ddbd9021e2da803cee2d5a298ed224b5ae34aefec55aede6a76925a4d13282e3

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe
Size

57KB
MD5

5c11886d390c628eb62fb46baacbbc87
SHA1

b8fe7afbdb9598629e9220150919bbd65cac67ce
SHA256

ddbd9021e2da803cee2d5a298ed224b5ae34aefec55aede6a76925a4d13282e3
SHA512

e5bd0167210b5ded6a24ba58a8d88e200d3b4ec64b217091fe55729019926aff4f386653ef1001f53f6e55e9d8dd10a83a9c141a474cc61aef9a7d943664223c
SSDEEP

1536:+TbbFsJXt+zYI6evWmB05G4MkX9hqHvlLkrR:+ZMXE81b9Okb09GR

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1716	attrib.exe
1436	attrib.exe

Deletes itself 1 IoCs

pid	Process
2464	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	inl1299.tmp

Loads dropped DLL 2 IoCs

pid	Process
1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe
1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FCCBE371-45CF-11EF-A2BE-5E235017FF15} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427556375"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1140	rundll32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1140	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeRestorePrivilege	1092	rundll32.exe
Token: SeIncBasePriorityPrivilege	1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2152	inl1299.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2240	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2240	iexplore.exe
2240	iexplore.exe
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2864	1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe	31
PID 1328 wrote to memory of 2864	1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe	31
PID 1328 wrote to memory of 2864	1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe	31
PID 1328 wrote to memory of 2864	1328	5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2724	2864	cmd.exe	33
PID 2864 wrote to memory of 2724	2864	cmd.exe	33
PID 2864 wrote to memory of 2724	2864	cmd.exe	33
PID 2864 wrote to memory of 2724	2864	cmd.exe	33
PID 2724 wrote to memory of 2240	2724	cmd.exe	35
PID 2724 wrote to memory of 2240	2724	cmd.exe	35
PID 2724 wrote to memory of 2240	2724	cmd.exe	35
PID 2724 wrote to memory of 2240	2724	cmd.exe	35
PID 2240 wrote to memory of 2148	2240	iexplore.exe	36
PID 2240 wrote to memory of 2148	2240	iexplore.exe	36
PID 2240 wrote to memory of 2148	2240	iexplore.exe	36
PID 2240 wrote to memory of 2148	2240	iexplore.exe	36
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 1140	2724	cmd.exe	37
PID 2724 wrote to memory of 2044	2724	cmd.exe	38
PID 2724 wrote to memory of 2044	2724	cmd.exe	38
PID 2724 wrote to memory of 2044	2724	cmd.exe	38
PID 2724 wrote to memory of 2044	2724	cmd.exe	38
PID 2044 wrote to memory of 644	2044	cmd.exe	40
PID 2044 wrote to memory of 644	2044	cmd.exe	40
PID 2044 wrote to memory of 644	2044	cmd.exe	40
PID 2044 wrote to memory of 644	2044	cmd.exe	40
PID 2044 wrote to memory of 2648	2044	cmd.exe	41
PID 2044 wrote to memory of 2648	2044	cmd.exe	41
PID 2044 wrote to memory of 2648	2044	cmd.exe	41
PID 2044 wrote to memory of 2648	2044	cmd.exe	41
PID 2044 wrote to memory of 2976	2044	cmd.exe	42
PID 2044 wrote to memory of 2976	2044	cmd.exe	42
PID 2044 wrote to memory of 2976	2044	cmd.exe	42
PID 2044 wrote to memory of 2976	2044	cmd.exe	42
PID 2044 wrote to memory of 2984	2044	cmd.exe	43
PID 2044 wrote to memory of 2984	2044	cmd.exe	43
PID 2044 wrote to memory of 2984	2044	cmd.exe	43
PID 2044 wrote to memory of 2984	2044	cmd.exe	43
PID 2044 wrote to memory of 2636	2044	cmd.exe	44
PID 2044 wrote to memory of 2636	2044	cmd.exe	44
PID 2044 wrote to memory of 2636	2044	cmd.exe	44
PID 2044 wrote to memory of 2636	2044	cmd.exe	44
PID 2044 wrote to memory of 1436	2044	cmd.exe	45
PID 2044 wrote to memory of 1436	2044	cmd.exe	45
PID 2044 wrote to memory of 1436	2044	cmd.exe	45
PID 2044 wrote to memory of 1436	2044	cmd.exe	45
PID 2044 wrote to memory of 1716	2044	cmd.exe	46
PID 2044 wrote to memory of 1716	2044	cmd.exe	46
PID 2044 wrote to memory of 1716	2044	cmd.exe	46
PID 2044 wrote to memory of 1716	2044	cmd.exe	46
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 1092	2044	cmd.exe	47
PID 2044 wrote to memory of 2208	2044	cmd.exe	48
PID 2044 wrote to memory of 2208	2044	cmd.exe	48

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1436	attrib.exe
1716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c11886d390c628eb62fb46baacbbc87_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mother_check219.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2148
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:2984
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:2636
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1436
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1716
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:572
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:2208
- C:\Users\Admin\AppData\Local\Temp\inl1299.tmp
  C:\Users\Admin\AppData\Local\Temp\inl1299.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl1299.tmp > nul
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5C1188~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7acfb2e89fbe821150856378b608acd

SHA1
b96c157e3ec8838c8d3c6b3d7cd577533ac5aa9f

SHA256
934cbaeea8662acaf84123147040d4242a402162f04f749222593059026bba15

SHA512
3bcc766b3a91716b16a6fe386599b9c37ab8d2eab7c2d9ca89c4f0a52a30ded15c075673f2b4821803f95eb14b138f5093d9adb2b9812b8d6094062a589bbf40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62f5d60e838eb42cf777ae7419adf2f8

SHA1
874e3ff403c9d16f6312d2657a943b3a1c930399

SHA256
45904a0472385cfc9ebe92c1bb346ebf84df34cd5b29c90b0561ce2b86a7dcc9

SHA512
ddbd1431eb773d234f59c07f70543a629f97b651b75cf2902c459d6fc19fbfac998a62977db66bf9cb010bd44b34a8c8914f48bf5eee98d5c1a0fe0aa780a7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25a9305b14cd8b027029dff2bef88269

SHA1
66d7c6303b135493d2bd7fd22a1d897964eb868b

SHA256
ba0b4f391aa975cd0c47668109cd2baa2b9f25ff1647cf23178aa2cc24e17a5d

SHA512
f213211679806456fdcbe2724a0551cbaf6fb533fc42d59013578605de1e00e2cf827c6eff5ff84bdcf72e41d35906a3f4df846bf8bfe5772ddf6b35936819c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c13cf79d0a7ec7b2a57385aa4213d24d

SHA1
003da366387c2bb5f3d6ecd5a1e77090e1680fd9

SHA256
92adeb2c10a50f1ec7bc55d799269bf256738d6a83462c5645db5463227ac346

SHA512
06be325ac5d312ab97310025337b5d88505891d19596bb9a6d3298614a3b3ed551ba5f7c1fa0c31b7fdf44216ba8f87335f04fb3371678f57e6fbbaabff37605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
306c8d99ec6f8f7447b4b2a74b180727

SHA1
d94e0010ee666fa1b9c908c12c7dd47ca8934057

SHA256
531389b05e0d7491f005fdcae2906ad73633a7587ded338e3507dc13873b458b

SHA512
b1d9b63ba552b791412a8cd7e9bc2685a60d59ccd87daea112db0b66bd713e937443579170086e82682f677b0a3955179771cca6b2a2533ad2617e2bc6564770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
122c89bda744cab4af1925e083d1c0bb

SHA1
aa61170b027b01d4ec33d92f3dcb39a12cb170d9

SHA256
b2d8588fdbbec10e163c9991db4cfcff27df573360af86561e3207130605269e

SHA512
e9a8b309d669b4c8cb8cf1c43502d448d2e42b4ab6f0c00b512b8dc08e0c283e3b6c19a94a00e1ddd33ab8a3d2c33912a2afd6ef7a38adfc240faafeb83dd046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed762226de72c8bb0f353c7921af67a3

SHA1
4d79a0c7312575ac3919d46a6f69c6032a351389

SHA256
e9dce995c944c2c11ad8aa87861ae8e3927e348c09642444ec34497eea9efcd4

SHA512
7991a0b6ec2b6874e7dfbc12a4b90d98a8b3ec7156a48112a9ef3b3007060d20fdee03473c17e835f63334acf73d3e5e035d87f71b9de54ff867e5674522d87f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
639a607e913941469c84d3a99c4ef973

SHA1
bb0757f1b2ee9f2910dc31a7305b07f93bbe2faf

SHA256
97525c62a880b889b31a080ef8fcdf7b542451848a1f6fc0e4163f7f8deccb3b

SHA512
9dcb7d6f7c7ec61248c4a0caf45915b762e8ce0144cab2da41e14c26feccba4aa6d23c9d524aeb25cf635138eca6a78c34645aa677f60f314c12e30b29194077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9794309fb5062864a73def27af2bbb3

SHA1
5fcafe711a7d09fd9b0c1e3e13d067f62f2fe27b

SHA256
2f3feb5d6ef7c448aa6655b09980f5c8aaf7b665eab5b56a459b09a4fc8ddcca

SHA512
59deb75f2397854334d6c29286622d7619e247e8c9f10b8ce40567d8ed9e9ebac3dcaf65b34e82c216e62de5cdbdc6782443b6170849f4bdf68ffb30bc4630c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
272ce98c57b8679eb65eca7a9f283ad5

SHA1
b1d140ad250d86dd2477ae68004474ae75c07182

SHA256
04bc72ae0efe52b434ccabffe048b2d3293a3ece0b22792e18c21ca365ad965e

SHA512
8156f7093b66125148759c9324be43f120acbdeb1e9ddeae7904cd1767d018cac2c9a76db59fad92b4028dccca69421e07b0f684b301ef0486fea608cd48c179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7b6a024ed544d7b44ec7ab8acd368f6

SHA1
1d31a3a495b3481c7d31b5462fb85d4c046199ec

SHA256
489f8b70b1427616ae9791fd8227f99a51f4c382f7721524af58c7a472697395

SHA512
a144fd4d4c2dc531919fc855f3dfa11727d391ace579518ede5790967787030ed7aa5e7bbc15baf67bdd37b0379e409a046bb73a88578ce63e769f2bd13459df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c557bd6ad38604933914fc4246eaa3

SHA1
6a55ff3d9fd9a5746e36364cefbbb4b58d2ebaa6

SHA256
5f15e8cc3c723cf52c074179ef7609f8b50104191bdfc3473206cb01ae361462

SHA512
fd4bb32b12eced71a07d8844e36a96b02184f3380f0de6bc092a7cfb615fd86641256a3d762aad798864ee8d3c3b15bd1b61e6a72cc83b155afcf5dfc8ddcf8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ccfc7c4d66c1c22b56a3fdf0375daa6

SHA1
fac5628041ca92de80a469046c4183c61edb4857

SHA256
c73f5dccfe641b8fa36fab226776283ac245df21476bcf3af570b2414abb753c

SHA512
ab799e48d46ecd6ec937b7b46cc3dd19ec2ddf5f88d5dc7970d8b4098461cb8889fd757dd51378b67ff8b714113e77fc4bf3f9ef3b616110b4445e1fddc5afd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2c90e18cacbd9842a6c2d0668ac3de6

SHA1
c3084f7bddfdd4b300c672be6d563136d619f9a5

SHA256
4e8519b2c743a9de6519852a18f1a9e43c411e287dce4fd7890f2ad84e75c051

SHA512
a533e2c551b1f7e55d19898c7168a5c9bae7b47fa0343b4d8cc2cf60c9fd13681791a515d914109eecb8d0d6efdeba0f90e8663959cee90a2059d92c0eac25bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce831aa82988655ab1074c581599b4a3

SHA1
bbffcc518f0e74d272bf93bfb27739fba4d30bef

SHA256
881b934ee63056aa5302bec95406613681ae1d3616084cba99371a31a2032152

SHA512
de6f985a0eea298107497c7ae6ec3a3ef2f66a6e39942fbba65c498a4e323d1d528e407da5d426a852b5c8a5bd51b8deb87b2c111f9ea6e4c892e293f7682653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd459e87ad7a6c367835c349fccd2a82

SHA1
6c9fa9897bfa37164bf53da251132fc59dbf6607

SHA256
a796ec1ce4d51526c32c78b6ca48d76dd8206d9a9d758976393f8415461d4db0

SHA512
0b0add52d7079f10fc2695fd49053adab62924dcc7258b05476cf62665ce0c6ec72409081622a31b70cc4294fcab7b13066e0f838343edfeb28a29824ae030ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
657d4b4db23ff37e9a2be36878de1c62

SHA1
293df4bd0e0981e2bf31ef780e6e777df1609a93

SHA256
501a086707dede7bfcfb7efa1e46646b853fb072b4ffbf0496302e4e919e6307

SHA512
8777e4aadce1f3107f80395723cdfda7378f4b4ec347785f046d35678c004c06c11cfe2c0d01d6276c52f8ab058aa7623a9716e8a7c4de365cafd58e27a0e6b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e888adc90a489e75064b61057d6d0c8f

SHA1
1f38af76837c0d9ce81192c6766067780e4fa89a

SHA256
7d04332d600f126cb08e8091f7a87cf0c00e6781b819cde97c4b3d19f66b94e1

SHA512
61a5213effdafdb4854161c22208b359e7fdccf1e8436e7c892af188ff51696471e1001f27aa225b0753e8ae5162679dd03a902078f5e3084cd7750bd247cbce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1289.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1328.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mother_check219.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
660B

MD5
c40ea8f677b3f48bfb7f4cfc6d3f03ab

SHA1
10b94afd8e6ea98a3c8a955304f9ce660b0c380a

SHA256
b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c

SHA512
409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b7c5e3b416b1d1b5541ef44662e1a764

SHA1
8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

SHA256
f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

SHA512
65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
321B

MD5
b45d9865c76db5b9bc859499a3e9aae0

SHA1
6c4ff3519e8654ea6dac624213df2913018f2e58

SHA256
be7411475aba37b9c1e504d379b5517355968e05a5a4b46b823440dbaa7f1872

SHA512
25fa92de368e9b1d29003e00bdd77ebeb879ffe262cabfca5d9c07b7d34499c13b927d4648c95598b9241b7f4c085d1d5974c74c0ff951d2d3687860a762b6ad

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
454B

MD5
45a663aaaa22c42bb167b18436c73938

SHA1
81236229eaed313ba57b0377629b8e50f824a352

SHA256
a8958f6b4cfc7a3db84f806ab7751ee1b72227c59f682e433e764228b3d94fc9

SHA512
adbd1253176aa7c40ac25dec3bd81202db3d1f762a0f9176d5719bb7120b6fffd0e420fd8ebd9c8fa62127c4c46001244865da077f383a8d35a4207ac7887d81

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
12.3MB

MD5
4b63becb6d036ca5c6d39e6794d92e79

SHA1
00aee2c07d83a8de0051ad66700dfe6082e87e73

SHA256
0c09f8a1cc1b2f8d9d77b20053b9c6a6e2d43057bb6d1b8c48cc96ce5ca320fd

SHA512
91416dd25076bf9b1312823dc3215e82e2d7df76c1a3e027d5932fbde1c6b373e03fdb8ae2eabf2a26ef28c4ffa4413c60156b32f4aebbb20dfb6ff632f296e5

Download Submit
memory/1328-1-0x0000000000D60000-0x0000000000D87000-memory.dmp

Filesize
156KB

Download
memory/1328-2-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1328-5-0x0000000000D60000-0x0000000000D87000-memory.dmp

Filesize
156KB

Download
memory/1328-24-0x0000000000C90000-0x0000000000C9F000-memory.dmp

Filesize
60KB

Download
memory/1328-98-0x0000000000D60000-0x0000000000D87000-memory.dmp

Filesize
156KB

Download
memory/2240-50-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads