Analysis
- max time kernel: 144s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 20/08/2024, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
- Size: 168KB
- MD5: b0f6f38e4b86506db3693830c859086b
- SHA1: eb4a26d8fe794f5a16700d0c91def7117c4ab98c
- SHA256: 39294884fcde06ac7e3bb2a9eab94ecf6e8ab5f5119e77b420a38c5cd0c634ea
- SHA512: c205885d3e89a5777f785e26f6e01ab6f99f050ed8170ff153fb94529505eb4464f9596f43b2e6d1e5b326e0a914267b4d39ca3b5a6f70c3564c3ab1d1d90577
- SSDEEP: 1536:KgIM5N4czoLRpCt98SaE4cku5V72OXZR1VuCEWWAEbIge3+T:7BeRzSaEkuj728ZR1VuzWWpF
Malware Config
Signatures
Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  2932 | attrib.exe
  1224 | attrib.exe
Deletes itself (1 IoCs)
  pid | Process
  3064 | cmd.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  3060 | inlBD5.tmp
Loads dropped DLL (2 IoCs)
  pid | Process
  2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
  2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | rundll32.exe
Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~1\INTERN~1\ieframe.dll | cmd.exe
  File opened for modification | C:\PROGRA~1\INTERN~1\ieframe.dll | cmd.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\INF\setupapi.app.log | rundll32.exe
  File opened for modification | C:\Windows\INF\setupapi.app.log | rundll32.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | runonce.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | grpconv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inlBD5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430352365" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8B84181-5F3D-11EF-8D15-7A7F57CBBBB1} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.71628.com/?i" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.71628.com/?i" | reg.exe
Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command | reg.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2976 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 2976 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeRestorePrivilege | 1196 | rundll32.exe
  Token: SeIncBasePriorityPrivilege | 2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 3060 | inlBD5.tmp
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2648 | iexplore.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2648 | iexplore.exe
  2648 | iexplore.exe
  1192 | IEXPLORE.EXE
  1192 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2208 wrote to memory of 2624 | 2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe | 31
  PID 2208 wrote to memory of 2624 | 2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe | 31
  PID 2208 wrote to memory of 2624 | 2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe | 31
  PID 2208 wrote to memory of 2624 | 2208 | b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe | 31
  PID 2624 wrote to memory of 2584 | 2624 | cmd.exe | 33
  PID 2624 wrote to memory of 2584 | 2624 | cmd.exe | 33
  PID 2624 wrote to memory of 2584 | 2624 | cmd.exe | 33
  PID 2624 wrote to memory of 2584 | 2624 | cmd.exe | 33
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 35
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 35
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 35
  PID 2584 wrote to memory of 2648 | 2584 | cmd.exe | 35
  PID 2648 wrote to memory of 1192 | 2648 | iexplore.exe | 36
  PID 2648 wrote to memory of 1192 | 2648 | iexplore.exe | 36
  PID 2648 wrote to memory of 1192 | 2648 | iexplore.exe | 36
  PID 2648 wrote to memory of 1192 | 2648 | iexplore.exe | 36
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2976 | 2584 | cmd.exe | 37
  PID 2584 wrote to memory of 2888 | 2584 | cmd.exe | 38
  PID 2584 wrote to memory of 2888 | 2584 | cmd.exe | 38
  PID 2584 wrote to memory of 2888 | 2584 | cmd.exe | 38
  PID 2584 wrote to memory of 2888 | 2584 | cmd.exe | 38
  PID 2888 wrote to memory of 2940 | 2888 | cmd.exe | 40
  PID 2888 wrote to memory of 2940 | 2888 | cmd.exe | 40
  PID 2888 wrote to memory of 2940 | 2888 | cmd.exe | 40
  PID 2888 wrote to memory of 2940 | 2888 | cmd.exe | 40
  PID 2888 wrote to memory of 2908 | 2888 | cmd.exe | 41
  PID 2888 wrote to memory of 2908 | 2888 | cmd.exe | 41
  PID 2888 wrote to memory of 2908 | 2888 | cmd.exe | 41
  PID 2888 wrote to memory of 2908 | 2888 | cmd.exe | 41
  PID 2888 wrote to memory of 2956 | 2888 | cmd.exe | 42
  PID 2888 wrote to memory of 2956 | 2888 | cmd.exe | 42
  PID 2888 wrote to memory of 2956 | 2888 | cmd.exe | 42
  PID 2888 wrote to memory of 2956 | 2888 | cmd.exe | 42
  PID 2888 wrote to memory of 2068 | 2888 | cmd.exe | 43
  PID 2888 wrote to memory of 2068 | 2888 | cmd.exe | 43
  PID 2888 wrote to memory of 2068 | 2888 | cmd.exe | 43
  PID 2888 wrote to memory of 2068 | 2888 | cmd.exe | 43
  PID 2888 wrote to memory of 2620 | 2888 | cmd.exe | 44
  PID 2888 wrote to memory of 2620 | 2888 | cmd.exe | 44
  PID 2888 wrote to memory of 2620 | 2888 | cmd.exe | 44
  PID 2888 wrote to memory of 2620 | 2888 | cmd.exe | 44
  PID 2888 wrote to memory of 2932 | 2888 | cmd.exe | 45
  PID 2888 wrote to memory of 2932 | 2888 | cmd.exe | 45
  PID 2888 wrote to memory of 2932 | 2888 | cmd.exe | 45
  PID 2888 wrote to memory of 2932 | 2888 | cmd.exe | 45
  PID 2888 wrote to memory of 1224 | 2888 | cmd.exe | 46
  PID 2888 wrote to memory of 1224 | 2888 | cmd.exe | 46
  PID 2888 wrote to memory of 1224 | 2888 | cmd.exe | 46
  PID 2888 wrote to memory of 1224 | 2888 | cmd.exe | 46
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 1196 | 2888 | cmd.exe | 47
  PID 2888 wrote to memory of 488 | 2888 | cmd.exe | 48
  PID 2888 wrote to memory of 488 | 2888 | cmd.exe | 48
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  2932 | attrib.exe
  1224 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\julia_fun219.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2624
        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:2584
            C:\PROGRA~1\INTERN~1\iexplore.exe
              command line: C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID:2648
                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
                  PID:1192
            C:\Windows\SysWOW64\rundll32.exe
              command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID:2976
            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID:2888
                C:\Windows\SysWOW64\reg.exe
                  command line: reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Modifies Internet Explorer start page
                  PID:2940
                C:\Windows\SysWOW64\reg.exe
                  command line: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Modifies Internet Explorer start page
                  PID:2908
                C:\Windows\SysWOW64\reg.exe
                  command line: reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
                  - System Location Discovery: System Language Discovery
                  PID:2956
                C:\Windows\SysWOW64\reg.exe
                  command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  PID:2068
                C:\Windows\SysWOW64\reg.exe
                  command line: reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  PID:2620
                C:\Windows\SysWOW64\attrib.exe
                  command line: attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                  - Sets file to hidden
                  - System Location Discovery: System Language Discovery
                  - Views/modifies file attributes
                  PID:2932
                C:\Windows\SysWOW64\attrib.exe
                  command line: attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
                  - Sets file to hidden
                  - System Location Discovery: System Language Discovery
                  - Views/modifies file attributes
                  PID:1224
                C:\Windows\SysWOW64\rundll32.exe
                  command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
                  - Adds Run key to start application
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  PID:1196
                    C:\Windows\SysWOW64\runonce.exe
                      command line: "C:\Windows\system32\runonce.exe" -r
                      - System Location Discovery: System Language Discovery
                      - Checks processor information in registry
                      PID:2316
                        C:\Windows\SysWOW64\grpconv.exe
                          command line: "C:\Windows\System32\grpconv.exe" -o
                          - System Location Discovery: System Language Discovery
                          PID:2276
                C:\Windows\SysWOW64\rundll32.exe
                  command line: rundll32 D:\VolumeDH\inj.dat,MainLoad
                  - System Location Discovery: System Language Discovery
                  PID:488
    C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp
      command line: C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:3060
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp > nul
          - System Location Discovery: System Language Discovery
          PID:1204
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B0F6F3~1.EXE > nul
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID:3064
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (3)
Downloads