855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
Size

662KB
MD5

c6b01a57eb53feea05cbab7c1fc39c03
SHA1

2ad9c7719783498514e712e450a0adaf60d09e6d
SHA256

855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397
SHA512

e576d0e5f32662bae817148dad9a7bce43ec971875924286c26c2b7745adec73c63976696545884640c7c8844274215bde3b80f7d692ef55f2914701d12daac7
SSDEEP

12288:4ZoiuvhPq6VHX/wuoVjGFrGzcY7Vr8bBTgF3Z4mxxbgRoM9KkONLha4nfKE:cPuvhy61DFNY7R8bBgQmXbgOoGLPfKE

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2008	Server.exe
1488	Hacker.com.cn.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000014b75-56.dat	upx
behavioral1/files/0x000a000000014b75-57.dat	upx
behavioral1/files/0x000a000000014b75-59.dat	upx
behavioral1/memory/2008-62-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x000a000000014b75-63.dat	upx
behavioral1/files/0x0008000000014d16-64.dat	upx
behavioral1/files/0x0008000000014d16-66.dat	upx
behavioral1/memory/2008-68-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1488-70-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1488-72-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
784	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
784	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server.exe
File created	C:\Windows\uninstal.bat	Server.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecisionTime = 80b2a14a6307d901	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadNetworkName = "Network 3"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecisionTime = c083f2156307d901	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecisionReason = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\7a-76-83-60-f3-cf	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecisionTime = c083f2156307d901	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecision = "0"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecision = "0"	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDetectedUrl	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecisionTime = 80b2a14a6307d901	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf	Hacker.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	Server.exe
Token: SeDebugPrivilege	1488	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1488	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2008	784	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe	26
PID 784 wrote to memory of 2008	784	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe	26
PID 784 wrote to memory of 2008	784	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe	26
PID 784 wrote to memory of 2008	784	855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe	26
PID 1488 wrote to memory of 1732	1488	Hacker.com.cn.exe	28
PID 1488 wrote to memory of 1732	1488	Hacker.com.cn.exe	28
PID 1488 wrote to memory of 1732	1488	Hacker.com.cn.exe	28
PID 1488 wrote to memory of 1732	1488	Hacker.com.cn.exe	28
PID 2008 wrote to memory of 1724	2008	Server.exe	29
PID 2008 wrote to memory of 1724	2008	Server.exe	29
PID 2008 wrote to memory of 1724	2008	Server.exe	29
PID 2008 wrote to memory of 1724	2008	Server.exe	29
PID 2008 wrote to memory of 1724	2008	Server.exe	29
PID 2008 wrote to memory of 1724	2008	Server.exe	29
PID 2008 wrote to memory of 1724	2008	Server.exe	29

C:\Users\Admin\AppData\Local\Temp\855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
"C:\Users\Admin\AppData\Local\Temp\855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1724

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
295KB

MD5
620acaa531c9ed2e93d57bb02a49d463

SHA1
b81fe0a9a1c49c7fdbc28d131500746eb8715b13

SHA256
5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

SHA512
4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
295KB

MD5
620acaa531c9ed2e93d57bb02a49d463

SHA1
b81fe0a9a1c49c7fdbc28d131500746eb8715b13

SHA256
5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

SHA512
4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
295KB

MD5
620acaa531c9ed2e93d57bb02a49d463

SHA1
b81fe0a9a1c49c7fdbc28d131500746eb8715b13

SHA256
5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

SHA512
4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
295KB

MD5
620acaa531c9ed2e93d57bb02a49d463

SHA1
b81fe0a9a1c49c7fdbc28d131500746eb8715b13

SHA256
5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

SHA512
4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

Download Submit
C:\Windows\uninstal.bat

Filesize
160B

MD5
69e01c599950b5caf5cd7ec972f89682

SHA1
2d34ceced77c1f86417c00f706e06cc902b11e3b

SHA256
b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e

SHA512
48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
295KB

MD5
620acaa531c9ed2e93d57bb02a49d463

SHA1
b81fe0a9a1c49c7fdbc28d131500746eb8715b13

SHA256
5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

SHA512
4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
295KB

MD5
620acaa531c9ed2e93d57bb02a49d463

SHA1
b81fe0a9a1c49c7fdbc28d131500746eb8715b13

SHA256
5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e

SHA512
4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

Download Submit
memory/784-61-0x0000000003160000-0x0000000003228000-memory.dmp

Filesize
800KB

Download
memory/784-54-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/784-69-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/784-55-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/1488-72-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1488-70-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2008-68-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2008-62-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2008-60-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download