a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf

General

Target

a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
Size

297KB
MD5

86ba01e1c30edf9284103b0e94aaa001
SHA1

4f427b906efbbd5f7d4ab349de91893391e3a214
SHA256

a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf
SHA512

46ce2db62631c22ecf1261b4f8b4a90489f19ada9f6f5a8ab7b9ac5c31ff34a81cc8e3a13d2c12945f5304ccf87a2b2549f0a68e63586edee353c92bd9f1f09a
SSDEEP

6144:M2GtJf/f0/+p0irV7PlqL5Em5teKUfqCgT6JjrI//6pOK7/y+3OGP/5:M24fX3p0irV7mJUf7gToQXUJ7qgJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5048	Hacker.com.cn.ini

Loads dropped DLL 2 IoCs

pid	Process
5048	Hacker.com.cn.ini
5048	Hacker.com.cn.ini

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\huaxiac1\VZHATH.DAT	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
File created	C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
File opened for modification	C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
Token: SeDebugPrivilege	5048	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5048	Hacker.com.cn.ini

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5048	Hacker.com.cn.ini
5048	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4752	5048	Hacker.com.cn.ini	84
PID 5048 wrote to memory of 4752	5048	Hacker.com.cn.ini	84

C:\Users\Admin\AppData\Local\Temp\a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe
"C:\Users\Admin\AppData\Local\Temp\a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini
"C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini

Filesize
297KB

MD5
86ba01e1c30edf9284103b0e94aaa001

SHA1
4f427b906efbbd5f7d4ab349de91893391e3a214

SHA256
a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf

SHA512
46ce2db62631c22ecf1261b4f8b4a90489f19ada9f6f5a8ab7b9ac5c31ff34a81cc8e3a13d2c12945f5304ccf87a2b2549f0a68e63586edee353c92bd9f1f09a

Download Submit
C:\Program Files (x86)\huaxiac1\Hacker.com.cn.ini

Filesize
297KB

MD5
86ba01e1c30edf9284103b0e94aaa001

SHA1
4f427b906efbbd5f7d4ab349de91893391e3a214

SHA256
a39a2acdfbbda1cfa094f3a27ea9c886c87250f399a1ca270e306b6f0d136adf

SHA512
46ce2db62631c22ecf1261b4f8b4a90489f19ada9f6f5a8ab7b9ac5c31ff34a81cc8e3a13d2c12945f5304ccf87a2b2549f0a68e63586edee353c92bd9f1f09a

Download Submit
C:\Program Files (x86)\huaxiac1\VZHATH.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Program Files (x86)\huaxiac1\VZHATH.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Program Files (x86)\huaxiac1\VZHATH.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
memory/1944-132-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1944-133-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1944-138-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/5048-136-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/5048-137-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/5048-142-0x0000000001030000-0x0000000001042000-memory.dmp

Filesize
72KB

Download
memory/5048-143-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing