0f64ae6002a31ccf74595b02abe8d234c27908f5cc053f4badee69bb42b496c4

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 02:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe
Size

164KB
MD5

4c77dc9422e6a10a5d665fddd28dc6de
SHA1

d634b9115c12a647572fa41310db0d527c1c43a4
SHA256

0f64ae6002a31ccf74595b02abe8d234c27908f5cc053f4badee69bb42b496c4
SHA512

5c69ea9943aa21ae2713346184cea3d9fc3dd5345185ccf2fc2cad23d7df3784d11ef2ef5d0aea6dbd46c27121982e4ad058b030860819228bb9ac3ab5ab2413
SSDEEP

3072:1qpMJFLXBpNum6V0P60/KV69R1Vu8ljAE+cQqCdXe8hTJI:1qGvN4V0Pt9R1Vu8l0B9e8hTi

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	attrib.exe
2528	attrib.exe

Deletes itself 1 IoCs

pid	Process
1832	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	inl1048.tmp

Loads dropped DLL 2 IoCs

pid	Process
1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe
1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E315D9A1-431C-11EF-B6DB-72E825B5BD5B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427259549"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1644	rundll32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	1644	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeIncBasePriorityPrivilege	1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2912	inl1048.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2572	iexplore.exe
2572	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2776	1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe	31
PID 1636 wrote to memory of 2776	1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe	31
PID 1636 wrote to memory of 2776	1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe	31
PID 1636 wrote to memory of 2776	1636	4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2624	2776	cmd.exe	33
PID 2776 wrote to memory of 2624	2776	cmd.exe	33
PID 2776 wrote to memory of 2624	2776	cmd.exe	33
PID 2776 wrote to memory of 2624	2776	cmd.exe	33
PID 2624 wrote to memory of 2572	2624	cmd.exe	35
PID 2624 wrote to memory of 2572	2624	cmd.exe	35
PID 2624 wrote to memory of 2572	2624	cmd.exe	35
PID 2624 wrote to memory of 2572	2624	cmd.exe	35
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1644	2624	cmd.exe	36
PID 2624 wrote to memory of 1672	2624	cmd.exe	37
PID 2624 wrote to memory of 1672	2624	cmd.exe	37
PID 2624 wrote to memory of 1672	2624	cmd.exe	37
PID 2624 wrote to memory of 1672	2624	cmd.exe	37
PID 2572 wrote to memory of 1948	2572	iexplore.exe	38
PID 2572 wrote to memory of 1948	2572	iexplore.exe	38
PID 2572 wrote to memory of 1948	2572	iexplore.exe	38
PID 2572 wrote to memory of 1948	2572	iexplore.exe	38
PID 1672 wrote to memory of 1928	1672	cmd.exe	40
PID 1672 wrote to memory of 1928	1672	cmd.exe	40
PID 1672 wrote to memory of 1928	1672	cmd.exe	40
PID 1672 wrote to memory of 1928	1672	cmd.exe	40
PID 1672 wrote to memory of 2424	1672	cmd.exe	41
PID 1672 wrote to memory of 2424	1672	cmd.exe	41
PID 1672 wrote to memory of 2424	1672	cmd.exe	41
PID 1672 wrote to memory of 2424	1672	cmd.exe	41
PID 1672 wrote to memory of 2400	1672	cmd.exe	42
PID 1672 wrote to memory of 2400	1672	cmd.exe	42
PID 1672 wrote to memory of 2400	1672	cmd.exe	42
PID 1672 wrote to memory of 2400	1672	cmd.exe	42
PID 1672 wrote to memory of 1816	1672	cmd.exe	43
PID 1672 wrote to memory of 1816	1672	cmd.exe	43
PID 1672 wrote to memory of 1816	1672	cmd.exe	43
PID 1672 wrote to memory of 1816	1672	cmd.exe	43
PID 1672 wrote to memory of 1784	1672	cmd.exe	44
PID 1672 wrote to memory of 1784	1672	cmd.exe	44
PID 1672 wrote to memory of 1784	1672	cmd.exe	44
PID 1672 wrote to memory of 1784	1672	cmd.exe	44
PID 1672 wrote to memory of 2744	1672	cmd.exe	45
PID 1672 wrote to memory of 2744	1672	cmd.exe	45
PID 1672 wrote to memory of 2744	1672	cmd.exe	45
PID 1672 wrote to memory of 2744	1672	cmd.exe	45
PID 1672 wrote to memory of 2528	1672	cmd.exe	46
PID 1672 wrote to memory of 2528	1672	cmd.exe	46
PID 1672 wrote to memory of 2528	1672	cmd.exe	46
PID 1672 wrote to memory of 2528	1672	cmd.exe	46
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2964	1672	cmd.exe	47
PID 1672 wrote to memory of 2804	1672	cmd.exe	48
PID 1672 wrote to memory of 2804	1672	cmd.exe	48

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	attrib.exe
2528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c77dc9422e6a10a5d665fddd28dc6de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kage2011_check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1948
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1928
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:1816
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1784
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2744
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2528
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:2796
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2804
- C:\Users\Admin\AppData\Local\Temp\inl1048.tmp
  C:\Users\Admin\AppData\Local\Temp\inl1048.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl1048.tmp > nul
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4C77DC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bda68304d8da61dea710e92caaaad41a

SHA1
0c1f63a364b29d3058fe787ab511fcdd299e035a

SHA256
a1f3cf2132781226176affa63506b3dbe83ca74c1e52a9a16a90ebb02fed9735

SHA512
a178affb5679425747b86de30358e8b874905a757a489c830a0ed02e5f772940fb18b4e20b7e8104854956c718e63ae1ac3acbfc636fbf4c9045bccbc4ad02e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3198a8e147733d0a208f8c232b42151

SHA1
ab66213346ad97df2e68c95459f29d3c1856f913

SHA256
8c226f2525f7da3273d8f04cfecbe67e1b0c5dc25b8c75384aaccc9e8a06bc1d

SHA512
ffe67134060c529ea3ef9640160db0563162d4f428b8f64898d376335ac5d275f2a9d736fb0f64e6eb44681bad9624b360a8d4efc89247eb37188f31b0475e1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ff00d44d155ee49c702bbc62dab487

SHA1
11e84273a54046469c7708fac11696dfd8e68415

SHA256
644c4bafb0e55cfc99b2771c1139eeca79fe9252d190aef87b3bd6d199f1a38d

SHA512
c5cbe9c51f34935f62c28aa441766852b094f3dfd2f19dfb01a593f23ee49760cab0744d95b8ec1663a29e8ceba9e7a61524d99f74ed65e691506373a84c5fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8b4df71970470a24dfb3c178fb8f0f9

SHA1
fd10b821428cc3e6fec57aecc08773aa11da5877

SHA256
f116b3587f9b31a0cedb7b0644b4ed4e327c4c96863579672acb8b227fb304f0

SHA512
1f85cd9d6bc9a587fc2f230e8c5045c37d047d53fafcc76ea94f10a2d52048fa44e57d5eeb906b854246cbf0e0653cb388a2515e3e5de8899412d09e7f77ffe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d8dc32d3894864d4facac38da30c29a

SHA1
d0445836cdada9dec7c7f9346a73b9f53c36455a

SHA256
8c363820806460d06d96e6f8c2c9334f51e1207cfdda8cc383731fd324184246

SHA512
84ca7b052713378d8137839a58df3e9b48b3bc11798c81d7b68da35b3a45c3afbdcfe5a944a0bd32bd62bc4da0353c4831a34bb52f42d9303f816c8fcc65c7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5169bb5ab3133ce6999c91ca6bc80bd5

SHA1
68fcc17134c41b76405dadbf37e7138e4c503627

SHA256
17ed69c2cc3746fbeda907466a36681230632b543f769417b3f30d4c8657b1c8

SHA512
35d77b833eb78e9c48211c45e2fba885cc169b54645ddd91ad099ecb2238ebefb2fcde2ef316fa01fe5d6ba8f9980eb2e16e6fe2f85e1e3585b9fafcaa763d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da84b651a1e6d20d88f67cbe6281266f

SHA1
d0cc2d8fb6496916049a564cac07f898345fba60

SHA256
9b11e234b4b2a44c27c707ba272a3c964eaf1a5107367eff5ec42661d09c0572

SHA512
0d8422c123e05e63425b22b567588f9badcafb64c781ec63acfc737346724aca5d2a733a0084156fa9bbca57c1738ac87294ec7b7c028d5c94f0e41bb9f24e13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
491450876e37f36c998285d7d4d0e29b

SHA1
43f582e650e000f857cce499ead7fffb14fc9904

SHA256
64597496692078efcedfa851855f3c74ff7c245ec635e544879f5fc6a80c8b12

SHA512
35a246bf0cde097a5f0a5b1f6f69796411fc72cd7390bee690bbbc53cf928d28e50f2184e4409d36fac49920df4b92b40e99f9702db8093be04667fa38ef4bd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8239703bf43aeefed6f92e40b2eb8c9

SHA1
141f5000951d2c9413e17494e558534f46ab2169

SHA256
96b764291b2567324f5c7fc0fa8e184b76b8a1a46b2530ed3ee1f51e20d23b7f

SHA512
ccbd9799e416a31505f011f2668e138c6b101792b84e16207646a365c33fc32724ac521c866f6ac5099d1b4754ad3a38d38f71a22e310f9d8637910d14a37b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6607ddf7de8b65dc644e148ce4af7712

SHA1
bcf395f7da0ef39bedd8eb15652206e1a5bbc769

SHA256
fb02cbef4ca64d538b58d108fbb6746eb2840933252c18d54f0ce7aaacb34f31

SHA512
cbef79bc8b97c61159a77409404e55dd67b19d78d9459e614db5e61794b0e1fe8effade4cce88314cf8a754724718ef5d4f8048187de5bdbc22c5aa1a4280023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb35355f3a2e1f1d292d05857ddfcfce

SHA1
49cd07f7aefa9293f4ca70ed70f526d6cb297b42

SHA256
c6b4809f2eeaff3f61bd50e0a73b65a93b8cd533a48ca23fe08b952ad5998626

SHA512
e2451c519421ecd5e76494b87e6541563067bf3490f16864a1fe41afdc024b6b35c87a259c1f861eb985e5cd5cf4c94a2da9c0e987e2021bd0f189bf96af9cff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3bafb9c075095de482b11597d862c1f

SHA1
81a3484dcb614c054ad4eaafa4e50ca62b73db1a

SHA256
d0274036d59c74595f8b1f1c6496c5f861784aaec880f071be41e9893df22a83

SHA512
e047ef6dee0a32efbb25446a4dc9be3b9c48a37c8696d593f6e87c485a9a100e4b78c901018569d0251f23cedcc161ae9c411dfd569e088f546b9c9fa1745b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3df171c9d2e214013091eefdbd339e81

SHA1
7930b717006f127fa4802f9b561adf80662aefcf

SHA256
8e5fc6b8b3cc2097ba5e7364acaf264c7aa456ae6cc37d30b12744e057697c58

SHA512
695071eb54f8eda2069fa82aaefe43f145e0f624a14295273fb3d5d9a12ee6b2cd96f25ce25f33a2d1d50e2dc75c982f5d924f904623e5ce9145e9f3c4a7e687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95ae5f48b575272bb8313a0fc804f6de

SHA1
194093e16b26a2a5412fff79f6b73782ebed65a5

SHA256
66820110ed871ebc59a0bd72bbdd6926aa3bb37ebbdc838426b86c675972df64

SHA512
a317fb7e4383ee7afb1bbfb59c3a7c5abf8b5b795d5effe02aab9d297b3088beae4f05677021508e1f15521f18ee1d3a80a06d07e774e307aff67ec66043cd81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3cca40cb991997fc1d77c8d08f19e7c

SHA1
3afa890e05534cde30b5fa9913bce4bf5b5b4d15

SHA256
e5ab5ee883fc04c9c442e2cc97553a6ca5403fde810aff1e9d5869c2090d08a8

SHA512
1e5eb308a00a77815463c56e8d7beedfcf14ac71d590d479986df5fb94725e05f84ef13faff73dec35d17e93f5096ffac3534ef88cbec477ec6e11e35af62bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c477b4fced6eb297cff3682da10b0042

SHA1
be0c98eaaed823a1fa8b7491c3e99700e2020f02

SHA256
9c5d9a7075bcc2e0a2b033309d220c84d12b10e79df7dfebda1e3439f4d2b7c2

SHA512
c0745844d0b1473706ff8061a12ec5c7a72a51a3a90d85bc4967a8d4f3885d712bce0264f2a77b7c6bd79f0ab9dd6e6a54aad67984bd9a394c29c00051bd964c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d166d29bc951c57e32cbded24b043eaf

SHA1
d93e399086b706fc83afc0aa2fe153f016be4e5e

SHA256
2a2a0da182edc070ed4acee2cd1e61e92acfd30123b9a39f21010b80ed08e479

SHA512
1b92346192e20cfa37136aa0cb935b3bb853106f91deced736926417761b1069924e80125407d47a126821981452ad9e60e5113aa71407cc9fb8901dbbc83960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6578c9abe9c09a1b57c6e03c43958417

SHA1
be0dc1774223dbbd033c4915c775024c0a4e215d

SHA256
915c895d137eb57b68f2abea20dff32112cb0428c046bc27ba9e87a65d41c8b5

SHA512
89a9874c537823e0a648184b73f2001f47a20e09fc23864bb8871ff7c38036a322a7e485823486aec90b0b7f469df426aae67e64ae491c1c27cb8098226fada0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45d067bb91d1b46ebcb4fe5d447305c6

SHA1
9d1b8f51cbba72b2e59f2ff980f710d13265d174

SHA256
8f4783d2b35fd46afa3813723ffb3e03efd275b40597ea6bacb95e96b54850ea

SHA512
2a31444676e3160d5f7b555a57f4643de056d797ac3140048afdf49a2d48de9b1c2e872cc48af5560823c08e11a0ece46a2d55ac6998e6fdd9729d9d0399a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1094.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1135.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kage2011_check.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
555B

MD5
458a331595f313d6bd4ac9cfd0a769c8

SHA1
74dffa252fbbf48b8f27900a0b77b339c4678115

SHA256
2387b151c34a6ee91d2f8a47976ec35c9fc6ea9ecbe0330e156a3a00d51cc0b2

SHA512
5b84b8bd34ab1816a2301330e6778fa1cb97c42eafee18c876aa73da26b4d7d1475def53558e2a69baf318c26b3227666a9c6fb4cb7d26d662ac2a7273970d26

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b7c5e3b416b1d1b5541ef44662e1a764

SHA1
8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

SHA256
f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

SHA512
65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
12.3MB

MD5
27e29a7c4d16886f3ee0665c287a328f

SHA1
8754d5dfc9b7f44e8fb0d59776cb255f34abb5cd

SHA256
12372f97d14bf95de1ce112e0ec9a54a16fa3c397ab2610396623224a549d764

SHA512
61758baada04ef507468eaf881af3f3186c35b1a8b409d25a688b352c058cbc9b080dd7d679e63921ff556417565d5e78fc2b28110f741e9847fca69c01df292

Download Submit
memory/1636-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1636-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-59-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads