Analysis
max time kernel: 117s
max time network: 154s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2022, 03:51
Static task: static1
Behavioral task: behavioral1
  Sample: bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
  Resource: win10v2004-20221111-en
General
Target: bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
Size: 743KB
MD5: 2b9132097f55a526eb42cbf12275266a
SHA1: 8df68acce2554afd511e1b57faffc06ad6131b39
SHA256: bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f
SHA512: af8dfc8b0c9b893fb4338f062f1d9981a9d56feb26fc5b60e0279dd7a3c382078b96f3d49c85bb04b31104b1d2d31893374153d8ad4d9c3799eca9cf505a190c
SSDEEP: 12288:ERyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrzy:oStU4gf2EW5A2DJr/kS4vGIk6v3Hf
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid  Process
  940  Hacker.com.cn.exe

Deletes itself (1 IoC)
  pid  Process
  684  cmd.exe

Drops file in System32 directory (1 IoC)
  description  ioc  Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  Hacker.com.cn.exe

Drops file in Windows directory (3 IoCs)
  description  ioc  Process
  File opened for modification  C:\Windows\Hacker.com.cn.exe  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
  File created  C:\Windows\uninstal.bat  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
  File created  C:\Windows\Hacker.com.cn.exe  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe

Modifies data under HKEY_USERS (24 IoCs)
  description  ioc  Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECEB6828-BFAD-4A2A-9F45-AC16405E2937}  Hacker.com.cn.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECEB6828-BFAD-4A2A-9F45-AC16405E2937}\WpadDecisionTime = 60a747cde0ffd801  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-b2-73-37-be-2f  Hacker.com.cn.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-b2-73-37-be-2f\WpadDecisionTime = 60a747cde0ffd801  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  Hacker.com.cn.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-b2-73-37-be-2f\WpadDecisionReason = "1"  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-b2-73-37-be-2f\WpadDecision = "0"  Hacker.com.cn.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  Hacker.com.cn.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECEB6828-BFAD-4A2A-9F45-AC16405E2937}\WpadDecision = "0"  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECEB6828-BFAD-4A2A-9F45-AC16405E2937}\WpadDecisionReason = "1"  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  Hacker.com.cn.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Hacker.com.cn.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECEB6828-BFAD-4A2A-9F45-AC16405E2937}\WpadNetworkName = "Network 2"  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECEB6828-BFAD-4A2A-9F45-AC16405E2937}\ee-b2-73-37-be-2f  Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  Hacker.com.cn.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  Hacker.com.cn.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  Hacker.com.cn.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
  Token: SeDebugPrivilege  940  Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid  Process
  940  Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description  pid  Process  procid_target
  PID 940 wrote to memory of 760  940  Hacker.com.cn.exe  29
  PID 940 wrote to memory of 760  940  Hacker.com.cn.exe  29
  PID 940 wrote to memory of 760  940  Hacker.com.cn.exe  29
  PID 940 wrote to memory of 760  940  Hacker.com.cn.exe  29
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
  PID 1772 wrote to memory of 684  1772  bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe  30
Processes

C:\Users\Admin\AppData\Local\Temp\bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1772

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    - Deletes itself
    PID: 684

C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 940

  C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 760
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 743KB
MD5: 2b9132097f55a526eb42cbf12275266a
SHA1: 8df68acce2554afd511e1b57faffc06ad6131b39
SHA256: bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f
SHA512: af8dfc8b0c9b893fb4338f062f1d9981a9d56feb26fc5b60e0279dd7a3c382078b96f3d49c85bb04b31104b1d2d31893374153d8ad4d9c3799eca9cf505a190c

Filesize: 743KB
MD5: 2b9132097f55a526eb42cbf12275266a
SHA1: 8df68acce2554afd511e1b57faffc06ad6131b39
SHA256: bb291519d074e2836f47f3226f346867f7cc8878b92f9644eed1a573796c1a2f
SHA512: af8dfc8b0c9b893fb4338f062f1d9981a9d56feb26fc5b60e0279dd7a3c382078b96f3d49c85bb04b31104b1d2d31893374153d8ad4d9c3799eca9cf505a190c

Filesize: 254B
MD5: f5bb844fad4358e5978f5b9245de9fb3
SHA1: a98c49b6af53d95fef89f1715676e3996345ffd8
SHA256: 2ef868d18ee4bba55263968a44954edba626b91255c0b4ce36f438f6b28d3614
SHA512: d1be8df2fd24c7fc87be9e06cbe2504a907499c74d0d34be30700c202a063ac9108be3da8656bc01231742e1b9a8cb1c1948d4a86dbcb7e514cdd3259d4200b8