1579be2c9e38abc5bcbeffc11285886aab4c535e83ed002b1866ba4ed79f95fd

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 09:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe
Size

96KB
MD5

04ec53a1c638d330d93daf8b7bfaadad
SHA1

c4c17dd3d907e2482abce5577b32b53ced7112b2
SHA256

1579be2c9e38abc5bcbeffc11285886aab4c535e83ed002b1866ba4ed79f95fd
SHA512

bfb95ed883e813abf582983043845667699b7f131cd6cdc52bd616c009827f490f8157a0610586259af4f91d4763cf5fb9d479e5bcb0e4cc5b057dd04bf2a524
SSDEEP

1536:WUsuXxpfTtbrO/A5HN+TOC+eWmcJ9J+r3:6ITtx+R+PJ8

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5096	attrib.exe
3428	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	inl8D78.tmp

Executes dropped EXE 1 IoCs

pid	Process
2996	inl8D78.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fsahdsf = "\"C:\\Users\\Admin\\AppData\\Roaming\\lua\\tmp.\\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1036	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90444413f8c2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000ae43e61a3094e1cf7b8614f421b71dfab902410b2969195b7ac93edced6a58fe000000000e80000000020000200000001e256cb42dccec1d3b9f86da40503ec2134f89fa5caa8557902828900495f37720000000518eec5cbc03fcd0dcbbefe6ef4895dbae46de625f84451c2721f2aa1f42a9e9400000006990a96d49307152a63efabe1c548ad4cd603ee7162e2409dd6690c068aa885b09d54b544ae87201f2608881a9fbc1df26e1ed769930b9021715b620f2268f15	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0893f13f8c2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{37782F6E-2EEB-11EF-9519-7ACDD6433640} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000000c1f211f3a446cd13fb948dfae0a7b61d43dad3a7b89ca472e060199a5359df0000000000e80000000020000200000004fc08cd7503990e09a824f64283409836fc4d7ea6eb09f23c45adc17205ed7c320000000168da0623e67c846b7432ecba1287ae9a2013c26a0359029cc55bb92e78950dd40000000c23789cc99d916b2cae27434ea34c09445bce0de18de32d5755ed2d4dccea9bcc214b3c26b546b92ee64eeb6661901afde1e46aac482e1088db0096cc363c0cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\lua\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4900	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	tasklist.exe
Token: SeIncBasePriorityPrivilege	2996	inl8D78.tmp
Token: SeIncBasePriorityPrivilege	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
512	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
512	iexplore.exe
512	iexplore.exe
4480	IEXPLORE.EXE
4480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1652	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe	90
PID 2584 wrote to memory of 1652	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe	90
PID 2584 wrote to memory of 1652	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe	90
PID 1652 wrote to memory of 3480	1652	cmd.exe	92
PID 1652 wrote to memory of 3480	1652	cmd.exe	92
PID 1652 wrote to memory of 3480	1652	cmd.exe	92
PID 3480 wrote to memory of 512	3480	cmd.exe	94
PID 3480 wrote to memory of 512	3480	cmd.exe	94
PID 3480 wrote to memory of 3968	3480	cmd.exe	95
PID 3480 wrote to memory of 3968	3480	cmd.exe	95
PID 3480 wrote to memory of 3968	3480	cmd.exe	95
PID 3480 wrote to memory of 4872	3480	cmd.exe	96
PID 3480 wrote to memory of 4872	3480	cmd.exe	96
PID 3480 wrote to memory of 4872	3480	cmd.exe	96
PID 512 wrote to memory of 4480	512	iexplore.exe	98
PID 512 wrote to memory of 4480	512	iexplore.exe	98
PID 512 wrote to memory of 4480	512	iexplore.exe	98
PID 4872 wrote to memory of 4900	4872	cmd.exe	99
PID 4872 wrote to memory of 4900	4872	cmd.exe	99
PID 4872 wrote to memory of 4900	4872	cmd.exe	99
PID 4872 wrote to memory of 3120	4872	cmd.exe	101
PID 4872 wrote to memory of 3120	4872	cmd.exe	101
PID 4872 wrote to memory of 3120	4872	cmd.exe	101
PID 2584 wrote to memory of 2996	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe	100
PID 2584 wrote to memory of 2996	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe	100
PID 2584 wrote to memory of 2996	2584	04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe	100
PID 4872 wrote to memory of 3948	4872	cmd.exe	102
PID 4872 wrote to memory of 3948	4872	cmd.exe	102
PID 4872 wrote to memory of 3948	4872	cmd.exe	102
PID 4872 wrote to memory of 1700	4872	cmd.exe	103
PID 4872 wrote to memory of 1700	4872	cmd.exe	103
PID 4872 wrote to memory of 1700	4872	cmd.exe	103
PID 4872 wrote to memory of 3428	4872	cmd.exe	104
PID 4872 wrote to memory of 3428	4872	cmd.exe	104
PID 4872 wrote to memory of 3428	4872	cmd.exe	104
PID 4872 wrote to memory of 5096	4872	cmd.exe	105
PID 4872 wrote to memory of 5096	4872	cmd.exe	105
PID 4872 wrote to memory of 5096	4872	cmd.exe	105
PID 4872 wrote to memory of 2612	4872	cmd.exe	106
PID 4872 wrote to memory of 2612	4872	cmd.exe	106
PID 4872 wrote to memory of 2612	4872	cmd.exe	106
PID 4872 wrote to memory of 1036	4872	cmd.exe	107
PID 4872 wrote to memory of 1036	4872	cmd.exe	107
PID 4872 wrote to memory of 1036	4872	cmd.exe	107
PID 2612 wrote to memory of 2488	2612	rundll32.exe	108
PID 2612 wrote to memory of 2488	2612	rundll32.exe	108
PID 2612 wrote to memory of 2488	2612	rundll32.exe	108
PID 4872 wrote to memory of 4608	4872	cmd.exe	109
PID 4872 wrote to memory of 4608	4872	cmd.exe	109
PID 4872 wrote to memory of 4608	4872	cmd.exe	109
PID 2488 wrote to memory of 1716	2488	runonce.exe	110
PID 2488 wrote to memory of 1716	2488	runonce.exe	110
PID 2488 wrote to memory of 1716	2488	runonce.exe	110
PID 4872 wrote to memory of 1604	4872	cmd.exe	111
PID 4872 wrote to memory of 1604	4872	cmd.exe	111
PID 4872 wrote to memory of 1604	4872	cmd.exe	111
PID 4872 wrote to memory of 1552	4872	cmd.exe	112
PID 4872 wrote to memory of 1552	4872	cmd.exe	112
PID 4872 wrote to memory of 1552	4872	cmd.exe	112
PID 4872 wrote to memory of 2136	4872	cmd.exe	113
PID 4872 wrote to memory of 2136	4872	cmd.exe	113
PID 4872 wrote to memory of 2136	4872	cmd.exe	113
PID 4872 wrote to memory of 1808	4872	cmd.exe	114
PID 4872 wrote to memory of 1808	4872	cmd.exe	114

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3428	attrib.exe
5096	attrib.exe

C:\Users\Admin\AppData\Local\Temp\04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:512 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4480
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .bat /f
        5⤵
        Modifies registry key
        
        PID:4900
    - - C:\Windows\SysWOW64\gpupdate.exe
        
        gpupdate /force
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:3948
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1700
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3428
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "360tray.exe" tasklist.txt
        5⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile" /v "NeverShowExt" /d "" /f
        5⤵
        Modifies registry class
        
        PID:2136
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile\DefaultIcon" /v "" /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE" /f
        5⤵
        Modifies registry class
        
        PID:1808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3520
- C:\Users\Admin\AppData\Local\Temp\inl8D78.tmp
  C:\Users\Admin\AppData\Local\Temp\inl8D78.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl8D78.tmp > nul
    3⤵
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\04EC53~1.EXE > nul
  2⤵
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
915B

MD5
be85f25f9b7db8406cd5355970ab35a4

SHA1
9b3dda905d2e30940e7205846195b2d7b6636747

SHA256
fa23240bc8f6b3bfe2622188299e24aa286ab3d27ba0e40358f8893926a6dc59

SHA512
8418f4d3dca7002394e8d538d90bfe05582a2ee4b10f8526c3cbb87c8a512ee606afd0172eaf57e47bde21c0129b53a740c4e5a5ed1efa205316edc5e9ab9ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist.txt

Filesize
7KB

MD5
131530cdc25ff3547489837c7b23abf2

SHA1
b7db1854d8b0c18d29fefefe66139beedee1fa55

SHA256
52cd261d8e4260483873412e883cb627c20968ec84f3f1eea151d3294f5b1ba5

SHA512
0f3e129183337ecbd226c622caa5b3256aaa4c76dfa9d60de32ed8dff0b2a512df1940e7dbbf1e6e706984a8b59d89d5dcca71846da095ab9670cb5e50addabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat

Filesize
50B

MD5
e08ad52d3d132292f9c51e7cfec5fe08

SHA1
269f7eb185a9ff02664297bfb6f5df9f86ec10f0

SHA256
bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

SHA512
3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.bat

Filesize
2KB

MD5
d720afa7c1bc6d67157c1fc5e1804f5f

SHA1
372cb41239edb1f4452a67b2c116cd4016b0f608

SHA256
fa0eaebd30bad6d62a875ff2bbd6861750cdf63ef811e620d95584337d8805e3

SHA512
1f4b6dffc79fbdac3868dbd9c9654374eaf28600053dcf041dcc0bbfdfb7d6610d29b8edabf0a88d3d298e8877f927c6f0600fca41ccb1e7d4aaed44ea1d3f1e

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.inf

Filesize
348B

MD5
5a2ee8346e676499a5658277e98b2317

SHA1
34a8d363b3dac690a251e181b3522b3d9e7ffe6e

SHA256
4e367269b4b19b937a7f7a420613d2a69e96aef456dfd4b4f6853c1e92885cca

SHA512
86f575fc7816ed33ef996e6385bae144c4d750be44f59dd1856b7f601b5291960f522153206a38de75f942537b280c2b49a1c038ba82faa36b9e903354ea9242

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.bat

Filesize
8KB

MD5
7b2cc87165c7598cd390c0f7cf4d6717

SHA1
04fd7ce74a29e2df543b9f3eca0bf8f82064f5af

SHA256
4f9d55cf344b944fd73ed63560ee9bf9130f124d593502b5a67abab2586bcd62

SHA512
0d8ca7b61c3a1d69b571063c2d43b623f2fac296e8f9c0dda1103212546632356aeaac6b21de1097ed54682aeccd5a68d8ef08f03f6ad0fc2bd386c7f52bc996

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.inf

Filesize
244B

MD5
2de3e6e4faea8c4a10ddd4f26455caca

SHA1
b7c02274aa020619e6c7b925427b027ffcc28629

SHA256
9f29d64886130752a5fe40ce6e83a8f35dc65340871cfe435499a609037c2824

SHA512
0e49cbd89766d3697ce4c9a2c83de32ebaee2d41f1a635a94cf0c73541aaa614f4f5b755f55d21fdea07fc76985bc741f2649abc1c6a32e9876ffa6b3a1c33c8

Download Submit
memory/512-75-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-69-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-48-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-46-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-55-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-58-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-62-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-64-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-70-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-54-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-72-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-71-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-74-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-80-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-81-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-79-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-82-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-83-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-40-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-73-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-89-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-47-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-68-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-66-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-60-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-57-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-56-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-52-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-50-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-49-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-44-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-43-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-41-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-45-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-91-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-96-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-94-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-93-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-92-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-90-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-121-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/512-127-0x00007FFF9F670000-0x00007FFF9F6DE000-memory.dmp

Filesize
440KB

Download
memory/2584-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2584-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads