Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/09/2024, 13:41
General
-
Target
c8420dc616a0e7b7966303fa2cce3dc0N.exe
-
Size
164KB
-
MD5
c8420dc616a0e7b7966303fa2cce3dc0
-
SHA1
1455345f2e7d340f3e69a3efed371278e3662389
-
SHA256
181d7615af131fae7072e791cb1694ef1c1a62d735e80017406f1c7dc4f14303
-
SHA512
7376cd6f5de1e25659433fa4dd4cd52a7434c4dbad695ed43e86e8ea00a861e98778d1fbbf1b09c2e575abb4b209015ddc182eab1c8f0928ddea957d007367ef
-
SSDEEP
3072:1qpMJFLXBpNum6V0P60/KV69R1Vu8ljAE+cQqCdXe8hTJz:1qGvN4V0Pt9R1Vu8l0B9e8hT1
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8420dc616a0e7b7966303fa2cce3dc0N.exe"C:\Users\Admin\AppData\Local\Temp\c8420dc616a0e7b7966303fa2cce3dc0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\kage2011_check.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl6CAA.tmpC:\Users\Admin\AppData\Local\Temp\inl6CAA.tmp2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl6CAA.tmp > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C8420D~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD515ecc1eef11e48908b75f5b8a35da995
SHA1433eb7a19c9ac074f8b03e0e69c28e9ca50dfcdf
SHA256052cee97cc524319acd52e5b65fa49968ea1898d47c09bd443ba42bb2dc54b84
SHA5126749a168380cfbb80b8d2cfccd38da3290abae529ee63e8026d2eec7c9e8165fab3310167180391fad4a07a6868de12957c330491e245a87e93b70fa0669521b
-
Filesize
342B
MD506be4c359ac081641ee573f8a661e935
SHA1dcf7f3898af0471d77e900d350af11352a055c9b
SHA2563dc98402e69e1e3121783e444b1a1f8577e6d901a135059a97830367cfe9291b
SHA5126fc2b56586745c18a2c78f7fa831799498c342c63febc2f277b0b7071a6cb7d6e8a0cf81763b4b5d50acae1f2fad9fd6176f65074910d5e93c15efd638c94f7f
-
Filesize
342B
MD5a4755fa81dad66d7bffa76fadadb7718
SHA198b52f4d065f53ccc53814d2ca2a2526e181a075
SHA2566c80bcf9b898d84ca1770aa3c0e5c18644e9ce988b7a417efbe769f395881e56
SHA5123069fb2e9905c22fac76280209ffe931e14554c099701129f2983a5e399e12085780faa7883fbb0b4633c2b8310950d5ca746175e933c6ee5b0d1384c0ecb29e
-
Filesize
342B
MD5c6d08e48c3a339ab2b1a0da4a78f1369
SHA1878d8f66f918d80e71f6ec1e749931cc7eb9621e
SHA2560430d689233f9e9754e1d4982167f07b7303cef14330e2c6b512fe3c0e989c94
SHA512e97a8eba68c609cea05f1344efb9229ab64a94ca9569f4eb49a26210cc2d141837f10e69237ffe004cbc784df3c59dc66cc506f498af5c1b21c1db23891270af
-
Filesize
342B
MD51352a65b22ef8d50e64a19f364fa25c7
SHA18b2d2c03873173a6add17d8ed8663465105545d7
SHA25628d4bf7cbe8d42ff65ecd463132fe881df3ebbf6e7f875ce109f45c30f7fa72a
SHA512dfaf6982614eec1b000fe80e8c1f9ccf6416c4acb1261b1af371cb777181af075b42d052dc87764ff7559677a7d5a8550ed4a1df97c7189904a6d66d2be8dcf8
-
Filesize
342B
MD578bc5f14d5540027369f9baf1a01e371
SHA1dc4881f1ce3ee30b0260b80444f3e773ea1a70df
SHA256e7052c9fbf9b791d2d0776283e7cf27253a90272c2846f9531513eaf9257460b
SHA5125615313ea6637a21821793d98e0cf84962388ca8c242debc8cd32cc8ff983c9032b25caa8671e1b796ff946e41754e4284ee647fbca981fb00fb342b0ea65079
-
Filesize
342B
MD5b6525bd9e5f1c2c1f4e414be63b4c216
SHA1104f2f669f7aa2a05eaf2f82ab3b5c49c0ac70c4
SHA256f8a0455135d4feee5a4ef5fdde20c3846d7ccd4f1b9b67d9bc0e51433c7d8d60
SHA5129c6ccfda62e87f624b57258c81c39bbd99c1c3edf3ef5b20eb525cd841718e2d21c68257faa471f212fa47b534aee2169a6071ddc697ec32383f599d8e6dc6d8
-
Filesize
342B
MD56f6d74ff62855ff87c9c0b5ec23dc020
SHA102df46d90fbb784587e5c428458decb90e275be3
SHA256a22a1e110df4ddf1daa7d01ab57c8beeb77910ff49e017a92348943b4b7f66af
SHA51271d4d1ccc8438e1abf1a151706af62358470914349c877a35470c0b770334cf1695a339770fc7be0f13063c0584b21534c55c6ab6cd2f00b026ada951d3c5acf
-
Filesize
342B
MD5ebc203096ce04703424782c0c76d9357
SHA1bc373750eb0b7011654cadfee04a513d33eccb43
SHA256fa08844fbf0caaba5be8aaf060908083f99676d6d0e8e2f6be60b6b86cda851d
SHA512364e6631aa3907c5fd8ea85757cca28ed846ca652d1a4b678457f985651be5ef8b094d2233e163e6622bee0d29f8564de7179298c1d22d86bb8d69009be0d0e6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
555B
MD5458a331595f313d6bd4ac9cfd0a769c8
SHA174dffa252fbbf48b8f27900a0b77b339c4678115
SHA2562387b151c34a6ee91d2f8a47976ec35c9fc6ea9ecbe0330e156a3a00d51cc0b2
SHA5125b84b8bd34ab1816a2301330e6778fa1cb97c42eafee18c876aa73da26b4d7d1475def53558e2a69baf318c26b3227666a9c6fb4cb7d26d662ac2a7273970d26
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD56b78cb8ced798ca5df5612dd62ce0965
SHA15a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA25681f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
12.3MB
MD5f49d5c2345305a78635fdc2df992d771
SHA19de1e12cda0521c61435727fefa65e01cd517e84
SHA256311a9b7637d0ef57aa5ef870088d30f181a58ab4afd0a048c511e0d736c5ecbf
SHA5124a7ec4a083fb33b78182d4ebbb9d39ba1c5c32a9bc4ccdbc24e7cddbaaadc4156c121100dca9a0aa79fcee55acae1898d9f4c50aa6c96dc05f5ea60312bda6ac
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB