Analysis
- max time kernel: 205s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 21:18

Static task: static1

Behavioral task: behavioral1
- Sample: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe
- Resource: win10v2004-20221111-en
General
- Target: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe
- Size: 864KB
- MD5: 531b780df04c2c67b3862b0720eb7280
- SHA1: ae1a521b5e0da934d3dfc792ac7e33df5c1029c5
- SHA256: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794
- SHA512: 7f954c15141a64301587b831151f032482cca730c4105ec4a9134473836f870a99367be169fd04f3d5630c6aa66c70dc7bfaddfd9775db7e5cfe2f243fc2a94e
- SSDEEP: 24576:L1rM1vWq0u222tNqz/QmXt+ZlVP30mfWAgjLwK:LdCvFl2tgYmcVrbK
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 564 4.exe
  - 2044 Hacker.com.cn.ini

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe)

- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\Hacker.com.cn.ini (4.exe)
  - File opened for modification: C:\Windows\Hacker.com.cn.ini (4.exe)
  - File created: C:\Windows\uninstal.bat (4.exe)

- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (Hacker.com.cn.ini)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (Hacker.com.cn.ini)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (Hacker.com.cn.ini)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (Hacker.com.cn.ini)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (Hacker.com.cn.ini)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 564, 4.exe
  - Token: SeDebugPrivilege, 2044, Hacker.com.cn.ini

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  - 2044 Hacker.com.cn.ini

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 3492 wrote to memory of 564: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe -> 4.exe
  - PID 3492 wrote to memory of 564: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe -> 4.exe
  - PID 3492 wrote to memory of 564: 3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe -> 4.exe
  - PID 2044 wrote to memory of 4956: Hacker.com.cn.ini -> IEXPLORE.EXE
  - PID 2044 wrote to memory of 4956: Hacker.com.cn.ini -> IEXPLORE.EXE
  - PID 564 wrote to memory of 5116: 4.exe -> cmd.exe
  - PID 564 wrote to memory of 5116: 4.exe -> cmd.exe
  - PID 564 wrote to memory of 5116: 4.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
- C:\Windows\Hacker.com.cn.ini (depth 1)
  Command line: C:\Windows\Hacker.com.cn.ini
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (depth 2)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  Filesize: 786KB
  MD5: bdf3d3f96904b927292e9a6b39d3b2e5
  SHA1: 71b9a605cf243955f468960258e385497ccb98d9
  SHA256: 7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e
  SHA512: 71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514
- C:\Windows\Hacker.com.cn.ini
  Filesize: 786KB
  MD5: bdf3d3f96904b927292e9a6b39d3b2e5
  SHA1: 71b9a605cf243955f468960258e385497ccb98d9
  SHA256: 7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e
  SHA512: 71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514
- C:\Windows\uninstal.bat
  Filesize: 150B
  MD5: 5edd682a8b1f2bf873300774f954ab03
  SHA1: 2cca4e743d02dbccf31b784ea26a60c03dcc9637
  SHA256: a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a
  SHA512: 916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2
- memory/564-134-0x0000000000000000-mapping.dmp
- memory/3492-132-0x0000000001000000-0x0000000001113000-memory.dmp (Filesize: 1.1MB)
- memory/3492-133-0x00000000006A0000-0x00000000006F4000-memory.dmp (Filesize: 336KB)
- memory/3492-137-0x0000000001000000-0x0000000001113000-memory.dmp (Filesize: 1.1MB)
- memory/3492-138-0x00000000006A0000-0x00000000006F4000-memory.dmp (Filesize: 336KB)
- memory/3492-142-0x0000000001000000-0x0000000001113000-memory.dmp (Filesize: 1.1MB)
- memory/5116-141-0x0000000000000000-mapping.dmp