Overview

overview

8

Static

static

3

c28698fb77...c7.exe

windows7-x64

8

c28698fb77...c7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c28698fb7793316606141e59d6f32bc7.exe

  • Size

    45KB

  • MD5

    c28698fb7793316606141e59d6f32bc7

  • SHA1

    5fc1e08a5213ac4ba94bcb64b2e2a1f7dbab4104

  • SHA256

    9d414195a8cb7fe4018e16b5b425ccf64d8f50405a298705173c5310bfd0326b

  • SHA512

    2ba80cd1072e9e334953c5ef08416ab179bcf86cdf019731e689fd66eae8cb1cace25f5eb2a93c6ee6cb829728e16b5b74228c8c19f0d0fb957f3f7e725ba870

  • SSDEEP

    768:LRVZwlephZYNuRrIKM/GsNEpFjEf8o688PUQ0Zbnwzoxz5FhVkdvDyg:LRAephXq/hxf36JUjZhxdFhKdvZ

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c28698fb7793316606141e59d6f32bc7.exe
    "C:\Users\Admin\AppData\Local\Temp\c28698fb7793316606141e59d6f32bc7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3156
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
          4⤵
            PID:2280
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
            4⤵
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
              5⤵
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              PID:2600
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
              5⤵
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              PID:3504
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?S"" /f
              5⤵
                PID:3496
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                5⤵
                • Modifies registry class
                PID:1136
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f
                5⤵
                • Modifies registry class
                PID:844
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                5⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:4880
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp
                5⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:2316
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf
                5⤵
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:748
                • C:\Windows\SysWOW64\runonce.exe
                  "C:\Windows\system32\runonce.exe" -r
                  6⤵
                  • Checks processor information in registry
                  • Suspicious use of WriteProcessMemory
                  PID:4812
                  • C:\Windows\SysWOW64\grpconv.exe
                    "C:\Windows\System32\grpconv.exe" -o
                    7⤵
                      PID:4580
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 D:\VolumeDH\inj.dat,MainLoad
                  5⤵
                    PID:1600
            • C:\Users\Admin\AppData\Local\Temp\inlAB70.tmp
              C:\Users\Admin\AppData\Local\Temp\inlAB70.tmp
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4684
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlAB70.tmp > nul
                3⤵
                  PID:3856
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C28698~1.EXE > nul
                2⤵
                  PID:4704

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\4t1od2g\imagestore.dat
                Filesize

                1KB

                MD5

                c891f4c473bb26454832fc71a87296c1

                SHA1

                fbb5b8a86524b4232cfa8d2e36e3246d8aef38ca

                SHA256

                91ef19f37785c5c116c3648037f11b2b76170d5c1475825d01a25a5bf281f40e

                SHA512

                04c6dd11682b9cb481bbd8954f07e719321e57bd0b18190b105afb83baa27f032768889e7a75ad65a597005649299631e8ea20bd0c6b1686cc562e620abdf185

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OCSF5S5B\favicon[1].ico
                Filesize

                1KB

                MD5

                7ef1f0a0093460fe46bb691578c07c95

                SHA1

                2da3ffbbf4737ce4dae9488359de34034d1ebfbd

                SHA256

                4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c

                SHA512

                68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
                Filesize

                903B

                MD5

                a895dff7b4822dbeacbc624df35b115f

                SHA1

                1ecec3bde42582d1841755d6f27ee707c97fbf1e

                SHA256

                a4d15f9e35eea6a8df381f1755660210afc596d97b2babd65132d2261769c5c0

                SHA512

                340b00695153e29ea71726c45482c1923765e4b93c8fdfa243dc575014711f8b27e9e29b1ccce4d86349dab4422f6c72e73cef049cd53c4a8657c5dfbb929f29

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\inlAB70.tmp
                Filesize

                3.3MB

                MD5

                7169c9986b82d83119ad386d0791057d

                SHA1

                7fa8052f07c9dc724129ab6df4ec407b37b8ff8c

                SHA256

                ef8b14f93da0f74296e3d1df7a5f7681da9dc2cff2871e885724ac2bcd45ec99

                SHA512

                be32585c8a76181b43d3b8f1eb7829aaee14f44c180303521d806c8f842f0cf5d0f7f72c871f91d9f3ceba462040e4efbfe928d6d83a383cd7ed04f647f1836d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\inlAB70.tmp
                Filesize

                3.1MB

                MD5

                e71a145593fcec0217f6732b1ee0e8bb

                SHA1

                b8ceabb6b413519f0f8743d2db180207f6c2efac

                SHA256

                05f8645c6ac7b59d7a2c606e02ba577323740b93938f71d2d67010a20b6ced74

                SHA512

                a55035f41209b6636f03c5410517bdbc6e605e28b9b4156a98153c54289a28ebda7310269c7f3a27b287d8a0bf6637853278cc479802c56de90dff240fcbb5e3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat
                Filesize

                50B

                MD5

                e08ad52d3d132292f9c51e7cfec5fe08

                SHA1

                269f7eb185a9ff02664297bfb6f5df9f86ec10f0

                SHA256

                bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

                SHA512

                3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\1.bat
                Filesize

                2KB

                MD5

                582695c0131019067973d3870c8c9bca

                SHA1

                575da5536074707385418985375d6735fec7de77

                SHA256

                4dd7bb56ca6f2e48cd57ceafcd79ff31c11ce2d474d777ee5c9e16c5bfbf3e9c

                SHA512

                ea59965f427ca826734115290e42ed9a2b7db66853474a735c0add16b5e0f2e799fe7586aa2114443797d3ea02c09e36523d072dc12be38c9be5ddbab6083231

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\1.inf
                Filesize

                324B

                MD5

                49ba606701a0d1d24e01d3b98029aa3a

                SHA1

                5b6b4cc5bbf46762c41213b6ada8a3ce1ac1129d

                SHA256

                c7b9f2ec324fba5b678c5e1b7f054c6c90255fc1830c378743838e1ed6ad4311

                SHA512

                1b0f03e8132caff71b8965d5eacfd37ab8b99a7ea2621aadf964e4ce943994d40b1e9347245b923d8bd9f13cf1ec959f7e88c2edaa7045cd6bc2d98e13bc59fc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\1.inf
                Filesize

                410B

                MD5

                66a1f0147fed7ddd19e9bb7ff93705c5

                SHA1

                9d803c81ea2195617379b880b227892ba30b0bf6

                SHA256

                4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

                SHA512

                cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\2.bat
                Filesize

                3KB

                MD5

                2cc7ab0e0e60b07b036165b5359b4f29

                SHA1

                ce5d46d531e37bb52ac4983c061963223b043052

                SHA256

                52ed22e575304c981f0f44c771fdd7d4fe185ecfba4ff9e3ac24986686e58be9

                SHA512

                35bb22bf0c253a0d099f6fbf92ebea36714a674459f7185bce8267aee79ddceeef010a86b3e0f5a1aa9af0d7d3843c4a905a171529e19472543c916b7c926746

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\2.inf
                Filesize

                244B

                MD5

                524023ba7f18bfc502d22dbaade4571e

                SHA1

                fc118e1284db4e36da41d5cc4496ffa9a8b7cd2e

                SHA256

                5d170c83ca9a16ed7f62145099b3b8b0c0a1d4187e60bb0719754cb6ed40fc4c

                SHA512

                22384a0854a9949209444d9e7af3016327ad698e56797af246e02604b880949f40c7f4627303c11d73581c681b93bcee285b3937d4088c61107b9ec73901bdbc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\4.bat
                Filesize

                44KB

                MD5

                8639815b7bda81055eaba69766f4c83c

                SHA1

                fcd1aacf535d0e948a8ff8104126040d1efb5bb3

                SHA256

                cf1b5e5145057f947af3ab59060e7b184975c66a68d4076732774a572f8376c8

                SHA512

                02268150ae0042dc1b8fda8d2d31b8d94058ade4fff8244a60ba8580f464e1bb5cec4a77448ba730389f9680b27742a697174c5efe2c1ddccb342ab01a5b0954

                Download Submit

              • memory/380-76-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-89-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-55-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-60-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-61-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-62-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-63-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-64-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-56-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-66-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-67-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-70-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-72-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-73-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-75-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-74-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-125-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-78-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-81-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-83-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-82-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-54-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-52-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-58-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-90-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-91-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-92-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-93-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-97-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-99-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-123-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-51-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-103-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-104-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-105-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-110-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-122-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-119-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-120-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/380-121-0x00007FFCA7E30000-0x00007FFCA7E9E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/1104-7-0x0000000000B30000-0x0000000000B33000-memory.dmp

                Filesize

                12KB

                Download

              • memory/1104-98-0x0000000000420000-0x000000000043F000-memory.dmp

                Filesize

                124KB

                Download

              • memory/1104-0-0x0000000000420000-0x000000000043F000-memory.dmp

                Filesize

                124KB

                Download

              • memory/1104-5-0x0000000000420000-0x000000000043F000-memory.dmp

                Filesize

                124KB

                Download

              • memory/1104-1-0x0000000000B30000-0x0000000000B33000-memory.dmp

                Filesize

                12KB

                Download