a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf

Analysis

max time kernel
123s
max time network
127s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
Size

297KB
MD5

86ba01e1c30edf9284103b0e94aaa001
SHA1

4f427b906efbbd5f7d4ab349de91893391e3a214
SHA256

a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf
SHA512

46ce2db62631c22ecf1261b4f8b4a90489f19ada9f6f5a8ab7b9ac5c31ff34a81cc8e3a13d2c12945f5304ccf87a2b2549f0a68e63586edee353c92bd9f1f09a
SSDEEP

6144:M2GtJf/f0/+p0irV7PlqL5Em5teKUfqCgT6JjrI//6pOK7/y+3OGP/5:M24fX3p0irV7mJUf7gToQXUJ7qgJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1988	Hacker.com.cn.ini

Loads dropped DLL 1 IoCs

pid	Process
1988	Hacker.com.cn.ini

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.ini

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\huaxiac1\ZOHVWF.DAT	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
File created	C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
File opened for modification	C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}\WpadNetworkName = "Network 3"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-81-af-cf-c7-34\WpadDecisionTime = 705e740b0009d901	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}\WpadDecision = "0"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}\ea-81-af-cf-c7-34	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-81-af-cf-c7-34	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}\WpadDecisionReason = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-81-af-cf-c7-34\WpadDecision = "0"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}\WpadDecisionTime = 705e740b0009d901	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-81-af-cf-c7-34\WpadDetectedUrl	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D278EC1E-D948-43AE-A900-627358D724A7}\WpadDecisionTime = 7043aeceff08d901	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-81-af-cf-c7-34\WpadDecisionTime = 7043aeceff08d901	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-81-af-cf-c7-34\WpadDecisionReason = "1"	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
Token: SeDebugPrivilege	1988	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	Hacker.com.cn.ini

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	Hacker.com.cn.ini
1988	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1528	1988	Hacker.com.cn.ini	27
PID 1988 wrote to memory of 1528	1988	Hacker.com.cn.ini	27
PID 1988 wrote to memory of 1528	1988	Hacker.com.cn.ini	27
PID 1988 wrote to memory of 1528	1988	Hacker.com.cn.ini	27

C:\Users\Admin\AppData\Local\Temp\a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
"C:\Users\Admin\AppData\Local\Temp\a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini
"C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini

Filesize
297KB

MD5
86ba01e1c30edf9284103b0e94aaa001

SHA1
4f427b906efbbd5f7d4ab349de91893391e3a214

SHA256
a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf

SHA512
46ce2db62631c22ecf1261b4f8b4a90489f19ada9f6f5a8ab7b9ac5c31ff34a81cc8e3a13d2c12945f5304ccf87a2b2549f0a68e63586edee353c92bd9f1f09a

Download Submit
C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini

Filesize
297KB

MD5
86ba01e1c30edf9284103b0e94aaa001

SHA1
4f427b906efbbd5f7d4ab349de91893391e3a214

SHA256
a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf

SHA512
46ce2db62631c22ecf1261b4f8b4a90489f19ada9f6f5a8ab7b9ac5c31ff34a81cc8e3a13d2c12945f5304ccf87a2b2549f0a68e63586edee353c92bd9f1f09a

Download Submit
C:\Program Files (x86)\huaxiac1\ZOHVWF.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
\Program Files (x86)\huaxiac1\ZOHVWF.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
memory/1088-54-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1088-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1088-61-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1988-62-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1988-65-0x0000000001D60000-0x0000000001D72000-memory.dmp

Filesize
72KB

Download
memory/1988-66-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download