8905def32331738c4a12f15cc89b53379ec4896a0dcc208995301a8c57cf3c82

Analysis

max time kernel
85s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289be682bb8dc3af3cf720035c2c622b.exe
Size

57KB
MD5

289be682bb8dc3af3cf720035c2c622b
SHA1

d65844fdb3f84302ffe115c41cb6df5aaf5971a9
SHA256

8905def32331738c4a12f15cc89b53379ec4896a0dcc208995301a8c57cf3c82
SHA512

ef02777b8f0113913af4829f69f91a96a84a2e02f43310549626ec978ee26cd436dab06319e99c79dfd81d54cb0d6de68bbc5e2a66b648a5d35ba34b246fb599
SSDEEP

1536:bsPjsxbfdYfVnN2FeUnY0VqcyJcgSrTkKCyYceAx6O9Qev0wj:bsmTCVnN2UYYyqcA0TNMAxFQRwj

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3720	attrib.exe
3096	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3720	attrib.exe
3096	attrib.exe

C:\Users\Admin\AppData\Local\Temp\289be682bb8dc3af3cf720035c2c622b.exe
"C:\Users\Admin\AppData\Local\Temp\289be682bb8dc3af3cf720035c2c622b.exe"
1⤵
PID:2832
- C:\Users\Admin\AppData\Local\Temp\inlA064.tmp
  C:\Users\Admin\AppData\Local\Temp\inlA064.tmp
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlA064.tmp > nul
    3⤵
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\289BE6~1.EXE > nul
  2⤵
  PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pds2010_check.bat" "
  2⤵
  PID:4188

C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
1⤵
PID:2772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2
  2⤵
  PID:844

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:4344
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:2976

C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\inj.dat,MainLoad
1⤵
PID:2416

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
1⤵
PID:4348

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3720

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
1⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
1⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
1⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
1⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
1⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
1⤵
PID:4320

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
1⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-115-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-139-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-52-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-54-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-75-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-78-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-88-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-92-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-103-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-109-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-127-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-125-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-133-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-134-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-135-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-111-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-76-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-144-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-137-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-136-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-117-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-116-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-79-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-80-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-83-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-106-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-104-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-102-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-101-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-100-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-98-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-96-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-94-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-93-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-91-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-90-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-87-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-84-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-110-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-82-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2772-81-0x00007FFBD3610000-0x00007FFBD367E000-memory.dmp

Filesize
440KB

Download
memory/2832-0-0x0000000000D80000-0x0000000000DA6000-memory.dmp

Filesize
152KB

Download
memory/2832-1-0x0000000000D70000-0x0000000000D73000-memory.dmp

Filesize
12KB

Download
memory/2832-147-0x0000000000D80000-0x0000000000DA6000-memory.dmp

Filesize
152KB

Download
memory/2832-7-0x0000000000D70000-0x0000000000D73000-memory.dmp

Filesize
12KB

Download
memory/2832-5-0x0000000000D80000-0x0000000000DA6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads