42b8bb016e2c6218274ea1da2e40bf07b2a712347c995eaffd3a7934a580e01b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe
Size

33KB
MD5

2e2cbc4c8e1c299179e198cd075b954b
SHA1

8d07a12b957ec48f20ced73a2196151059c95960
SHA256

42b8bb016e2c6218274ea1da2e40bf07b2a712347c995eaffd3a7934a580e01b
SHA512

4c11533b60f9821b32cf5a3c49ec7c5c633c9f486c0bb83a0798d6e6d1cb75309cfacee8575914a98b70512c62cd61869acf3e9bda6ff63a41ee5c1abfab4505
SSDEEP

384:0+Zc3OM/l/yjVCBr9sYrYgIHsNiAIeLViXS1f4lrRpCkdKnOMAkMNek+vvWNeEnd:xi/CAmYFIHskAREFpdKOMAxn6Bw

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4760	attrib.exe
2824	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	inlBB5E.tmp

Executes dropped EXE 1 IoCs

pid	Process
2764	inlBB5E.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fsahdsf = "\"C:\\Users\\Admin\\AppData\\Roaming\\lua\\tmp.\\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4500	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117761"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2080967194"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117761"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2080967194"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117761"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7A442DE-3DB4-11EF-9BD7-4A64FBB68FC2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2085967273"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\lua\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4736	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2764	inlBB5E.tmp
Token: SeDebugPrivilege	4500	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1652	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1652	iexplore.exe
1652	iexplore.exe
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 1520	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	88
PID 3136 wrote to memory of 1520	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	88
PID 3136 wrote to memory of 1520	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	88
PID 1520 wrote to memory of 4496	1520	cmd.exe	90
PID 1520 wrote to memory of 4496	1520	cmd.exe	90
PID 1520 wrote to memory of 4496	1520	cmd.exe	90
PID 4496 wrote to memory of 1652	4496	cmd.exe	92
PID 4496 wrote to memory of 1652	4496	cmd.exe	92
PID 4496 wrote to memory of 1964	4496	cmd.exe	93
PID 4496 wrote to memory of 1964	4496	cmd.exe	93
PID 4496 wrote to memory of 1964	4496	cmd.exe	93
PID 4496 wrote to memory of 1912	4496	cmd.exe	94
PID 4496 wrote to memory of 1912	4496	cmd.exe	94
PID 4496 wrote to memory of 1912	4496	cmd.exe	94
PID 1652 wrote to memory of 1976	1652	iexplore.exe	96
PID 1652 wrote to memory of 1976	1652	iexplore.exe	96
PID 1652 wrote to memory of 1976	1652	iexplore.exe	96
PID 1912 wrote to memory of 4736	1912	cmd.exe	97
PID 1912 wrote to memory of 4736	1912	cmd.exe	97
PID 1912 wrote to memory of 4736	1912	cmd.exe	97
PID 1912 wrote to memory of 516	1912	cmd.exe	98
PID 1912 wrote to memory of 516	1912	cmd.exe	98
PID 1912 wrote to memory of 516	1912	cmd.exe	98
PID 3136 wrote to memory of 2764	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	99
PID 3136 wrote to memory of 2764	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	99
PID 3136 wrote to memory of 2764	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	99
PID 3136 wrote to memory of 1772	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	100
PID 3136 wrote to memory of 1772	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	100
PID 3136 wrote to memory of 1772	3136	2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe	100
PID 2764 wrote to memory of 2492	2764	inlBB5E.tmp	102
PID 2764 wrote to memory of 2492	2764	inlBB5E.tmp	102
PID 2764 wrote to memory of 2492	2764	inlBB5E.tmp	102
PID 1912 wrote to memory of 2604	1912	cmd.exe	104
PID 1912 wrote to memory of 2604	1912	cmd.exe	104
PID 1912 wrote to memory of 2604	1912	cmd.exe	104
PID 1912 wrote to memory of 4712	1912	cmd.exe	105
PID 1912 wrote to memory of 4712	1912	cmd.exe	105
PID 1912 wrote to memory of 4712	1912	cmd.exe	105
PID 1912 wrote to memory of 4760	1912	cmd.exe	106
PID 1912 wrote to memory of 4760	1912	cmd.exe	106
PID 1912 wrote to memory of 4760	1912	cmd.exe	106
PID 1912 wrote to memory of 2824	1912	cmd.exe	107
PID 1912 wrote to memory of 2824	1912	cmd.exe	107
PID 1912 wrote to memory of 2824	1912	cmd.exe	107
PID 1912 wrote to memory of 372	1912	cmd.exe	108
PID 1912 wrote to memory of 372	1912	cmd.exe	108
PID 1912 wrote to memory of 372	1912	cmd.exe	108
PID 1912 wrote to memory of 4500	1912	cmd.exe	109
PID 1912 wrote to memory of 4500	1912	cmd.exe	109
PID 1912 wrote to memory of 4500	1912	cmd.exe	109
PID 372 wrote to memory of 3216	372	rundll32.exe	110
PID 372 wrote to memory of 3216	372	rundll32.exe	110
PID 372 wrote to memory of 3216	372	rundll32.exe	110
PID 1912 wrote to memory of 3704	1912	cmd.exe	111
PID 1912 wrote to memory of 3704	1912	cmd.exe	111
PID 1912 wrote to memory of 3704	1912	cmd.exe	111
PID 3216 wrote to memory of 4764	3216	runonce.exe	112
PID 3216 wrote to memory of 4764	3216	runonce.exe	112
PID 3216 wrote to memory of 4764	3216	runonce.exe	112
PID 1912 wrote to memory of 1188	1912	cmd.exe	113
PID 1912 wrote to memory of 1188	1912	cmd.exe	113
PID 1912 wrote to memory of 1188	1912	cmd.exe	113
PID 1912 wrote to memory of 4788	1912	cmd.exe	114
PID 1912 wrote to memory of 4788	1912	cmd.exe	114

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4760	attrib.exe
2824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e2cbc4c8e1c299179e198cd075b954b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1976
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .bat /f
        5⤵
        Modifies registry key
        
        PID:4736
    - - C:\Windows\SysWOW64\gpupdate.exe
        
        gpupdate /force
        5⤵
        
        PID:516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:2604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4712
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4760
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2824
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:372
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "360tray.exe" tasklist.txt
        5⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /d "1" /f
        5⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile" /v "NeverShowExt" /d "" /f
        5⤵
        Modifies registry class
        
        PID:2008
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\htafile\DefaultIcon" /v "" /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE" /f
        5⤵
        Modifies registry class
        
        PID:3744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2828
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.82133.com/?S" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3764
- C:\Users\Admin\AppData\Local\Temp\inlBB5E.tmp
  C:\Users\Admin\AppData\Local\Temp\inlBB5E.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBB5E.tmp > nul
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2E2CBC~1.EXE > nul
  2⤵
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMWT2DJF\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
906B

MD5
f2572338cb20db1d928b2c61282e6e87

SHA1
8b2b79ef1c914b0b00ec10a06caa8638b2163d45

SHA256
e9bc7df9f665d307b049d0d8bf74ed3c2ac1564094d3c4eff2568742bb5ebbbd

SHA512
240c9e2b2de396ef9dbe6b823723c61ba12c50e9a3b11f5f8f826aa55984d6c18a83361bf5b8f5d2602dbf8152e9feb35ceadce11d098aed246c52dc02771763

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist.txt

Filesize
6KB

MD5
366a68a5082935fc777845b7ad7cbaad

SHA1
533a4c03af0ab23f39c6fd7e6e0360d0244a90f8

SHA256
10595007869969f93b1c7735a649876a208c9e5ed6f87eaca10cdea0e4b254ef

SHA512
676f00dd5b08aa931e04df61a458a53a1f976c894e3bd8021525d73e377496ed79e9b91fd86e6383a1dd3ad2a53a1b06102dc7c3a5683ecc47c967a639f2bf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat

Filesize
50B

MD5
e08ad52d3d132292f9c51e7cfec5fe08

SHA1
269f7eb185a9ff02664297bfb6f5df9f86ec10f0

SHA256
bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

SHA512
3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.bat

Filesize
2KB

MD5
d720afa7c1bc6d67157c1fc5e1804f5f

SHA1
372cb41239edb1f4452a67b2c116cd4016b0f608

SHA256
fa0eaebd30bad6d62a875ff2bbd6861750cdf63ef811e620d95584337d8805e3

SHA512
1f4b6dffc79fbdac3868dbd9c9654374eaf28600053dcf041dcc0bbfdfb7d6610d29b8edabf0a88d3d298e8877f927c6f0600fca41ccb1e7d4aaed44ea1d3f1e

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.inf

Filesize
372B

MD5
b12963b468b68f030e9f0657b61be195

SHA1
e14aa110ef8a64ebc5eae328b1bec484bb2a71cf

SHA256
0d55327ae35340672d49f662512a7519302ead8ed74bc2d3a3c7a5f63b01fd98

SHA512
6a78a615026f5f2365441275174406120f32ef3e25554d7c9d7ed4b26c25620baab9e29f2a2da559723e92f2b14cfb7d7fc2ca8e5b70a5cffa17a5d2af683d0e

Download Submit
C:\Users\Admin\AppData\Roaming\lua\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.bat

Filesize
8KB

MD5
7b2cc87165c7598cd390c0f7cf4d6717

SHA1
04fd7ce74a29e2df543b9f3eca0bf8f82064f5af

SHA256
4f9d55cf344b944fd73ed63560ee9bf9130f124d593502b5a67abab2586bcd62

SHA512
0d8ca7b61c3a1d69b571063c2d43b623f2fac296e8f9c0dda1103212546632356aeaac6b21de1097ed54682aeccd5a68d8ef08f03f6ad0fc2bd386c7f52bc996

Download Submit
C:\Users\Admin\AppData\Roaming\lua\2.inf

Filesize
244B

MD5
2de3e6e4faea8c4a10ddd4f26455caca

SHA1
b7c02274aa020619e6c7b925427b027ffcc28629

SHA256
9f29d64886130752a5fe40ce6e83a8f35dc65340871cfe435499a609037c2824

SHA512
0e49cbd89766d3697ce4c9a2c83de32ebaee2d41f1a635a94cf0c73541aaa614f4f5b755f55d21fdea07fc76985bc741f2649abc1c6a32e9876ffa6b3a1c33c8

Download Submit
memory/1652-91-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-71-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-53-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-59-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-58-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-62-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-68-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-67-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-69-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-80-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-81-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-82-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-79-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-78-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-90-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-89-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-85-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-56-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-84-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-83-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-77-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-73-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-54-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-55-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-75-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-66-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-64-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-63-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-61-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-93-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-94-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-99-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-106-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-107-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-104-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-103-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-102-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-101-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-50-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-51-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/1652-57-0x00007FFBFDDC0000-0x00007FFBFDE2E000-memory.dmp

Filesize
440KB

Download
memory/3136-7-0x00000000007E0000-0x00000000007E3000-memory.dmp

Filesize
12KB

Download
memory/3136-115-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download
memory/3136-5-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download
memory/3136-1-0x00000000007E0000-0x00000000007E3000-memory.dmp

Filesize
12KB

Download
memory/3136-0-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads