Analysis
- max time kernel: 118s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 15:40
Static task: static1
Behavioral task: behavioral1
- Sample: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
- Resource: win10v2004-20221111-en
General
- Target: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
- Size: 743KB
- MD5: 38686fc6e8e7f3585b0e09f1f8f0d962
- SHA1: 9de250d07359479fa6a212f684b79d8334433a16
- SHA256: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560
- SHA512: 4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb
- SSDEEP: 12288:ERyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnDzt:oStU4gf2EW5A2DJr/kS4vGIk6v3HX
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Hacker.com.cn.exe
  PID 1324 Hacker.com.cn.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  PID 1228 cmd.exe
- Drops file in System32 directory (1 IoC)
  Processes: Hacker.com.cn.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (Hacker.com.cn.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  File created: C:\Windows\Hacker.com.cn.exe (e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe)
  File opened for modification: C:\Windows\Hacker.com.cn.exe (e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe)
  File created: C:\Windows\uninstal.bat (e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe)
- Modifies data under HKEY_USERS (28 IoCs)
  Processes: Hacker.com.cn.exe (every entry below is by Hacker.com.cn.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecisionReason = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecision = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDetectedUrl
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\2e-20-73-4c-9d-dc
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecisionTime = 600658d465ffd801
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecisionTime = 401b061366ffd801
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecisionTime = 600658d465ffd801
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadNetworkName = "Network 2"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecision = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecisionTime = 401b061366ffd801
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe, Hacker.com.cn.exe
  Token: SeDebugPrivilege, PID 1300 e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  Token: SeDebugPrivilege, PID 1324 Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: Hacker.com.cn.exe
  PID 1324 Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Hacker.com.cn.exe, e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  PID 1324 (Hacker.com.cn.exe) wrote to memory of PID 1488 (IEXPLORE.EXE), 4 events
  PID 1300 (e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe) wrote to memory of PID 1228 (cmd.exe), 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe (PID 1300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 1228)
    Command line: cmd /c C:\Windows\uninstal.bat
    - Deletes itself
- C:\Windows\Hacker.com.cn.exe (PID 1324)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1488)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\Hacker.com.cn.exe
  Filesize: 743KB
  MD5: 38686fc6e8e7f3585b0e09f1f8f0d962
  SHA1: 9de250d07359479fa6a212f684b79d8334433a16
  SHA256: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560
  SHA512: 4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb
- C:\Windows\uninstal.bat
  Filesize: 254B
  MD5: 862f328ef566af04eff4ec3441d2e0e3
  SHA1: 20450422b736126b92df983d4320713265cccac7
  SHA256: 26e7febb1c7e4e95a3a39d76f84e2baca41146715257ef3773c87e87e8021613
  SHA512: b4d13ef06b11976e11da517599acd63e9cc9ce69f243c7de88e4446a5f612042930235087bec919bf9dd51c68d6a1c1c8bfd55a04fa3d32c7101025bddd244ad
- memory/1228-58-0x0000000000000000-mapping.dmp
- memory/1300-54-0x0000000075C31000-0x0000000075C33000-memory.dmp
  Filesize: 8KB