05a4b6e3bc783f5fc84c27264e903028791844bfd4678736d827d984f4ea05c0

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe
Size

164KB
MD5

1c1372d20265b22a035253070adc1d22
SHA1

61e16e88c26923e23d38e8ab4727eebd1f9a0db3
SHA256

05a4b6e3bc783f5fc84c27264e903028791844bfd4678736d827d984f4ea05c0
SHA512

21e40c0be7d8e90e92dfcc374753cac80e08cd5e0a13c6c8579580458ebc3f5d81ee9389f32b6596319d3183d8d0b70611c1e0669de597f8b3f0a55bfec2be7f
SSDEEP

1536:TyZ7DUDBiGSlwERCk5yKR2byvh5eO950yvS6eX8TmS1W6udQc49fDEN+wtBa101J:CHUDsB5tD6X8TmSg6sV49fDw66z

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1664	attrib.exe
380	attrib.exe

Deletes itself 1 IoCs

pid	Process
580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1500	inl9417.tmp

Loads dropped DLL 2 IoCs

pid	Process
2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe
2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426020909"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3E60B51-37D8-11EF-B393-E64BF8A7A69F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1644	rundll32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeRestorePrivilege	1960	rundll32.exe
Token: SeIncBasePriorityPrivilege	2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1500	inl9417.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2524	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2524	iexplore.exe
2524	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2648	2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2648	2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2648	2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2648	2932	1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe	29
PID 2648 wrote to memory of 2448	2648	cmd.exe	31
PID 2648 wrote to memory of 2448	2648	cmd.exe	31
PID 2648 wrote to memory of 2448	2648	cmd.exe	31
PID 2648 wrote to memory of 2448	2648	cmd.exe	31
PID 2448 wrote to memory of 2524	2448	cmd.exe	33
PID 2448 wrote to memory of 2524	2448	cmd.exe	33
PID 2448 wrote to memory of 2524	2448	cmd.exe	33
PID 2448 wrote to memory of 2524	2448	cmd.exe	33
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2448 wrote to memory of 1644	2448	cmd.exe	34
PID 2524 wrote to memory of 2232	2524	iexplore.exe	36
PID 2524 wrote to memory of 2232	2524	iexplore.exe	36
PID 2524 wrote to memory of 2232	2524	iexplore.exe	36
PID 2524 wrote to memory of 2232	2524	iexplore.exe	36
PID 2448 wrote to memory of 1812	2448	cmd.exe	35
PID 2448 wrote to memory of 1812	2448	cmd.exe	35
PID 2448 wrote to memory of 1812	2448	cmd.exe	35
PID 2448 wrote to memory of 1812	2448	cmd.exe	35
PID 1812 wrote to memory of 2240	1812	cmd.exe	38
PID 1812 wrote to memory of 2240	1812	cmd.exe	38
PID 1812 wrote to memory of 2240	1812	cmd.exe	38
PID 1812 wrote to memory of 2240	1812	cmd.exe	38
PID 1812 wrote to memory of 288	1812	cmd.exe	39
PID 1812 wrote to memory of 288	1812	cmd.exe	39
PID 1812 wrote to memory of 288	1812	cmd.exe	39
PID 1812 wrote to memory of 288	1812	cmd.exe	39
PID 1812 wrote to memory of 2220	1812	cmd.exe	40
PID 1812 wrote to memory of 2220	1812	cmd.exe	40
PID 1812 wrote to memory of 2220	1812	cmd.exe	40
PID 1812 wrote to memory of 2220	1812	cmd.exe	40
PID 1812 wrote to memory of 372	1812	cmd.exe	41
PID 1812 wrote to memory of 372	1812	cmd.exe	41
PID 1812 wrote to memory of 372	1812	cmd.exe	41
PID 1812 wrote to memory of 372	1812	cmd.exe	41
PID 1812 wrote to memory of 1572	1812	cmd.exe	42
PID 1812 wrote to memory of 1572	1812	cmd.exe	42
PID 1812 wrote to memory of 1572	1812	cmd.exe	42
PID 1812 wrote to memory of 1572	1812	cmd.exe	42
PID 1812 wrote to memory of 1664	1812	cmd.exe	43
PID 1812 wrote to memory of 1664	1812	cmd.exe	43
PID 1812 wrote to memory of 1664	1812	cmd.exe	43
PID 1812 wrote to memory of 1664	1812	cmd.exe	43
PID 1812 wrote to memory of 380	1812	cmd.exe	44
PID 1812 wrote to memory of 380	1812	cmd.exe	44
PID 1812 wrote to memory of 380	1812	cmd.exe	44
PID 1812 wrote to memory of 380	1812	cmd.exe	44
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 1960	1812	cmd.exe	45
PID 1812 wrote to memory of 2160	1812	cmd.exe	46
PID 1812 wrote to memory of 2160	1812	cmd.exe	46

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1664	attrib.exe
380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c1372d20265b22a035253070adc1d22_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\leg20_check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2232
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2240
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1572
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1664
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:380
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:1196
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:840
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2160
- C:\Users\Admin\AppData\Local\Temp\inl9417.tmp
  C:\Users\Admin\AppData\Local\Temp\inl9417.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9417.tmp > nul
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1C1372~1.EXE > nul
  2⤵
  - Deletes itself
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9aff86a42a761e6cc02ee47ae9cec84

SHA1
2b0eec19cfd6628f4befc4bdea2c0e27d6c85ad6

SHA256
7b81e1614d454ce48128954f5a998e883dbfcac582e8bbceb1c3576e63475c59

SHA512
9e2adeb6d2583f432080d08b7d61119cfb8be2553cd201a1205ec2118f481369b356f35c5c6ee2a0eeed886378bcef1a9a51b7712fe95a2042407009f19cf0c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
799df24ccfe73f7a0c3fb67cc9ebdc8a

SHA1
fd3b710ce2c807d3a96470896193fc098092ab10

SHA256
f3b776b20ee46246c921266e2e356f96fb64666488b5c4df6a05aba38a9db22f

SHA512
9d1cdf08108e47608024a6bcef9c0d6c54ae372366c6fedde99ed513554bf2f2ec951a5b01a28decdb59a2d6077c3415688862041591cb869cd14d3508fe259d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
479d6e1ad7a22741161ad827d46df60a

SHA1
d91a29990c28a14013e6da7c03daf001a4503114

SHA256
06d40a74362b70096dc6529041e9cbd9edd07d156655725b52d014f188ca5405

SHA512
d69c59fd510c329dffd793eb118844f0a9bd1439e27083e56318ca743e912c8cf30db3b37cc3fddd8b1d415349b859b5465c7e686a23711eb5e12f0d43b21c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f27e20bb650b9860896d1019ba091f7

SHA1
2604a8d3c0be62476aab734904a045ca14d5c6ba

SHA256
3ff684edeadae543a92f4b24fd7f952b1ed95b610606b692072f9de8af2ba4c7

SHA512
c65118a2c74d76aa1feca9c438f39ca60daa68841364b3c169246319ccbd2fcf27715d170c5f5df92c73910d8c35cda475e8208860997fa63f98462545930124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29ca9b50498de4b80319ecfdb1a3f072

SHA1
e9ff4665a65b9f9e873eb15cfea734a373f65639

SHA256
7222ca4f5ee64bb5659b7269b6b02ce48cd8b563744ccd3554fd572b5803558a

SHA512
c2ac17c90a78b49ad5cbd3d79077b249f3578f543095bccd3149e369a36669861f3046af651ffb4bea002339046e87896c2e3fc89b7b4afeef496e410420ddf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d330adee40ba5016f5564d743f77ac2

SHA1
2fee9b9df1b00269e21a06e1dc5a0467b276604c

SHA256
dca69077bb179172b36a106da5820f75ba4c03e49e08ee9dc3bb5fdf17f63a7f

SHA512
45b2f6e53cf21a0f1d7f0c12c7b5aabc15a49ef225a43684b6189715e1ed7db0e1e9bd95c36d5a69d1799ee278202837f13f20b172b09a98b54ec19e36e295fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af16059ca9283b8482d2e4c5446f8c46

SHA1
43030176ba1029e160f2e4664ea788b7b7775901

SHA256
99f85ea61b53c1335293aaaf9208db8b56869626c9f1aac2bc24b81aaca1658e

SHA512
30c669c9da8263c3bf08eefe78fcaff36f82680570eec4f6a86bd2cfd84a43c7d24aea81f5e3395c49ea814c0913742b34954e461f0b641f8bbf05f0e0a88e2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
329d75640a027154249bd65ad6c6bf1b

SHA1
4df373d957c433dbe5978ff6c68b7a9b1118b40a

SHA256
0748821885e8f7bccad966ea02407545c740889b1acd581c433c1b79e6985824

SHA512
34fd11f8cdec479d7165f8184ac0a0d067e3a45cffd6743b3dc71c3d425d1c349d298418755ae6cd6bc368137176661b667f3015c1e4d3146019a533a9035cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6d7c9d9e3250794efd4795d9b34c4f1

SHA1
c7fda71e44a83603f05618cb7e317bf43b572c12

SHA256
43c697d56626f0245241d2eadfab05fa2fbf4621cc91ba60f949d092c7023d29

SHA512
4e4354cab9113f5f83bb625ff32704b7a91a827e2bf0994fc0e4cc513eb7239fc17cc6708329f005329f1e960c6eeceac39b8176866683e3ae43c7cafb7d23c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a79576f6af0ef2cba22c46292a463263

SHA1
e80d5360d3dac2493708e79986257b619899e929

SHA256
9f9783da33800dbbf75ac562eb39ef19964d8e356551421bab465772b0a27b64

SHA512
cfb9587e673434cc3bbf0d5854f1d7884d45b04fb800f03d89880eaa021365bf8371967333731d2967610bc7f49ec9c8ea17b66d7ccbae64d873987bd05663a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9acadb69773f47650dbf7e967798ad61

SHA1
31e167dfd4eec9c5e82298a79cf8d66bbd91508a

SHA256
f65138db8805c879b1dea616d46b33288debab0d1bb818737be3557f3c40cbef

SHA512
05ac87997b9c269428846c79a5d9f297080d36416070b596e319caa36ab00a18d7dd9c5fdaa2795b3298d471b161d77d2571daba64dbae46444542ebb1c4ffdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f9957f3996bc480d1a50f00b48c95e4

SHA1
36d83013f190fe1d8c0eb294090c3611b21ba1bc

SHA256
a7d5827b607ad0f68cfe7e010bcf7e601537e42c031e873fef0def299e4b2d27

SHA512
a7d0bca288c3c164a9c5e9e82551beed27763defc77f2d0c579054a7f17491dd02c3a276853650ddc9c71fe3792f3a26e90f5e72a320969a75b455e29681ec23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f704255530f5f0ea25e76dc51d0fe69

SHA1
f0daf729f2e3a4b4d9e0d8b096c7538f73fdb9d8

SHA256
ff8a0c1f1ce1e90b82750565b31af005abb84146a977eefffae9f4cdbd5597ab

SHA512
3d4e426950db32b420940ee17940c581b011c30f17651e9a20525570e18369c69ba5ac6c177a6c9c6ad57b8bad1e45704398babab8f22d471619322116ad86ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0ceb1897531bd63cb6df5a3b904b5db

SHA1
928f78e8b3c15889a17f23c2b1018d9bd775aea9

SHA256
a4d490688aedd6f37a3c98313eced389e20b2b51fde985e5f171abef8ec4a7c9

SHA512
a5d08b73330400e51f39f8ed61899f510c170ceae72c6a112d71abe2499a087899626ac90c25ab6a674f3493cd66559d946b9285d6898981a73c7b051b74b001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ff2a7c17aa58b44bf985b312acbf9fd

SHA1
ab43ed702b931a6bc52ab2f65c9990a69cdc7eaa

SHA256
1ac72dcfa25df7df37a7b8dac62e35f6164a492d72ef01abfa616972a69d84d8

SHA512
9c5fb847b191ba3ef17ad6e061ebe03ce59713cce97d2d8ebec656c3aec8a30e499013ebd7321b5858d6a1b09322a4004226f816b50f57ca8040da1ccbe91a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8570a2136b1c98ed7e29223c43156e72

SHA1
c965cbf2c9fd6f23e9b33bc0f55aa2b6b152c1e0

SHA256
64eaeb1d5ed59ec7e00e082e74a84367150d3352edd9a01ebb413c17a3310d98

SHA512
72beffa24712c608083127fdd9049d3483bb9ff711e842ff005a7cf77b685a881492b93700a573b593dccc7be8515ae32a2db7f9f24437506791099c7dab6bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ad38d69a6b89acf83ed700c2af129aa

SHA1
8b219b7b1df0fc2e2ae55dd4578ab3bfd474a3f7

SHA256
c904a668dd23434bcfbd19bb5135ac2ee0b354aee2e5d07142c3530ac3775d24

SHA512
cdd34dbcda9b65e87804acdd1f3dde7a643181e5cacb0c7b8e9fdeab57527b879193b4a7f297d626581a82a67bcc68ca1cc4cd8c19e1a0af3286aba45b128194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a156f8de185edcf2547e91f526789542

SHA1
42277a4574568c5f0e8f964fc267d9ace661e03c

SHA256
91eea186e19b8128375377bcb645a7095e2cca5ac0cb13f75178cf0ea1156288

SHA512
742bcbb0f23136f0fce6fc9bed089dbd4d59e9c6fbf976aae5496b5269a8f06e446637e7ec19a8e55b50b4fc7814ed912a7e0e783dde78479740df6072e4c290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
137024d08ef74a347464787540dbaec1

SHA1
0dff8f6df0eceb714d7905e9363ef26192c0a2e3

SHA256
d98276d95b5bb9ccd24c333c1c3d2bee617e0fb3c4698c94e37145c74e6214b6

SHA512
19e60cd90aafe7a127b49bbd7a84c37abe8dfc5914d12fe16c9d2845656d0dec47cfc8e39e15cdef4f1f5491cb336f3ec0d7fc8d04bde949ee548dfcec530857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\favicon[1].htm

Filesize
803B

MD5
9a56669fda653d180272060c91a1e932

SHA1
d5fd0bd68300df626aaad370ad96912f2edd3cf6

SHA256
37aa151bf0fc859681e856a3dad384f2344b542546e71d080ed7ac31abd79ac8

SHA512
e6a81e5e02a49a744ab62505d3d765a44f246c572f10b032a8e8137aba8b3f0c930ae8f5790c7104c0d1b4bfb9d5282363479954339758f932811260106ae6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab934C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab93DB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar93EF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\leg20_check.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
555B

MD5
458a331595f313d6bd4ac9cfd0a769c8

SHA1
74dffa252fbbf48b8f27900a0b77b339c4678115

SHA256
2387b151c34a6ee91d2f8a47976ec35c9fc6ea9ecbe0330e156a3a00d51cc0b2

SHA512
5b84b8bd34ab1816a2301330e6778fa1cb97c42eafee18c876aa73da26b4d7d1475def53558e2a69baf318c26b3227666a9c6fb4cb7d26d662ac2a7273970d26

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b7c5e3b416b1d1b5541ef44662e1a764

SHA1
8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

SHA256
f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

SHA512
65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
12.3MB

MD5
347827fbac7bc42d3ea685d191e210da

SHA1
2c97f00846ef8b3e88de441e528edfc805d96faf

SHA256
77f4807ede30598b35b3d5cd022a5da80d87c3a0442e1a638c2678768800565f

SHA512
88aee86d6bbc89fac53d74cd6c4adefa8d5141e491d53e80f34c232e3c013da3d2af1214eb5cf81d746745311996bcd3d53e4f39a1bda5b82da543069eefda7c

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\╟º═┼═┼╣║.url

Filesize
60B

MD5
6f5605e2f55ec2ac78e9883ef7d28b93

SHA1
363a8f5adbf5bd62303d53d621da9351f432b9cc

SHA256
7d19d3d0c3caf8d35eaa57a869664596083dccd850f9989b7eabdca727f363b0

SHA512
ba929e50a453378f899749114c6dae051e877e3a4a25f8ef82d17e27f73c5ae422d5ee576285f58690e555c8976bfed4fb18120ca7ffd3a092a7e7bf3794880a

Download Submit
memory/2524-57-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/2932-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads