ae2a04f94bd9c46c979ac213edcc026692c54f9ec2afbeaa8b03752ae4f792bc

General

Target

1048b55d549d456b05d057b067faa185.exe
Size

54KB
MD5

1048b55d549d456b05d057b067faa185
SHA1

e14b56b39d4ea871b17e19d9ffaeac1fa6381a83
SHA256

ae2a04f94bd9c46c979ac213edcc026692c54f9ec2afbeaa8b03752ae4f792bc
SHA512

f7021f00e9c4f5f7069aaac72f09a3df4c2775d417f0c9f199272b43e44aa8e00f77c4d78e4a99f533af908a0cf559c2913bc08dd06edb8e17920c0e415f6726
SSDEEP

768:gNh5DfiT2+IXeIt1wgOP+kw+tNwsxQkHPrz+N35yKNQbJItygam7RIEMrOQYz0+w:gZWKJJMguNNdxzHni3gkkJIv7R9wg0a0

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1844	attrib.exe
872	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2076	2916	1048b55d549d456b05d057b067faa185.exe	31
PID 2916 wrote to memory of 2076	2916	1048b55d549d456b05d057b067faa185.exe	31
PID 2916 wrote to memory of 2076	2916	1048b55d549d456b05d057b067faa185.exe	31
PID 2916 wrote to memory of 2076	2916	1048b55d549d456b05d057b067faa185.exe	31
PID 2076 wrote to memory of 2408	2076	cmd.exe	33
PID 2076 wrote to memory of 2408	2076	cmd.exe	33
PID 2076 wrote to memory of 2408	2076	cmd.exe	33
PID 2076 wrote to memory of 2408	2076	cmd.exe	33
PID 2408 wrote to memory of 1708	2408	cmd.exe	35
PID 2408 wrote to memory of 1708	2408	cmd.exe	35
PID 2408 wrote to memory of 1708	2408	cmd.exe	35
PID 2408 wrote to memory of 1708	2408	cmd.exe	35

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1844	attrib.exe
872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1048b55d549d456b05d057b067faa185.exe
"C:\Users\Admin\AppData\Local\Temp\1048b55d549d456b05d057b067faa185.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://wWW.cnkankan.com/?82133
      4⤵
      PID:1708
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\1.inf
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\2.bat
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        
        PID:980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\datread\3.bat""" /f
        5⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1844
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:872
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\2.inf
        5⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
858B

MD5
d727e34e3f5eb5ee1ce17fe4c66bf617

SHA1
ea796e8b305510775d244f30758e125a01569626

SHA256
d0cd1c2b674ee72b000ecacb181addd7735f4c3478731c23f4649e312e4c607d

SHA512
ae3028364bf02b3e7c78d7a44a3305537c16d7feefb9dd968296b86425babaccee81af0c40eb7f8f374266df0e2c3c1a08b6b951ceaddc55572d6f0f1e85705c

Download Submit
C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat

Filesize
54B

MD5
5dd457b845e53fce36e6b543764337e4

SHA1
eb7f8ce82274afa5702b20eb5ba133bb71bcb8d6

SHA256
0a2c605c32f2e9b3eda6f18df3d8c1fc2d87922b9bb23d6c3a9de3aa3f383992

SHA512
0fea97ddf333c178ca4805fc85f8b66f81a7906d1cc7bf440206aff50cc711643e90115f046077a323b3cc78deeb704f7eb8a934d0a1cd011f6a3ad67057c9f6

Download Submit
C:\Users\Admin\AppData\Roaming\datread\1.bat

Filesize
3KB

MD5
70c32a548388769424935af37d73cabc

SHA1
2411e148d5bc6b82403e1d7491293810ba76c8a2

SHA256
bd69b2f6f82d1ef3e608423e03c51f40290bdc9e6c2c27b72fa068ca2a9fb8ee

SHA512
785184d29875bb7c89f0bc3ed6ed00bab3cc919af42af0a8e34c05b948be2e14a33b2256a7e6083325571b55e4a19321666fe6243909dd6e96ad9bf0767bf006

Download Submit
C:\Users\Admin\AppData\Roaming\datread\1.inf

Filesize
212B

MD5
c29a919c64a4a5a9adbe8c63503cde35

SHA1
35915bcdf2ba01df5052203624950465534a7bf5

SHA256
fc261f82f96d7e2897f4b6e36960758b9c45985b88a4ca9934e7fb56c0cb3519

SHA512
93308daeb61d1b91cab1e01f6fca69511463688fff6581d9f420e9fadb7b61e6e03381366c04232434cdfc31a086e5f7f068d77e6a35dfe1a104edd5cc138428

Download Submit
C:\Users\Admin\AppData\Roaming\datread\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\datread\2.bat

Filesize
3KB

MD5
2dccbc7c9d8e6493c16fab45e323b10c

SHA1
b64f49270de7be232bfdce99cd7670af82baf73e

SHA256
36b2154f812901d1b2dc99d91c960a012a30411fc8b39fa32c74157fef53d3f7

SHA512
90e03bad493dc480f9d6bc976bf9028589522f3b04c5dd0222efffea4b237941b0e594ba51e880c657945c80ff80bb136d6caae6b3841398e9753c7fa47c3f3a

Download Submit
C:\Users\Admin\AppData\Roaming\datread\4.bat

Filesize
1.8MB

MD5
b84f9ac7fd3b7b3add1dd7d0c4252845

SHA1
1af1a2f867c902d383e36d418f930dcb1f50f4bb

SHA256
a9c635fb9a9f39a5c4ff35279c973118eb36bb14c84dfee9ce616898db3e06c5

SHA512
f236f5d495330b0ddb7d14f943a2306f995e6cbeec865f5c979cdd2efb18eff2db54a04f51f6e44516814e369ffb47a8835514b4157dd356e9114c4b4b36d94a

Download Submit
memory/1708-75-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/2916-0-0x0000000000AC0000-0x0000000000AE5000-memory.dmp

Filesize
148KB

Download
memory/2916-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2916-5-0x0000000000AC0000-0x0000000000AE5000-memory.dmp

Filesize
148KB

Download
memory/2916-38-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads