49dc20ca33f09e4725a349d9ef854616c244139182a79f4a374cac135b546cb2

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
Size

54KB
MD5

2b2a2d9a5bd0d9c5e35ddbb6a75083d3
SHA1

d2dcc6e1f26de4d8013bd5cccd1b7c2cfbb7ae77
SHA256

49dc20ca33f09e4725a349d9ef854616c244139182a79f4a374cac135b546cb2
SHA512

745004bcfdaf546fc2f7fc6ab2804d5c460c543bfa2211182790200489b1db81c8d9eac8f8295649ea9e89e74d4887a2676695d00364e7dd584e510a7cd6448e
SSDEEP

1536:uroWtPdPosz4fSb8OkGy5BCvXaI3HS8hP3iUc:WdFQsUfBUQIvXPH/Prc

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2864	attrib.exe
4316	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	inlD9C3.tmp

Executes dropped EXE 1 IoCs

pid	Process
2612	inlD9C3.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117608"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3948704064"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117608"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3955267184"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3948704064"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117608"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1705F97D-3D1C-11EF-A01A-52A74EE36D85} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2612	inlD9C3.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
748	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
748	iexplore.exe
748	iexplore.exe
740	IEXPLORE.EXE
740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3580	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	89
PID 2676 wrote to memory of 3580	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	89
PID 2676 wrote to memory of 3580	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	89
PID 3580 wrote to memory of 1888	3580	cmd.exe	91
PID 3580 wrote to memory of 1888	3580	cmd.exe	91
PID 3580 wrote to memory of 1888	3580	cmd.exe	91
PID 1888 wrote to memory of 748	1888	cmd.exe	93
PID 1888 wrote to memory of 748	1888	cmd.exe	93
PID 1888 wrote to memory of 2376	1888	cmd.exe	94
PID 1888 wrote to memory of 2376	1888	cmd.exe	94
PID 1888 wrote to memory of 2376	1888	cmd.exe	94
PID 1888 wrote to memory of 2732	1888	cmd.exe	95
PID 1888 wrote to memory of 2732	1888	cmd.exe	95
PID 1888 wrote to memory of 2732	1888	cmd.exe	95
PID 748 wrote to memory of 740	748	iexplore.exe	97
PID 748 wrote to memory of 740	748	iexplore.exe	97
PID 748 wrote to memory of 740	748	iexplore.exe	97
PID 2732 wrote to memory of 2096	2732	cmd.exe	98
PID 2732 wrote to memory of 2096	2732	cmd.exe	98
PID 2732 wrote to memory of 2096	2732	cmd.exe	98
PID 2732 wrote to memory of 3264	2732	cmd.exe	99
PID 2732 wrote to memory of 3264	2732	cmd.exe	99
PID 2732 wrote to memory of 3264	2732	cmd.exe	99
PID 2732 wrote to memory of 5000	2732	cmd.exe	100
PID 2732 wrote to memory of 5000	2732	cmd.exe	100
PID 2732 wrote to memory of 5000	2732	cmd.exe	100
PID 2732 wrote to memory of 4520	2732	cmd.exe	102
PID 2732 wrote to memory of 4520	2732	cmd.exe	102
PID 2732 wrote to memory of 4520	2732	cmd.exe	102
PID 2676 wrote to memory of 2612	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	101
PID 2676 wrote to memory of 2612	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	101
PID 2676 wrote to memory of 2612	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	101
PID 2732 wrote to memory of 4080	2732	cmd.exe	103
PID 2732 wrote to memory of 4080	2732	cmd.exe	103
PID 2732 wrote to memory of 4080	2732	cmd.exe	103
PID 2732 wrote to memory of 2864	2732	cmd.exe	104
PID 2732 wrote to memory of 2864	2732	cmd.exe	104
PID 2732 wrote to memory of 2864	2732	cmd.exe	104
PID 2676 wrote to memory of 372	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	105
PID 2676 wrote to memory of 372	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	105
PID 2676 wrote to memory of 372	2676	2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe	105
PID 2732 wrote to memory of 4316	2732	cmd.exe	106
PID 2732 wrote to memory of 4316	2732	cmd.exe	106
PID 2732 wrote to memory of 4316	2732	cmd.exe	106
PID 2732 wrote to memory of 4900	2732	cmd.exe	108
PID 2732 wrote to memory of 4900	2732	cmd.exe	108
PID 2732 wrote to memory of 4900	2732	cmd.exe	108
PID 2732 wrote to memory of 2572	2732	cmd.exe	109
PID 2732 wrote to memory of 2572	2732	cmd.exe	109
PID 2732 wrote to memory of 2572	2732	cmd.exe	109
PID 4900 wrote to memory of 3104	4900	rundll32.exe	110
PID 4900 wrote to memory of 3104	4900	rundll32.exe	110
PID 4900 wrote to memory of 3104	4900	rundll32.exe	110
PID 3104 wrote to memory of 1268	3104	runonce.exe	111
PID 3104 wrote to memory of 1268	3104	runonce.exe	111
PID 3104 wrote to memory of 1268	3104	runonce.exe	111
PID 2612 wrote to memory of 2492	2612	inlD9C3.tmp	113
PID 2612 wrote to memory of 2492	2612	inlD9C3.tmp	113
PID 2612 wrote to memory of 2492	2612	inlD9C3.tmp	113

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2864	attrib.exe
4316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x5_20_ml.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://wWW.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:740
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2096
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:4520
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:4080
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2864
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4316
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2572
- C:\Users\Admin\AppData\Local\Temp\inlD9C3.tmp
  C:\Users\Admin\AppData\Local\Temp\inlD9C3.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD9C3.tmp > nul
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2B2A2D~1.EXE > nul
  2⤵
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G241SKZ6\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\360moheInstall.exe

Filesize
794B

MD5
1bc415b31cdff50d79ea2a3d7b4ff2c1

SHA1
f5ebab61deebc3d7a4a6676a23b982f1418ae6a6

SHA256
582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412

SHA512
ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
645B

MD5
4cafe2ab2ae87e0e3a16f6bd99e92437

SHA1
45757e5b258e3190ea4d4b092375bded4d5ea4fd

SHA256
90896bc5f40509bc3ed86e17cae17da22b4f4ab0e424dc4557b24eccc53429ce

SHA512
123a945a361a07a356361e796159406bff31dbfbe68afaa1f22e144dc2b4025d23112844db70e651b9ee41f674d8efb4cd10b23ee4992d9538de7ada6534f2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5_20_ml.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b21e4f653320b34a01a860b1cf00c861

SHA1
3de8c41f014512ec793c3452b3c96f832644b0f0

SHA256
29a23c064b35e49d619825b67bf8b01ad6ba4c65e50e167bd69416cdca92d4bf

SHA512
6f791ca6c1929779e8c72b4c5c3ec79c8bd134845679e17915a4758a03b847efe5454fefe3af8be1eb17277ba73612d1534d09734c171f82b7ac351893cd8d9c

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
5.8MB

MD5
a472857530ce75b85097e0bd022d853a

SHA1
6df538fc0d1bc97f9711128a8f5ebddb1a936a47

SHA256
f35c3a663ee7dc18eff0cb77213add91febd87fa40b408efa70764160ab77a47

SHA512
d438ce771aee16b9a836d6643066cbe224cbd99e21ccb4e2649aa6bb1665b8627b4069aa11496b0c988be45538a68b3ec9afd652bb2354dd1a108e1d560169bf

Download Submit
memory/748-78-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-63-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-82-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-81-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-80-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-72-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-93-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-95-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-96-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-97-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-94-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-92-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-70-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-89-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-87-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-84-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-83-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-128-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-77-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-76-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-75-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-67-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-66-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-73-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-60-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-68-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-98-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-99-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-104-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-100-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-105-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-106-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-108-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-109-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-114-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-52-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-120-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-119-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-121-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-118-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/748-124-0x00007FF93F1E0000-0x00007FF93F24E000-memory.dmp

Filesize
440KB

Download
memory/2676-0-0x0000000000660000-0x0000000000685000-memory.dmp

Filesize
148KB

Download
memory/2676-131-0x0000000000660000-0x0000000000685000-memory.dmp

Filesize
148KB

Download
memory/2676-7-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download
memory/2676-5-0x0000000000660000-0x0000000000685000-memory.dmp

Filesize
148KB

Download
memory/2676-1-0x00000000007F0000-0x00000000007F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads