675de676dfa685b0a3604a3e83f2ce955e6d5154f1094b913ec7f0121120ee5f

Analysis

max time kernel
85s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243a32816b2bd62114bab5cf50ba1213.exe
Size

54KB
MD5

243a32816b2bd62114bab5cf50ba1213
SHA1

ed7563866a2a036140b43d6ae93eacb31427e105
SHA256

675de676dfa685b0a3604a3e83f2ce955e6d5154f1094b913ec7f0121120ee5f
SHA512

1dfc02862dedf8f37395166e7da21e87f835701b03e41e3b490aa0d4aa5dc01b23bbb3f911ef0f651a98ab9c3d1503d73ab1eb6ab500f1a6647b7fd765b54bb7
SSDEEP

768:YU5Qmsqn3fpJ8/f+EDufZJUNL9YTy1t2east7YRpcd2/nqOego9zHd19VmzezClU:1lnIufZAP1t2easWRpFUgizZVxClh+

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
736	attrib.exe
2736	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2736	attrib.exe
736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\243a32816b2bd62114bab5cf50ba1213.exe
"C:\Users\Admin\AppData\Local\Temp\243a32816b2bd62114bab5cf50ba1213.exe"
1⤵
PID:3640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_g_l_229.bat" "
  2⤵
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\inl9344.tmp
  C:\Users\Admin\AppData\Local\Temp\inl9344.tmp
  2⤵
  PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9344.tmp > nul
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\243A32~1.EXE > nul
  2⤵
  PID:2240

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:17410 /prefetch:2
1⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
1⤵
PID:4984

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2736

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:940
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:1860

C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\inj.dat,MainLoad
1⤵
PID:3560

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
1⤵
PID:3996

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:736

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
1⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
1⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
1⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
1⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
1⤵
PID:644

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
1⤵
PID:1852

C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1284.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\360mohesetup.exe

Filesize
794B

MD5
1bc415b31cdff50d79ea2a3d7b4ff2c1

SHA1
f5ebab61deebc3d7a4a6676a23b982f1418ae6a6

SHA256
582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412

SHA512
ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl9344.tmp

Filesize
96KB

MD5
3adc169922981b82b5bbd2b7dff1b6a1

SHA1
b670536a795e988315e1db0d9715f1f74df482de

SHA256
c7d1ed17d452f57353f01d790a71df38efad3b6b18a3c2957fee83a7708b6313

SHA512
b06a89cc4900b2154dfedb04bbc6120076d64cf915007497277fca1e5e98147bb54ca998b090e08e1e4dbcd086383775e4cabc76acbd05dd4151e1604399b011

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl9344.tmp

Filesize
40KB

MD5
0a3835b071a2a91e341a67a42749db05

SHA1
9f8d15ffec2e5df5ddfea72eb2c44d454ec1ea02

SHA256
44143d9cb671c6e45cd7ebc945aaaea7858fca61c0ec5f976e8d7d4053d58ce1

SHA512
cf875094a42a2573ce8d38b4560cf775c39afade8111f7123b3a66afe9dab1e1621894305a3935e617466e9b43dd0da0be4d54d610deb405e83b9e103e296901

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_g_l_229.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
168976102055ae6902b5d251d4b39401

SHA1
37c28d5b4d19bf3ef0be7be04ac4b54c71866773

SHA256
aabf9954046b451c6287c18b37448dbce289b0a76bb0bcbe72b7e97b6ebfc9fc

SHA512
95474e88ce99544ab19d25c3f96b348b99733858b8382baeedce62748444b529e55c0c4df84c20ff05eb7b3172baaa22ade7604c7288b536e1895cd95dbc42a6

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
428b15afd0f31b5f77d86f84a2e0bf36

SHA1
e76c640936f9ea1a4cf0f26e5417d4cbbde08ea2

SHA256
390a9eb07646fea162115045ea2b76a3a248d8823e7dc4a54851c39463ddfdb5

SHA512
3272917c8a65641eb39c280ba2f23c359145d8951ec78d803143fdbfa87cf6233a4d3a03607bcae7703f718dc592297aefc69726086a206e5d0bffd5655d8ca4

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
49KB

MD5
b83930885a71891157a8c94081039989

SHA1
1e7ab3dd1ccdbe66ecd39178a25f58b39f126297

SHA256
4e54dd90456cbd570a5f070ebfc8cc4fc9428c72db6f528d78a426a03b4021fc

SHA512
6c06e0a9ec3881b542cebcc4a8a30bb588e42171334e4ec1216e47a9982026fc480fa309d50056d5a770c8c571fc849ff044aa97856432fabcd3c6b1ad544d6b

Download Submit
memory/3584-138-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-98-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-102-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-108-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-110-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-109-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-111-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-64-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-73-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-63-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-66-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-67-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-99-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-143-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-141-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-140-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-139-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-92-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-137-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-91-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-116-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-107-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-101-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-100-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-85-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-94-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-93-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-89-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-87-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-83-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-84-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-82-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-81-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-79-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-78-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-75-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-74-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-72-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-71-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-70-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3584-69-0x00007FFC03E50000-0x00007FFC03EBE000-memory.dmp

Filesize
440KB

Download
memory/3640-125-0x00000000009B0000-0x00000000009D5000-memory.dmp

Filesize
148KB

Download
memory/3640-7-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/3640-5-0x00000000009B0000-0x00000000009D5000-memory.dmp

Filesize
148KB

Download
memory/3640-1-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/3640-0-0x00000000009B0000-0x00000000009D5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads