Overview

overview

8

Static

static

3

6fb5071331...bf.exe

windows7-x64

8

6fb5071331...bf.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2024 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fb50713314e5efdea6285202214fbbf.exe

  • Size

    54KB

  • MD5

    6fb50713314e5efdea6285202214fbbf

  • SHA1

    0ca70c75795286d099e1ab7559b8f8a5c5061df6

  • SHA256

    51c2c22dd1b44e70b2b5ce8a9bb10b279527e03dbfb60d0810e7b4b2dc1c2dc3

  • SHA512

    855df736f424c765a7561a11807af24fefc64cb5d6a10bddfe0cd525be6249f30c26523abbaca320653bcf210d1efc2a174182ba37fdb2bf24878ba012a8fd40

  • SSDEEP

    1536:/KZiivgFkkHnjXVJj+AvIvWC61AIRNG4ij:UvcDHnjFByvb613A

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fb50713314e5efdea6285202214fbbf.exe
    "C:\Users\Admin\AppData\Local\Temp\6fb50713314e5efdea6285202214fbbf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_min_run.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
        3⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:1948
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:4572
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?S"" /f
          4⤵
            PID:3456
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            4⤵
            • Modifies registry class
            PID:4600
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
            4⤵
            • Modifies registry class
            PID:776
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4568
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2880
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
            4⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2340
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              5⤵
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:3128
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                6⤵
                  PID:1112
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 D:\VolumeDH\inj.dat,MainLoad
              4⤵
                PID:1468
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3936
                • C:\PROGRA~1\INTERN~1\iexplore.exe
                  C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?71628
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1980
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:17410 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1044
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
                  5⤵
                    PID:3556
            • C:\Users\Admin\AppData\Local\Temp\inlA46B.tmp
              C:\Users\Admin\AppData\Local\Temp\inlA46B.tmp
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1896
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlA46B.tmp > nul
                3⤵
                  PID:2984
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6FB507~1.EXE > nul
                2⤵
                  PID:1988

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\PROGRA~1\INTERN~1\IEFRAME.dll
                Filesize

                348KB

                MD5

                084125acf8be8c62c9878ba86bfc9418

                SHA1

                33e5c79d62ec9b8496a54d66661f0d791f76b068

                SHA256

                484ae917a5312740cc924fc7efee7bc9394e577d14b2f76ec21d9f82ec46918f

                SHA512

                05c7415d5c15ecdc339a4a7724f8be4425efad06c72528a2b2fb520eca02fa6e35fb67eaa358944975fc7446f173365122acd27bfca39e84823a3f8bf2ebb4f2

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                Filesize

                471B

                MD5

                00c810ad5af9bb1ffa13d83698695136

                SHA1

                356ae631a77f5b6039531fd01904a27e8d64fd3c

                SHA256

                646abae3e23a04a2e487d6811e6fa2f65666e86f650baefcd821f45737165854

                SHA512

                b7335f7b5f9a36999e5eb128f839ad8566c50ef9922f19ddff691266c745faa72a8ecedc97de3e91aa7be7e99df3c4928660f147aa1c9dd76361eb2eb2b1c3fc

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                Filesize

                404B

                MD5

                8670ec099cdef4acf9f0f1b98d76705f

                SHA1

                f35f7250dd785d7a10941a4b2213aa1cdb5d435b

                SHA256

                d93981bbc027f2f8aad7f552fc11d32618697a23c12beedd6f4629ad305d3f61

                SHA512

                a8affe0a3524452a7e520e24cf534129e6a9a9c526daf7f05a51b0df0d3b2c2ef17c1aaa580e5cf82bd9e19d8bbbc6d91f1bbcf914d095f596e795ceac9fcf15

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ccxtump\imagestore.dat
                Filesize

                1KB

                MD5

                e7722a99dd6874521f08fc6ae3e7f2c4

                SHA1

                490e9c5c4531cee6a6ce5f665faf1f28444cd749

                SHA256

                e031f59351fdbfc96b444b14408ccb71f8da803afeb6cdc8f313fdff3ee9934b

                SHA512

                a29154f7f63d6134961a024ab5a3f8fe780e25264b267c2e34609e04a2de17c83a22da216f735f3f648180b62859085b11249c6db80cf0396b69cce614afa34f

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0A013ETK\favicon[1].ico
                Filesize

                1KB

                MD5

                7ef1f0a0093460fe46bb691578c07c95

                SHA1

                2da3ffbbf4737ce4dae9488359de34034d1ebfbd

                SHA256

                4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c

                SHA512

                68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
                Filesize

                790B

                MD5

                b18422bf438bbb7798280375a7bc0976

                SHA1

                c1b77b35e3a38ff2ad119f25e548beb5ff68c2e2

                SHA256

                ee8709e751067193dccdfe218108bdae6a30919d7b6c860bc848c7cc4b242fa4

                SHA512

                23cb9c74905f514a2bf4ef91afc53ceb08230b3ce68e3eab17bb36c674260d143a7e7105958ff4ed5c2a416bddffb3c7e28dcf8060cbf323c7e4cab71f613176

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\inlA46B.tmp
                Filesize

                1.4MB

                MD5

                068c9a7169f61522b0f7461d98d4c5cf

                SHA1

                dee4e976cf9fb36e681f0226f339ff58fb34d13a

                SHA256

                b374facbf692703dd50de302feaaaf5949741b4e11772ed5f010ac55ea68297a

                SHA512

                2a11a8e68a7065245aef3ca84db8f9eb84ef37b9646dee9ddd9587b4e3b15031ca532a2a6984714b0414f8b57993ef585bf3fbca4113adea77f6e8ba170ee6bc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\inlA46B.tmp
                Filesize

                1.6MB

                MD5

                22becd82324246cb105e4def945a2a72

                SHA1

                1715c008c60e7ca783f4dcb988c105be9ef2f89d

                SHA256

                450cc48029ba107b6270faf6a59c0e33b122e55366ffc0761d1ae21839105ccc

                SHA512

                bc37ca25dc66924e6ca0b69a415ffd5423898679c62a2661065e39a0f07457a99366d32af15b461bf8996002f807da89a0d8879781c2d9167d38d6a211848d81

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\s_min_run.bat
                Filesize

                54B

                MD5

                504490369970f1c0eb580afbcdf91618

                SHA1

                b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

                SHA256

                a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

                SHA512

                5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\1.bat
                Filesize

                3KB

                MD5

                58db0fb8d73a32c0e8057a6f78c16d07

                SHA1

                5cca0167d57e8bc9a8a228134db7456bfedeb63e

                SHA256

                5191c4b522b9dd8369363060d5e03b2728f71c09855daf1ebc418f592c50029a

                SHA512

                829e9da755fdd4c0b0b276ee47775af66f264ac7ae0e8bb8dec1480a038c58cb6d9e9cdd3706ca7b412f6d143ea6e1034da9993220ae0329e1323d9c5c5ab75a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\1.inf
                Filesize

                410B

                MD5

                66a1f0147fed7ddd19e9bb7ff93705c5

                SHA1

                9d803c81ea2195617379b880b227892ba30b0bf6

                SHA256

                4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

                SHA512

                cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\2.bat
                Filesize

                3KB

                MD5

                e0c1d8f31000bfbb421ec380b2b33a1c

                SHA1

                3ab4f702f7f0614268d1f244617b331b49b03e3e

                SHA256

                21ecb6568e1a4610e87e0a976a478f9097ca44024d1f9a491ec249443a233865

                SHA512

                32f711c0bef8af5d9d67e1807d5aa78b73412c128f82a8e6c498b6a68ee5682d90047beb25ecd6c032256d41e4fbb3b9faefd3ca0fdf500e7f5c27468e2665bc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\2.inf
                Filesize

                248B

                MD5

                2197ffb407fb3b2250045c084f73b70a

                SHA1

                3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

                SHA256

                a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

                SHA512

                b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

                Download Submit

              • C:\Users\Admin\AppData\Roaming\redload\4.bat
                Filesize

                5.8MB

                MD5

                d20e4926f69c662c79629d82ec369c0e

                SHA1

                c898b6f2306b33d4a8beec4fb3c2090036b854a1

                SHA256

                54b1337044bbd5ffff161edcaba706d4549deeb1508ad50016b92f5d262bd4ac

                SHA512

                5f63c1b4b4ce74d88a7825a0d3157122106b1bbd343ee2f60bfbbe4eed4b1f47c1b9020e6f92b0fb336d7d456764daaafb6bdc5aecfd333a17e8395b16985f69

                Download Submit

              • memory/1440-1-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1440-5-0x0000000000AE0000-0x0000000000B05000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1440-7-0x0000000000AB0000-0x0000000000AB3000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1440-0-0x0000000000AE0000-0x0000000000B05000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1440-168-0x0000000000AE0000-0x0000000000B05000-memory.dmp

                Filesize

                148KB

                Download

              • memory/1980-110-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-126-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-93-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-98-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-92-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-91-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-89-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-100-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-88-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-106-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-108-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-94-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-112-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-111-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-114-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-116-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-122-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-121-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-124-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-123-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-125-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-96-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-131-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-117-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-115-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-135-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-138-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-136-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-134-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-133-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-132-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-113-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-104-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-103-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-102-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-101-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-95-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-90-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-87-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-84-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1980-83-0x00007FFCE6330000-0x00007FFCE639E000-memory.dmp

                Filesize

                440KB

                Download