbba1503075c7a278a6f626e59303f44792e5f0110599fab4cd5298c3b549608e25f085c97237a9499baa6b49c4db079b21af3
SSDEEP: 768:hBRMLJshpXC1tlRiYTqyFN9Mwxgb+qi90sG3gGaru+6o6cAT5LZwmChDkGBh9OHj:hBFwt8Om/sPruWOLZwmChgGzg+fPVG6s
Malware Config
Signatures
Sets file to hidden (1 TTPs 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
4456 | attrib.exe
3748 | attrib.exe
Checks computer location settings (2 TTPs 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | inl2F4A.tmp
Executes dropped EXE (1 IoCs)
pid | Process
4864 | inl2F4A.tmp
Adds Run key to start application (2 TTPs 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | rundll32.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\PROGRA~1\INTERN~1\ieframe.dll | cmd.exe
File opened for modification | C:\PROGRA~1\INTERN~1\ieframe.dll | cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078671" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1556688887" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ea786b0f39da01 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1804031958" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1556688887" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31078671" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f2859d464fb564ea9e97dd009a434cc00000000020000000000106600000001000020000000fdaba8e1675fae46ecec7833416eb78c7c7c45fefb4f24d8fa91b73149a4d78b000000000e80000000020000200000004af770114c92b294e65bbf426b52898a0a374d01e159ed0bb93746d826fc36de200000000794e33b7ac92f960e35394cf94aafa4ca1e6d6144693ce41e024740947fd0da4000000010afdb5d5436577609d39a08f136d1585c62dac57f49f2cfac643598773a102fcec74ae7dc412dd252db8af664d5faa6130aa17354d6628f9c68b627476006d4 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f2859d464fb564ea9e97dd009a434cc0000000002000000000010660000000100002000000030e8efb2af5f4b92c26a9f579f23d0bfd75f7489939848d489b682e575040b92000000000e80000000020000200000003bd5ef7428f3ce63d8e9cd708c25e0585df2c15758b61113702d32d0e4694c0720000000fc4c4e3a562ab4ffc1813454e4fce049c2ebaf77fe334c94bcc39cc5649db9ba40000000677d9811a19a1933ea5364e5b6e3868a29b338b730d2a67d1665b6adc6c8a747b5f3e2937800afd8113603048f9a28300ef81a9d845b1f595a63f8f5b161705c | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078671" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f77e5f0f39da01 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409875950" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87890D7E-A502-11EE-BCD9-FEBFAF1864CB} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1804031958" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31078671" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\Main | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Modifies Internet Explorer start page (1 TTPs 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" | reg.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" | reg.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe
Token: SeIncBasePriorityPrivilege | 4864 | inl2F4A.tmp
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
3280 | iexplore.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
3280 | iexplore.exe
3280 | iexplore.exe
2376 | IEXPLORE.EXE
2376 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (59 IoCs)
description | pid | Process | procid_target
PID 4560 wrote to memory of 3360 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 101
PID 4560 wrote to memory of 3360 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 101
PID 4560 wrote to memory of 3360 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 101
PID 3360 wrote to memory of 4408 | 3360 | cmd.exe | 103
PID 3360 wrote to memory of 4408 | 3360 | cmd.exe | 103
PID 3360 wrote to memory of 4408 | 3360 | cmd.exe | 103
PID 4408 wrote to memory of 3280 | 4408 | cmd.exe | 105
PID 4408 wrote to memory of 3280 | 4408 | cmd.exe | 105
PID 3280 wrote to memory of 2376 | 3280 | iexplore.exe | 106
PID 3280 wrote to memory of 2376 | 3280 | iexplore.exe | 106
PID 3280 wrote to memory of 2376 | 3280 | iexplore.exe | 106
PID 4560 wrote to memory of 4864 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 107
PID 4560 wrote to memory of 4864 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 107
PID 4560 wrote to memory of 4864 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 107
PID 4560 wrote to memory of 4436 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 126
PID 4560 wrote to memory of 4436 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 126
PID 4560 wrote to memory of 4436 | 4560 | 6e38b9a23e3b3ff3ed2f55acf5d545da.exe | 126
PID 4408 wrote to memory of 896 | 4408 | cmd.exe | 125
PID 4408 wrote to memory of 896 | 4408 | cmd.exe | 125
PID 4408 wrote to memory of 896 | 4408 | cmd.exe | 125
PID 4408 wrote to memory of 4112 | 4408 | cmd.exe | 109
PID 4408 wrote to memory of 4112 | 4408 | cmd.exe | 109
PID 4408 wrote to memory of 4112 | 4408 | cmd.exe | 109
PID 4112 wrote to memory of 2556 | 4112 | cmd.exe | 110
PID 4112 wrote to memory of 2556 | 4112 | cmd.exe | 110
PID 4112 wrote to memory of 2556 | 4112 | cmd.exe | 110
PID 4112 wrote to memory of 1896 | 4112 | cmd.exe | 123
PID 4112 wrote to memory of 1896 | 4112 | cmd.exe | 123
PID 4112 wrote to memory of 1896 | 4112 | cmd.exe | 123
PID 4112 wrote to memory of 4836 | 4112 | cmd.exe | 111
PID 4112 wrote to memory of 4836 | 4112 | cmd.exe | 111
PID 4112 wrote to memory of 4836 | 4112 | cmd.exe | 111
PID 4112 wrote to memory of 616 | 4112 | cmd.exe | 121
PID 4112 wrote to memory of 616 | 4112 | cmd.exe | 121
PID 4112 wrote to memory of 616 | 4112 | cmd.exe | 121
PID 4112 wrote to memory of 336 | 4112 | cmd.exe | 118
PID 4112 wrote to memory of 336 | 4112 | cmd.exe | 118
PID 4112 wrote to memory of 336 | 4112 | cmd.exe | 118
PID 4112 wrote to memory of 4456 | 4112 | cmd.exe | 112
PID 4112 wrote to memory of 4456 | 4112 | cmd.exe | 112
PID 4112 wrote to memory of 4456 | 4112 | cmd.exe | 112
PID 4112 wrote to memory of 3748 | 4112 | cmd.exe | 117
PID 4112 wrote to memory of 3748 | 4112 | cmd.exe | 117
PID 4112 wrote to memory of 3748 | 4112 | cmd.exe | 117
PID 4112 wrote to memory of 360 | 4112 | cmd.exe | 113
PID 4112 wrote to memory of 360 | 4112 | cmd.exe | 113
PID 4112 wrote to memory of 360 | 4112 | cmd.exe | 113
PID 4112 wrote to memory of 4428 | 4112 | cmd.exe | 116
PID 4112 wrote to memory of 4428 | 4112 | cmd.exe | 116
PID 4112 wrote to memory of 4428 | 4112 | cmd.exe | 116
PID 360 wrote to memory of 4108 | 360 | rundll32.exe | 114
PID 360 wrote to memory of 4108 | 360 | rundll32.exe | 114
PID 360 wrote to memory of 4108 | 360 | rundll32.exe | 114
PID 4108 wrote to memory of 1748 | 4108 | runonce.exe | 119
PID 4108 wrote to memory of 1748 | 4108 | runonce.exe | 119
PID 4108 wrote to memory of 1748 | 4108 | runonce.exe | 119
PID 4864 wrote to memory of 3288 | 4864 | inl2F4A.tmp | 130
PID 4864 wrote to memory of 3288 | 4864 | inl2F4A.tmp | 130
PID 4864 wrote to memory of 3288 | 4864 | inl2F4A.tmp | 130
Views/modifies file attributes (1 TTPs 2 IoCs)
pid | Process
3748 | attrib.exe
4456 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6e38b9a23e3b3ff3ed2f55acf5d545da.exe (PID 4560)
  "C:\Users\Admin\AppData\Local\Temp\6e38b9a23e3b3ff3ed2f55acf5d545da.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3360)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 4408)
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
          - Suspicious use of WriteProcessMemory
            C:\PROGRA~1\INTERN~1\iexplore.exe (PID 3280)
              C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2376)
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3280 CREDAT:17410 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cmd.exe (PID 4112)
              C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
              - Drops file in Program Files directory
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\reg.exe (PID 2556)
                  reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
                  - Modifies Internet Explorer settings
                  - Modifies Internet Explorer start page
                C:\Windows\SysWOW64\reg.exe (PID 4836)
                  reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
                C:\Windows\SysWOW64\attrib.exe (PID 4456)
                  attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                  - Sets file to hidden
                  - Views/modifies file attributes
                C:\Windows\SysWOW64\rundll32.exe (PID 360)
                  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
                  - Adds Run key to start application
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\runonce.exe (PID 4108)
                      "C:\Windows\system32\runonce.exe" -r
                      - Checks processor information in registry
                      - Suspicious use of WriteProcessMemory
                        C:\Windows\SysWOW64\grpconv.exe (PID 1748)
                          "C:\Windows\System32\grpconv.exe" -o
                C:\Windows\SysWOW64\rundll32.exe (PID 4428)
                  rundll32 D:\VolumeDH\inj.dat,MainLoad
                C:\Windows\SysWOW64\attrib.exe (PID 3748)
                  attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
                  - Sets file to hidden
                  - Views/modifies file attributes
                C:\Windows\SysWOW64\reg.exe (PID 336)
                  reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
                  - Modifies registry class
                C:\Windows\SysWOW64\reg.exe (PID 616)
                  reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                  - Modifies registry class
                C:\Windows\SysWOW64\reg.exe (PID 1896)
                  reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
                  - Modifies Internet Explorer settings
                  - Modifies Internet Explorer start page
            C:\Windows\SysWOW64\rundll32.exe (PID 896)
              rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
    C:\Users\Admin\AppData\Local\Temp\inl2F4A.tmp (PID 4864)
      C:\Users\Admin\AppData\Local\Temp\inl2F4A.tmp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3288)
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl2F4A.tmp > nul
    C:\Windows\SysWOW64\cmd.exe (PID 4436)
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6E38B9~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize: 53B
MD5: 23962a245f75fe25510051582203aff1
SHA1: 20832a3a1179bb2730194d2f7738d41d5d669a43
SHA256: 1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512: dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Filesize: 660B
MD5: c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA1: 10b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256: b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512: 409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

Filesize: 3KB
MD5: b7c5e3b416b1d1b5541ef44662e1a764
SHA1: 8bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256: f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA512: 65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Filesize: 321B
MD5: b45d9865c76db5b9bc859499a3e9aae0
SHA1: 6c4ff3519e8654ea6dac624213df2913018f2e58
SHA256: be7411475aba37b9c1e504d379b5517355968e05a5a4b46b823440dbaa7f1872
SHA512: 25fa92de368e9b1d29003e00bdd77ebeb879ffe262cabfca5d9c07b7d34499c13b927d4648c95598b9241b7f4c085d1d5974c74c0ff951d2d3687860a762b6ad