Analysis

max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2024, 15:26
Static task: static1

Behavioral task: behavioral1
  Sample: bc2653e5b275da0588766bb0ea029ec8.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: bc2653e5b275da0588766bb0ea029ec8.exe
  Resource: win10v2004-20240226-en
General

Target: bc2653e5b275da0588766bb0ea029ec8.exe
Size: 57KB
MD5: bc2653e5b275da0588766bb0ea029ec8
SHA1: 488343e1c5b81b749f015c2259a0958de5ea1ecb
SHA256: 25650154d06812b5467a30bc3eb19ef8e2872f6006f384f0dd5777ea4a5ce1b9
SHA512: cf1f9fac92acdf35536a041d6d6a1ffa6f00092349040c5303444540b9ec975f1e3a63d3dd72d714f4e6799080b9c7cf504d8727c9cfe492e607ddfeb3af9ed1
SSDEEP: 768:/kRmosl06cA28DqSV8WnR1EQgz5pDZLhRWLhuHIf4qBkptr6W8U1ZJXhw13B:sRmex8mSVpRIDZdZD7ptr/ZNxw1x
Malware Config
Signatures

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  PID 312    attrib.exe
  PID 1800   attrib.exe

Executes dropped EXE (1 IoCs)
  PID 540    inlCE0B.tmp

Loads dropped DLL (2 IoCs)
  PID 2332   bc2653e5b275da0588766bb0ea029ec8.exe
  PID 2332   bc2653e5b275da0588766bb0ea029ec8.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"   (process: rundll32.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"   (process: rundll32.exe)

Drops file in Program Files directory (2 IoCs)
  File created                   C:\PROGRA~1\INTERN~1\ieframe.dll   (process: cmd.exe)
  File opened for modification   C:\PROGRA~1\INTERN~1\ieframe.dll   (process: cmd.exe)

Drops file in Windows directory (2 IoCs)
  File opened for modification   C:\Windows\INF\setupapi.app.log   (process: rundll32.exe)
  File opened for modification   C:\Windows\INF\setupapi.app.log   (process: rundll32.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0   (process: runonce.exe)
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   (process: runonce.exe)

Modifies Internet Explorer settings
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\InternetRegistry   (process: iexplore.exe)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"   (process: iexplore.exe)
  Key created         \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main   (process: reg.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416159885"   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser   (process: iexplore.exe)
  Set value (str)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total   (process: IEXPLORE.EXE)
  Set value (str)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IETld\LowMic   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Zoom   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main   (process: reg.exe)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\GPU   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PageSetup   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar   (process: iexplore.exe)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"   (process: IEXPLORE.EXE)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"   (process: IEXPLORE.EXE)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DomainSuggestion   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IntelliForms   (process: iexplore.exe)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   (process: iexplore.exe)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75296A91-DE29-11EE-88B2-FA5112F1BCBF} = "0"   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   (process: iexplore.exe)
  Set value (str)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   (process: iexplore.exe)
  Set value (data)    \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   (process: iexplore.exe)
  Key created         \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   (process: iexplore.exe)
  Set value (int)     \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"   (process: IEXPLORE.EXE)

Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o"   (process: reg.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"   (process: reg.exe)

Modifies registry class (9 IoCs)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command   (process: reg.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell   (process: reg.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)   (process: reg.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2216   rundll32.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeRestorePrivilege           PID 2216   rundll32.exe   (7 entries)
  Token: SeRestorePrivilege           PID 2276   rundll32.exe   (7 entries)
  Token: SeIncBasePriorityPrivilege   PID 2332   bc2653e5b275da0588766bb0ea029ec8.exe
  Token: SeIncBasePriorityPrivilege   PID 540    inlCE0B.tmp

Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 2380   iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2380   iexplore.exe
  PID 2380   iexplore.exe
  PID 2572   IEXPLORE.EXE
  PID 2572   IEXPLORE.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2332 wrote to memory of 2472   bc2653e5b275da0588766bb0ea029ec8.exe   procid_target 29   (4 entries)
  PID 2472 wrote to memory of 2892   cmd.exe        procid_target 31   (4 entries)
  PID 2892 wrote to memory of 2380   cmd.exe        procid_target 33   (4 entries)
  PID 2892 wrote to memory of 2216   cmd.exe        procid_target 34   (7 entries)
  PID 2892 wrote to memory of 1348   cmd.exe        procid_target 35   (4 entries)
  PID 2380 wrote to memory of 2572   iexplore.exe   procid_target 36   (4 entries)
  PID 1348 wrote to memory of 2464   cmd.exe        procid_target 38   (4 entries)
  PID 1348 wrote to memory of 960    cmd.exe        procid_target 39   (4 entries)
  PID 1348 wrote to memory of 1368   cmd.exe        procid_target 40   (4 entries)
  PID 1348 wrote to memory of 1488   cmd.exe        procid_target 42   (4 entries)
  PID 1348 wrote to memory of 1944   cmd.exe        procid_target 43   (4 entries)
  PID 1348 wrote to memory of 312    cmd.exe        procid_target 44   (4 entries)
  PID 1348 wrote to memory of 1800   cmd.exe        procid_target 45   (4 entries)
  PID 2332 wrote to memory of 540    bc2653e5b275da0588766bb0ea029ec8.exe   procid_target 46   (4 entries)
  PID 1348 wrote to memory of 2276   cmd.exe        procid_target 47   (5 entries)

Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 312    attrib.exe
  PID 1800   attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\bc2653e5b275da0588766bb0ea029ec8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bc2653e5b275da0588766bb0ea029ec8.exe"
    PID: 2332
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\comeback_197.bat" "
        PID: 2472
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
            PID: 2892
            - Suspicious use of WriteProcessMemory

            [4] C:\PROGRA~1\INTERN~1\iexplore.exe
                Command line: C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
                PID: 2380
                - Modifies Internet Explorer settings
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
                    PID: 2572
                    - Modifies Internet Explorer settings
                    - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\SysWOW64\rundll32.exe
                Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
                PID: 2216
                - Drops file in Windows directory
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
                PID: 1348
                - Drops file in Program Files directory
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
                    PID: 2464
                    - Modifies Internet Explorer settings
                    - Modifies Internet Explorer start page

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
                    PID: 960
                    - Modifies Internet Explorer settings
                    - Modifies Internet Explorer start page

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
                    PID: 1368

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                    PID: 1488
                    - Modifies registry class

                [5] C:\Windows\SysWOW64\reg.exe
                    Command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
                    PID: 1944
                    - Modifies registry class

                [5] C:\Windows\SysWOW64\attrib.exe
                    Command line: attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                    PID: 312
                    - Sets file to hidden
                    - Views/modifies file attributes

                [5] C:\Windows\SysWOW64\attrib.exe
                    Command line: attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
                    PID: 1800
                    - Sets file to hidden
                    - Views/modifies file attributes

                [5] C:\Windows\SysWOW64\rundll32.exe
                    Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
                    PID: 2276
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious use of AdjustPrivilegeToken

                    [6] C:\Windows\SysWOW64\runonce.exe
                        Command line: "C:\Windows\system32\runonce.exe" -r
                        PID: 3032
                        - Checks processor information in registry

                        [7] C:\Windows\SysWOW64\grpconv.exe
                            Command line: "C:\Windows\System32\grpconv.exe" -o
                            PID: 896

                [5] C:\Windows\SysWOW64\rundll32.exe
                    Command line: rundll32 D:\VolumeDH\inj.dat,MainLoad
                    PID: 2220

    [2] C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp
        Command line: C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp
        PID: 540
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlCE0B.tmp > nul
            PID: 2660

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BC2653~1.EXE > nul
        PID: 2940

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: b0127229e31afc6b763a8af7c4552ac4
SHA1: 135c8ad54c03011389ad57086bf3bc25e971b6ea
SHA256: 39ec7992ed1506b98e876a1e1f1db5ae396c75484e0e5b34bd4b035fda99c9ff
SHA512: ffd49c0ba1f11f2fb60cfe0599eca51d85e33220c02418d624769b2d80488d6dcc8e1d8c2a2c586f1a323437337c8a210545c09ef94286b714ee239047671165

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: a16096f209c2bfe27f2866652afa83e5
SHA1: 8955c87072bdae1d86c758e7a8e55066400efe82
SHA256: 8e192771006d6a70be3d45596785cb840d2dca5a38cb3f210341173be893229d
SHA512: 879c4abbae0f97ce17241f341a524d465816b4f00a85e018e5948f227b26ab08e1321cc4fa4d71a7d834af15c9c40bbfc18a8920349bd29d4480429fe46f70a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d4d0ed69ca2a82dd492fefc73fe33ce7
SHA1: abaf52153ccfc750cbdb37438c42af26567dbed3
SHA256: 740106a7f59d591b124ce274f7feb726deff1083757eb67cc3ed14bbdb9c2f08
SHA512: 270c960aa34e664c53c19af4beec36e7614a1025863849ba7367e8b61d2cc098f4cf17e163b2ed5e410fb9b34e5554ae04cb2da211e2ed7c8b1a761e48785b54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 8b897231a4f876e369e6f34385064c22
SHA1: 08f4a42114ae308a4d709c5924935a2606cb54c9
SHA256: 4fe04c010359770abc6e1924b91169f386e4b5120896f30b5c1121e23f2f9465
SHA512: d62357509fccf860f7d5f1ba5d2f1fb407a7f7d4854eb04b0a1c9ec1537e357f71a1bc3a320cafdded6aef2f5fda152f091bc2e6e43989eafb85f481b8815c2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 3bc78dc5b6231a964f6908a6cb98c1e6
SHA1: 0b860a818e9d3e3773d139b265eb7d3c0f56ce36
SHA256: 5d20874222179bde228f89c03aadba5c190ae7c7aa6bf093c431dfef35bad090
SHA512: 035326d659821a8b33b61a8f733f83b54b1c2e5bfd5a92db144c150d15d81a37890daef982d73173726814dab0ccad8515a61f7dc3fdbc7f11a6827d645c2f55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 4480e1f5ce7e1076c2bef67d84be9904
SHA1: 340b1669f271eb84a112a222c6ca648e6d9a7802
SHA256: b25dbcbcf63c7c4c1cda80c12f04b21fcc4d4a005052955524bc049b2771dc99
SHA512: 81236ec9cbca858d3d1dee62cca7e0fb408f04bad350ff94b9dd2c10d62ab062ade35418f3eb19253ca92b892c47a3bfacd704c76e9f9b2aa0f82b3529281c18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 7a44710943a2ee4ca4503302a39d76a7
SHA1: fc2863294e5ba9c7f63923fc785d75e74d48aa65
SHA256: f16b65d090d7e7028e5ab0ea8da17dbd29ad25916c35d7697725cc0354a8818a
SHA512: 4217069cd10f473bbc1fa95a896a9bac042746d76718b94361883be393291f4b490aac6a867fede9254bbf09aa18af2c622f5c6d9d7b7c3dd3a55ea7d3b45d1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d3a7b3b0ed955fa48ef7c031707e0a0e
SHA1: 39283403f18e2f3494c7cf9ab42a91559d24bfe7
SHA256: 91b3b235e87055f1b2b2dfc5883c808cd0758e549e21b92ba51770634871fb9b
SHA512: 2f26529c9f9ca5404de4c11fca09c151cf0d257a51a69929f438e989046e496da23a9040058541d0b60b6a21e4aaaec836647309712f74500e3014b01df58ea7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 72ee68299b21b1d74075e8b147399b6c
SHA1: da9d1b04eaea9cd37991a05fb072d64e3902da5b
SHA256: 2a0791e7b3e7307731c8c8ec546b150189786633234dedce3938a8454e5e3a83
SHA512: ba4202a11f9fd8bb93116869cc4a9c5528c1c70142a52d2dc9e3d860304c8f3dd0d647ba0cafa7052737679b73cf5b43c6490af8b28de1c76b4b4a9a2ffc22e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: ca6d976d33ce253cc42f4c9f68ce4a55
SHA1: c765ac154c5935c1947dc0b791d6cfef7d2b7ff1
SHA256: 880aabf8117a9d14d877e0e5dc13e4664aa886c1f74592c4eef838cecc703627
SHA512: d305e0e59fa5994122892f23e062ed207b2232c04b86400ba772711a87f9e99695f8117db1b7a4b8bea71d57ba96b113468aa9e06610064600b3154ee7ffaab8

Filesize: 1KB
MD5: 38ec3607b15eb241c73ccd7d216c4e97
SHA1: 312a22cdf5f7b2612f209acf16fe4b61b7d4bb7c
SHA256: b3efcbf88630c874554114fac75751a35654891507da9755a8a8c194bb693266
SHA512: d36d359e07bae705ee2d038da7916112f86f8158d3cec1d1d9e613fb9ddda329e7052dee62f5d3e4858db38c35611cf2d66d23570d90babe0da90766f1e4f23e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\favicon[1].ico
Filesize: 1KB
MD5: 7ef1f0a0093460fe46bb691578c07c95
SHA1: 2da3ffbbf4737ce4dae9488359de34034d1ebfbd
SHA256: 4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c
SHA512: 68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Filesize: 53B
MD5: 23962a245f75fe25510051582203aff1
SHA1: 20832a3a1179bb2730194d2f7738d41d5d669a43
SHA256: 1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512: dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Filesize: 3.0MB
MD5: 45e62dd07dd3fa794891e94748f1452f
SHA1: 4772fb6e352821f0f796980ce1f68569dfaf16a6
SHA256: 2a009406529752c34a71407e3c3ab1e599a5b8c35b8406461a0af154ffbfd629
SHA512: 70b3af6db8504ad6accb5b8d912852725fa0f48d3c83448098521920de2172901c3dd6584a690369f312bd7ea29de687da0b7bd6c7d858058edd34455757aeae

Filesize: 6.8MB
MD5: 96b0663847844937df58b0c12833e374
SHA1: 61642a2218bf963717df2b1801a112fe7792adf1
SHA256: e10a7d2095c946d0a0088bd59ac0d05b047aa103ff8379c37a884f5f7e2b965f
SHA512: 88c135e40cdde68df99da3701b9b78aa1f3c913683f5dd58921f1f1769e3f5f18e161d88dd3eb3f77f1ab11ba4088fa67d00c26b8859dd6e648b02ff0a2bab01

Filesize: 5.5MB
MD5: 14d6143926e8431ddb510fab944bb092
SHA1: d9d874113e7b5852226e9b7909e76f121b3b1119
SHA256: 94101806b2196517f1ebcf2aa26abff1f75c2fceda7dfccdfa8b0c75c85e203c
SHA512: b48f7980a1a12182b4fd7ced9f93e4460011bd466e71f1fba370a547ff59d53acda29dd9d595739a0b1bfbb6fdb042ab90e6b48bdbbab331ce000544097d7a2b

Filesize: 660B
MD5: c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA1: 10b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256: b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512: 409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

Filesize: 3KB
MD5: b7c5e3b416b1d1b5541ef44662e1a764
SHA1: 8bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256: f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA512: 65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Filesize: 492B
MD5: 34c14b8530e1094e792527f7a474fe77
SHA1: f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256: fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA512: 25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Filesize: 3KB
MD5: 6b78cb8ced798ca5df5612dd62ce0965
SHA1: 5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA256: 81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512: b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Filesize: 247B
MD5: ca436f6f187bc049f9271ecdcbf348fa
SHA1: bf8a548071cfc150f7affb802538edf03d281106
SHA256: 6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512: d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Filesize: 5.4MB
MD5: 59be1f29067123ab3011e1b8a94088d0
SHA1: 60d675cf74b5674cf715af637c4fa0e8dd8ac5ae
SHA256: 2032b89290bba82ce826443c615bbcede294101f9a55e9e40ddbabb6130f795b
SHA512: a4561e95e23434320dc7eb492cd749076771e4090a3145448ce1697c35650ba0bbdf3544630881f993feac57d29f94afe99d8577442b8f5cb10aef77e601eaac

Filesize: 6.9MB
MD5: e935aa841e33b5c4c524136754e1feea
SHA1: ffdc4af4b3c55dcb5e64c0f4006bdf78b485f037
SHA256: 45a8bd48a7655151eafcf80963a5010933dd1394f984644dfecdf849e24d5193
SHA512: bb150bdb0f641c9ca41ea6998234aeecc24b1f8f335d4816bc59a943e94678ce7281ceb511bcc3e0fa409b041dd194052a527f4fc2b8faad60d21caadb4aae6a

Filesize: 9.2MB
MD5: de4bcb7850d84f35170653c4c396433f
SHA1: a6fa489ec0fd8937eb9116654f4c2467e1f91d71
SHA256: 073bd3d560ed7654ccc85ae373befdb7a59542753354e22680912fe34b703d14
SHA512: 93eeac778ab7a82c837e6e76a6ec99a8b0af603aa07bcf8c0f683b766639f4a57869f9069f4a0bd5e93ff80e502d1b2980f15c833a9134516fa4a2c782dcb710