635798a04c33050dd9c0aff5b02dcca8dea168abd67e72d72287df2e920889bd

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe
Size

160KB
MD5

a8be49d99be95dcad12ed9edb0f9979c
SHA1

bc7683dde0fbec9fc11a388ed3550865d982e7d7
SHA256

635798a04c33050dd9c0aff5b02dcca8dea168abd67e72d72287df2e920889bd
SHA512

1180376ea8d339fd411f68971b0b51d151f077982793e246b47514e68328e107f3d59a69b805d814fcc887c81ca9bc38801ad2c2b2dff6d2ab32e3e7b9444717
SSDEEP

1536:L/el+8Hruyv+mMiIAcI9vmQHv51skHMDnHgqAYsMKWqD7WCDYVRaJmg0k+X:z2LLuyv+mMi5cCeeM7JAJM3IymYVSe

Score

8^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3136	attrib.exe
3492	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	inlF152.tmp

Executes dropped EXE 1 IoCs

pid	Process
2540	inlF152.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlF152.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1658582029"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1658582029"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1879988238"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1879988238"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125962"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125962"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125962"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C1BFADD-5DBD-11EF-84CD-62872261FF50} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125962"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?S"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?S"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2540	inlF152.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2448	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2448	iexplore.exe
2448	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 4344	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	106
PID 632 wrote to memory of 4344	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	106
PID 632 wrote to memory of 4344	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	106
PID 4344 wrote to memory of 1716	4344	cmd.exe	108
PID 4344 wrote to memory of 1716	4344	cmd.exe	108
PID 4344 wrote to memory of 1716	4344	cmd.exe	108
PID 1716 wrote to memory of 2448	1716	cmd.exe	110
PID 1716 wrote to memory of 2448	1716	cmd.exe	110
PID 1716 wrote to memory of 5044	1716	cmd.exe	111
PID 1716 wrote to memory of 5044	1716	cmd.exe	111
PID 1716 wrote to memory of 5044	1716	cmd.exe	111
PID 2448 wrote to memory of 2948	2448	iexplore.exe	112
PID 2448 wrote to memory of 2948	2448	iexplore.exe	112
PID 2448 wrote to memory of 2948	2448	iexplore.exe	112
PID 1716 wrote to memory of 4064	1716	cmd.exe	113
PID 1716 wrote to memory of 4064	1716	cmd.exe	113
PID 1716 wrote to memory of 4064	1716	cmd.exe	113
PID 4064 wrote to memory of 1424	4064	cmd.exe	116
PID 4064 wrote to memory of 1424	4064	cmd.exe	116
PID 4064 wrote to memory of 1424	4064	cmd.exe	116
PID 4064 wrote to memory of 716	4064	cmd.exe	117
PID 4064 wrote to memory of 716	4064	cmd.exe	117
PID 4064 wrote to memory of 716	4064	cmd.exe	117
PID 4064 wrote to memory of 4476	4064	cmd.exe	118
PID 4064 wrote to memory of 4476	4064	cmd.exe	118
PID 4064 wrote to memory of 4476	4064	cmd.exe	118
PID 632 wrote to memory of 2540	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	115
PID 632 wrote to memory of 2540	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	115
PID 632 wrote to memory of 2540	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	115
PID 4064 wrote to memory of 3592	4064	cmd.exe	119
PID 4064 wrote to memory of 3592	4064	cmd.exe	119
PID 4064 wrote to memory of 3592	4064	cmd.exe	119
PID 632 wrote to memory of 3808	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	120
PID 632 wrote to memory of 3808	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	120
PID 632 wrote to memory of 3808	632	a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe	120
PID 4064 wrote to memory of 1112	4064	cmd.exe	121
PID 4064 wrote to memory of 1112	4064	cmd.exe	121
PID 4064 wrote to memory of 1112	4064	cmd.exe	121
PID 4064 wrote to memory of 3136	4064	cmd.exe	123
PID 4064 wrote to memory of 3136	4064	cmd.exe	123
PID 4064 wrote to memory of 3136	4064	cmd.exe	123
PID 4064 wrote to memory of 3492	4064	cmd.exe	124
PID 4064 wrote to memory of 3492	4064	cmd.exe	124
PID 4064 wrote to memory of 3492	4064	cmd.exe	124
PID 4064 wrote to memory of 4468	4064	cmd.exe	125
PID 4064 wrote to memory of 4468	4064	cmd.exe	125
PID 4064 wrote to memory of 4468	4064	cmd.exe	125
PID 4064 wrote to memory of 3920	4064	cmd.exe	126
PID 4064 wrote to memory of 3920	4064	cmd.exe	126
PID 4064 wrote to memory of 3920	4064	cmd.exe	126
PID 4468 wrote to memory of 2920	4468	rundll32.exe	127
PID 4468 wrote to memory of 2920	4468	rundll32.exe	127
PID 4468 wrote to memory of 2920	4468	rundll32.exe	127
PID 2920 wrote to memory of 2872	2920	runonce.exe	128
PID 2920 wrote to memory of 2872	2920	runonce.exe	128
PID 2920 wrote to memory of 2872	2920	runonce.exe	128
PID 2540 wrote to memory of 3372	2540	inlF152.tmp	130
PID 2540 wrote to memory of 3372	2540	inlF152.tmp	130
PID 2540 wrote to memory of 3372	2540	inlF152.tmp	130

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3136	attrib.exe
3492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8be49d99be95dcad12ed9edb0f9979c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?71628
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2948
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:1424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:716
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?S"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3136
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3492
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
- C:\Users\Admin\AppData\Local\Temp\inlF152.tmp
  C:\Users\Admin\AppData\Local\Temp\inlF152.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlF152.tmp > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A8BE49~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verCEB0.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\360mohesetup.exe

Filesize
88B

MD5
bcd8edb015ddc9e31e8e1b4657c3df43

SHA1
d320e044bc0ed73e557a885a1a47714b8c85200e

SHA256
37646c67c0e8429e6fbfc56678a20fd311cb48d0cb19bb5097078968f0673f37

SHA512
2a1497b35930c516a0f5bf75be460eff986b08d2ed0331dd702be5533b88198a59a41f39252809ef83b455bcf4d07ab0d9723494e8008a9578d0509a643cd6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
790B

MD5
b18422bf438bbb7798280375a7bc0976

SHA1
c1b77b35e3a38ff2ad119f25e548beb5ff68c2e2

SHA256
ee8709e751067193dccdfe218108bdae6a30919d7b6c860bc848c7cc4b242fa4

SHA512
23cb9c74905f514a2bf4ef91afc53ceb08230b3ce68e3eab17bb36c674260d143a7e7105958ff4ed5c2a416bddffb3c7e28dcf8060cbf323c7e4cab71f613176

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
b13d4a59d37d8c293276a4c428ad5659

SHA1
710bfa65cfd533b78c564e15e0bbe954e9265ecf

SHA256
3aea9dee221648916706758561e23796b2325e4019b28a3070fe2fd8d1d4ed28

SHA512
8cb3aec7463cf7d14f333bb9257f03c7f7491f4da4fea3311e505f99b9f6797f0aa3f689355a6625d9f104b8511f7e75218b4c2fdd7f9ac96927d7aa4a6ed0ba

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
372B

MD5
b12963b468b68f030e9f0657b61be195

SHA1
e14aa110ef8a64ebc5eae328b1bec484bb2a71cf

SHA256
0d55327ae35340672d49f662512a7519302ead8ed74bc2d3a3c7a5f63b01fd98

SHA512
6a78a615026f5f2365441275174406120f32ef3e25554d7c9d7ed4b26c25620baab9e29f2a2da559723e92f2b14cfb7d7fc2ca8e5b70a5cffa17a5d2af683d0e

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.inf

Filesize
410B

MD5
66a1f0147fed7ddd19e9bb7ff93705c5

SHA1
9d803c81ea2195617379b880b227892ba30b0bf6

SHA256
4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

SHA512
cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
185a49cc37f1724dc196f67c42a76340

SHA1
27fde7b9ba462fc36ba5705832ae44b454d718cf

SHA256
3fe8fbf78cb9855c0cc663dda80354318fb2c7ef1dc4d378c98bb1383015140d

SHA512
97ee31a378404bae99616a057ddbed8450f56bfd5d0508b4cc3b864e73aa5d8d1f15b21c82ed3570494603ac90bb7cee1b8cbdae9d935bb1ddb71264004e4c22

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
5.8MB

MD5
2da37d291b224dfe4830725836c2290b

SHA1
e568ef74e7ee4a4028cb3ebb41ba60f01eab4103

SHA256
3c1b98dfc18086341a77e04fa74d849ecbc8ce2ec0eb638ec8805c28b8b4de3c

SHA512
8cfdaf4a0718165f3ee3d9d8dbbc98a4e8b16583f9a1834df56219dd4aae9cb61fcf67891618bdd609c86c7cd2e7bcd4b787b30b070e56b301163fff55d6459a

Download Submit
memory/632-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/632-123-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/632-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2448-71-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-59-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-95-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-93-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-89-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-87-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-85-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-84-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-83-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-82-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-81-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-88-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-74-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-73-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-86-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-68-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-66-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-65-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-64-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-96-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-60-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-94-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-57-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-56-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-54-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-58-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-97-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-102-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-79-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-105-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-109-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-111-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-108-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-107-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-106-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-77-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-72-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-70-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-63-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-151-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-156-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-162-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-62-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download
memory/2448-61-0x00007FFBD9F00000-0x00007FFBD9F6E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads