25650154d06812b5467a30bc3eb19ef8e2872f6006f384f0dd5777ea4a5ce1b9

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2653e5b275da0588766bb0ea029ec8.exe
Size

57KB
MD5

bc2653e5b275da0588766bb0ea029ec8
SHA1

488343e1c5b81b749f015c2259a0958de5ea1ecb
SHA256

25650154d06812b5467a30bc3eb19ef8e2872f6006f384f0dd5777ea4a5ce1b9
SHA512

cf1f9fac92acdf35536a041d6d6a1ffa6f00092349040c5303444540b9ec975f1e3a63d3dd72d714f4e6799080b9c7cf504d8727c9cfe492e607ddfeb3af9ed1
SSDEEP

768:/kRmosl06cA28DqSV8WnR1EQgz5pDZLhRWLhuHIf4qBkptr6W8U1ZJXhw13B:sRmex8mSVpRIDZdZD7ptr/ZNxw1x

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
312	attrib.exe
1800	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
540	inlCE0B.tmp

Loads dropped DLL 2 IoCs

pid	Process
2332	bc2653e5b275da0588766bb0ea029ec8.exe
2332	bc2653e5b275da0588766bb0ea029ec8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416159885"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75296A91-DE29-11EE-88B2-FA5112F1BCBF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	rundll32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2216	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeRestorePrivilege	2276	rundll32.exe
Token: SeIncBasePriorityPrivilege	2332	bc2653e5b275da0588766bb0ea029ec8.exe
Token: SeIncBasePriorityPrivilege	540	inlCE0B.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2380	iexplore.exe
2380	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2472	2332	bc2653e5b275da0588766bb0ea029ec8.exe	29
PID 2332 wrote to memory of 2472	2332	bc2653e5b275da0588766bb0ea029ec8.exe	29
PID 2332 wrote to memory of 2472	2332	bc2653e5b275da0588766bb0ea029ec8.exe	29
PID 2332 wrote to memory of 2472	2332	bc2653e5b275da0588766bb0ea029ec8.exe	29
PID 2472 wrote to memory of 2892	2472	cmd.exe	31
PID 2472 wrote to memory of 2892	2472	cmd.exe	31
PID 2472 wrote to memory of 2892	2472	cmd.exe	31
PID 2472 wrote to memory of 2892	2472	cmd.exe	31
PID 2892 wrote to memory of 2380	2892	cmd.exe	33
PID 2892 wrote to memory of 2380	2892	cmd.exe	33
PID 2892 wrote to memory of 2380	2892	cmd.exe	33
PID 2892 wrote to memory of 2380	2892	cmd.exe	33
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 2216	2892	cmd.exe	34
PID 2892 wrote to memory of 1348	2892	cmd.exe	35
PID 2892 wrote to memory of 1348	2892	cmd.exe	35
PID 2892 wrote to memory of 1348	2892	cmd.exe	35
PID 2892 wrote to memory of 1348	2892	cmd.exe	35
PID 2380 wrote to memory of 2572	2380	iexplore.exe	36
PID 2380 wrote to memory of 2572	2380	iexplore.exe	36
PID 2380 wrote to memory of 2572	2380	iexplore.exe	36
PID 2380 wrote to memory of 2572	2380	iexplore.exe	36
PID 1348 wrote to memory of 2464	1348	cmd.exe	38
PID 1348 wrote to memory of 2464	1348	cmd.exe	38
PID 1348 wrote to memory of 2464	1348	cmd.exe	38
PID 1348 wrote to memory of 2464	1348	cmd.exe	38
PID 1348 wrote to memory of 960	1348	cmd.exe	39
PID 1348 wrote to memory of 960	1348	cmd.exe	39
PID 1348 wrote to memory of 960	1348	cmd.exe	39
PID 1348 wrote to memory of 960	1348	cmd.exe	39
PID 1348 wrote to memory of 1368	1348	cmd.exe	40
PID 1348 wrote to memory of 1368	1348	cmd.exe	40
PID 1348 wrote to memory of 1368	1348	cmd.exe	40
PID 1348 wrote to memory of 1368	1348	cmd.exe	40
PID 1348 wrote to memory of 1488	1348	cmd.exe	42
PID 1348 wrote to memory of 1488	1348	cmd.exe	42
PID 1348 wrote to memory of 1488	1348	cmd.exe	42
PID 1348 wrote to memory of 1488	1348	cmd.exe	42
PID 1348 wrote to memory of 1944	1348	cmd.exe	43
PID 1348 wrote to memory of 1944	1348	cmd.exe	43
PID 1348 wrote to memory of 1944	1348	cmd.exe	43
PID 1348 wrote to memory of 1944	1348	cmd.exe	43
PID 1348 wrote to memory of 312	1348	cmd.exe	44
PID 1348 wrote to memory of 312	1348	cmd.exe	44
PID 1348 wrote to memory of 312	1348	cmd.exe	44
PID 1348 wrote to memory of 312	1348	cmd.exe	44
PID 1348 wrote to memory of 1800	1348	cmd.exe	45
PID 1348 wrote to memory of 1800	1348	cmd.exe	45
PID 1348 wrote to memory of 1800	1348	cmd.exe	45
PID 1348 wrote to memory of 1800	1348	cmd.exe	45
PID 2332 wrote to memory of 540	2332	bc2653e5b275da0588766bb0ea029ec8.exe	46
PID 2332 wrote to memory of 540	2332	bc2653e5b275da0588766bb0ea029ec8.exe	46
PID 2332 wrote to memory of 540	2332	bc2653e5b275da0588766bb0ea029ec8.exe	46
PID 2332 wrote to memory of 540	2332	bc2653e5b275da0588766bb0ea029ec8.exe	46
PID 1348 wrote to memory of 2276	1348	cmd.exe	47
PID 1348 wrote to memory of 2276	1348	cmd.exe	47
PID 1348 wrote to memory of 2276	1348	cmd.exe	47
PID 1348 wrote to memory of 2276	1348	cmd.exe	47
PID 1348 wrote to memory of 2276	1348	cmd.exe	47

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
312	attrib.exe
1800	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bc2653e5b275da0588766bb0ea029ec8.exe
"C:\Users\Admin\AppData\Local\Temp\bc2653e5b275da0588766bb0ea029ec8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2572
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2464
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:960
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:1368
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:1488
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1944
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:3032
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:896
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2220
- C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp
  C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BC2653~1.EXE > nul
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0127229e31afc6b763a8af7c4552ac4

SHA1
135c8ad54c03011389ad57086bf3bc25e971b6ea

SHA256
39ec7992ed1506b98e876a1e1f1db5ae396c75484e0e5b34bd4b035fda99c9ff

SHA512
ffd49c0ba1f11f2fb60cfe0599eca51d85e33220c02418d624769b2d80488d6dcc8e1d8c2a2c586f1a323437337c8a210545c09ef94286b714ee239047671165

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a16096f209c2bfe27f2866652afa83e5

SHA1
8955c87072bdae1d86c758e7a8e55066400efe82

SHA256
8e192771006d6a70be3d45596785cb840d2dca5a38cb3f210341173be893229d

SHA512
879c4abbae0f97ce17241f341a524d465816b4f00a85e018e5948f227b26ab08e1321cc4fa4d71a7d834af15c9c40bbfc18a8920349bd29d4480429fe46f70a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4d0ed69ca2a82dd492fefc73fe33ce7

SHA1
abaf52153ccfc750cbdb37438c42af26567dbed3

SHA256
740106a7f59d591b124ce274f7feb726deff1083757eb67cc3ed14bbdb9c2f08

SHA512
270c960aa34e664c53c19af4beec36e7614a1025863849ba7367e8b61d2cc098f4cf17e163b2ed5e410fb9b34e5554ae04cb2da211e2ed7c8b1a761e48785b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b897231a4f876e369e6f34385064c22

SHA1
08f4a42114ae308a4d709c5924935a2606cb54c9

SHA256
4fe04c010359770abc6e1924b91169f386e4b5120896f30b5c1121e23f2f9465

SHA512
d62357509fccf860f7d5f1ba5d2f1fb407a7f7d4854eb04b0a1c9ec1537e357f71a1bc3a320cafdded6aef2f5fda152f091bc2e6e43989eafb85f481b8815c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bc78dc5b6231a964f6908a6cb98c1e6

SHA1
0b860a818e9d3e3773d139b265eb7d3c0f56ce36

SHA256
5d20874222179bde228f89c03aadba5c190ae7c7aa6bf093c431dfef35bad090

SHA512
035326d659821a8b33b61a8f733f83b54b1c2e5bfd5a92db144c150d15d81a37890daef982d73173726814dab0ccad8515a61f7dc3fdbc7f11a6827d645c2f55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4480e1f5ce7e1076c2bef67d84be9904

SHA1
340b1669f271eb84a112a222c6ca648e6d9a7802

SHA256
b25dbcbcf63c7c4c1cda80c12f04b21fcc4d4a005052955524bc049b2771dc99

SHA512
81236ec9cbca858d3d1dee62cca7e0fb408f04bad350ff94b9dd2c10d62ab062ade35418f3eb19253ca92b892c47a3bfacd704c76e9f9b2aa0f82b3529281c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a44710943a2ee4ca4503302a39d76a7

SHA1
fc2863294e5ba9c7f63923fc785d75e74d48aa65

SHA256
f16b65d090d7e7028e5ab0ea8da17dbd29ad25916c35d7697725cc0354a8818a

SHA512
4217069cd10f473bbc1fa95a896a9bac042746d76718b94361883be393291f4b490aac6a867fede9254bbf09aa18af2c622f5c6d9d7b7c3dd3a55ea7d3b45d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3a7b3b0ed955fa48ef7c031707e0a0e

SHA1
39283403f18e2f3494c7cf9ab42a91559d24bfe7

SHA256
91b3b235e87055f1b2b2dfc5883c808cd0758e549e21b92ba51770634871fb9b

SHA512
2f26529c9f9ca5404de4c11fca09c151cf0d257a51a69929f438e989046e496da23a9040058541d0b60b6a21e4aaaec836647309712f74500e3014b01df58ea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72ee68299b21b1d74075e8b147399b6c

SHA1
da9d1b04eaea9cd37991a05fb072d64e3902da5b

SHA256
2a0791e7b3e7307731c8c8ec546b150189786633234dedce3938a8454e5e3a83

SHA512
ba4202a11f9fd8bb93116869cc4a9c5528c1c70142a52d2dc9e3d860304c8f3dd0d647ba0cafa7052737679b73cf5b43c6490af8b28de1c76b4b4a9a2ffc22e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca6d976d33ce253cc42f4c9f68ce4a55

SHA1
c765ac154c5935c1947dc0b791d6cfef7d2b7ff1

SHA256
880aabf8117a9d14d877e0e5dc13e4664aa886c1f74592c4eef838cecc703627

SHA512
d305e0e59fa5994122892f23e062ed207b2232c04b86400ba772711a87f9e99695f8117db1b7a4b8bea71d57ba96b113468aa9e06610064600b3154ee7ffaab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5dcsbzd\imagestore.dat

Filesize
1KB

MD5
38ec3607b15eb241c73ccd7d216c4e97

SHA1
312a22cdf5f7b2612f209acf16fe4b61b7d4bb7c

SHA256
b3efcbf88630c874554114fac75751a35654891507da9755a8a8c194bb693266

SHA512
d36d359e07bae705ee2d038da7916112f86f8158d3cec1d1d9e613fb9ddda329e7052dee62f5d3e4858db38c35611cf2d66d23570d90babe0da90766f1e4f23e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\favicon[1].ico

Filesize
1KB

MD5
7ef1f0a0093460fe46bb691578c07c95

SHA1
2da3ffbbf4737ce4dae9488359de34034d1ebfbd

SHA256
4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c

SHA512
68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD07B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD07A.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD2B3.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\comeback_197.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp

Filesize
3.0MB

MD5
45e62dd07dd3fa794891e94748f1452f

SHA1
4772fb6e352821f0f796980ce1f68569dfaf16a6

SHA256
2a009406529752c34a71407e3c3ab1e599a5b8c35b8406461a0af154ffbfd629

SHA512
70b3af6db8504ad6accb5b8d912852725fa0f48d3c83448098521920de2172901c3dd6584a690369f312bd7ea29de687da0b7bd6c7d858058edd34455757aeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp

Filesize
6.8MB

MD5
96b0663847844937df58b0c12833e374

SHA1
61642a2218bf963717df2b1801a112fe7792adf1

SHA256
e10a7d2095c946d0a0088bd59ac0d05b047aa103ff8379c37a884f5f7e2b965f

SHA512
88c135e40cdde68df99da3701b9b78aa1f3c913683f5dd58921f1f1769e3f5f18e161d88dd3eb3f77f1ab11ba4088fa67d00c26b8859dd6e648b02ff0a2bab01

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp

Filesize
5.5MB

MD5
14d6143926e8431ddb510fab944bb092

SHA1
d9d874113e7b5852226e9b7909e76f121b3b1119

SHA256
94101806b2196517f1ebcf2aa26abff1f75c2fceda7dfccdfa8b0c75c85e203c

SHA512
b48f7980a1a12182b4fd7ced9f93e4460011bd466e71f1fba370a547ff59d53acda29dd9d595739a0b1bfbb6fdb042ab90e6b48bdbbab331ce000544097d7a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
660B

MD5
c40ea8f677b3f48bfb7f4cfc6d3f03ab

SHA1
10b94afd8e6ea98a3c8a955304f9ce660b0c380a

SHA256
b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c

SHA512
409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b7c5e3b416b1d1b5541ef44662e1a764

SHA1
8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

SHA256
f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

SHA512
65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
5.4MB

MD5
59be1f29067123ab3011e1b8a94088d0

SHA1
60d675cf74b5674cf715af637c4fa0e8dd8ac5ae

SHA256
2032b89290bba82ce826443c615bbcede294101f9a55e9e40ddbabb6130f795b

SHA512
a4561e95e23434320dc7eb492cd749076771e4090a3145448ce1697c35650ba0bbdf3544630881f993feac57d29f94afe99d8577442b8f5cb10aef77e601eaac

Download Submit
\Users\Admin\AppData\Local\Temp\inlCE0B.tmp

Filesize
6.9MB

MD5
e935aa841e33b5c4c524136754e1feea

SHA1
ffdc4af4b3c55dcb5e64c0f4006bdf78b485f037

SHA256
45a8bd48a7655151eafcf80963a5010933dd1394f984644dfecdf849e24d5193

SHA512
bb150bdb0f641c9ca41ea6998234aeecc24b1f8f335d4816bc59a943e94678ce7281ceb511bcc3e0fa409b041dd194052a527f4fc2b8faad60d21caadb4aae6a

Download Submit
\Users\Admin\AppData\Local\Temp\inlCE0B.tmp

Filesize
9.2MB

MD5
de4bcb7850d84f35170653c4c396433f

SHA1
a6fa489ec0fd8937eb9116654f4c2467e1f91d71

SHA256
073bd3d560ed7654ccc85ae373befdb7a59542753354e22680912fe34b703d14

SHA512
93eeac778ab7a82c837e6e76a6ec99a8b0af603aa07bcf8c0f683b766639f4a57869f9069f4a0bd5e93ff80e502d1b2980f15c833a9134516fa4a2c782dcb710

Download Submit
memory/2332-97-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/2332-0-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/2332-22-0x0000000002CC0000-0x0000000002CCF000-memory.dmp

Filesize
60KB

Download
memory/2332-9-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2332-5-0x0000000000C30000-0x0000000000C57000-memory.dmp

Filesize
156KB

Download
memory/2332-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2380-62-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads