99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb

General

Target

99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe
Size

693KB
MD5

6ec313496af11b0a57701ee582afdb33
SHA1

ddb29725e8520a9a0de4a4c1aa54a7900322a1f9
SHA256

99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb
SHA512

ce7a731113f0a527092ee90b7b037096081464157100372ae044fba321c5647f5894511445dc0b517a5e104756fd8f4db6718eab21242fa96b43f1ef56a4cb0b
SSDEEP

12288:Nsq1LZBSk8s/uWr+FpKqy3RlU3rZA0MKHUTTfxyF3Z4mxxWCDP0QFqrjAi0V08:Nsqp/Se/4RMRGb7MKuTpyQmX57YeVF

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b000000012306-54.dat	aspack_v212_v242
behavioral1/files/0x000b000000012306-55.dat	aspack_v212_v242
behavioral1/files/0x000b000000012306-57.dat	aspack_v212_v242
behavioral1/files/0x000b000000012306-59.dat	aspack_v212_v242
behavioral1/files/0x000800000001231c-62.dat	aspack_v212_v242
behavioral1/files/0x000800000001231c-64.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1508	SERVER~1.EXE
364	Hack48.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe
1996	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hack48.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	SERVER~1.EXE
File created	C:\Windows\Hack48.com.cn.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hack48.com.cn.exe	SERVER~1.EXE

Modifies data under HKEY_USERS 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hack48.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hack48.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2AE254A0-F732-484A-97FB-E0C90807DC4B}\WpadDecisionTime = 004207e35809d901	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hack48.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hack48.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0048000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2AE254A0-F732-484A-97FB-E0C90807DC4B}	Hack48.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2AE254A0-F732-484A-97FB-E0C90807DC4B}\WpadNetworkName = "Network 2"	Hack48.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-de-de-26-22-3d\WpadDecisionTime = 004207e35809d901	Hack48.com.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2AE254A0-F732-484A-97FB-E0C90807DC4B}\WpadDecisionReason = "1"	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2AE254A0-F732-484A-97FB-E0C90807DC4B}\WpadDecision = "0"	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-de-de-26-22-3d\WpadDecision = "0"	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hack48.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-de-de-26-22-3d\WpadDetectedUrl	Hack48.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-de-de-26-22-3d	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2AE254A0-F732-484A-97FB-E0C90807DC4B}\52-de-de-26-22-3d	Hack48.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-de-de-26-22-3d\WpadDecisionReason = "1"	Hack48.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hack48.com.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hack48.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	SERVER~1.EXE
Token: SeDebugPrivilege	364	Hack48.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
364	Hack48.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1508	1996	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe	28
PID 1996 wrote to memory of 1508	1996	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe	28
PID 1996 wrote to memory of 1508	1996	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe	28
PID 1996 wrote to memory of 1508	1996	99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe	28
PID 364 wrote to memory of 568	364	Hack48.com.cn.exe	30
PID 364 wrote to memory of 568	364	Hack48.com.cn.exe	30
PID 364 wrote to memory of 568	364	Hack48.com.cn.exe	30
PID 364 wrote to memory of 568	364	Hack48.com.cn.exe	30
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31
PID 1508 wrote to memory of 1116	1508	SERVER~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe
"C:\Users\Admin\AppData\Local\Temp\99cc03acd9c33e6488ccade071c2e1be1274c3361c5e2bb907e98bcc3ced73fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1116

C:\Windows\Hack48.com.cn.exe
C:\Windows\Hack48.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
292KB

MD5
ffb4145e4bfe57301410e99dca9386a5

SHA1
5627c477c67fcda4211a5e1b4ec32ee074008a91

SHA256
e7fa430efc41837882331b060107b51cd8784f1d1a0454944dbdc75ab007d3c9

SHA512
7bd45fc4be22b3009ac3045b4753ec9f0d862a7d0f819cbab9c320bed5445b98d97e1939ca7e81ceb0d67256da72af101e339edf54352eb5abbd28dcc1ebe0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
292KB

MD5
ffb4145e4bfe57301410e99dca9386a5

SHA1
5627c477c67fcda4211a5e1b4ec32ee074008a91

SHA256
e7fa430efc41837882331b060107b51cd8784f1d1a0454944dbdc75ab007d3c9

SHA512
7bd45fc4be22b3009ac3045b4753ec9f0d862a7d0f819cbab9c320bed5445b98d97e1939ca7e81ceb0d67256da72af101e339edf54352eb5abbd28dcc1ebe0aa

Download Submit
C:\Windows\Hack48.com.cn.exe

Filesize
292KB

MD5
ffb4145e4bfe57301410e99dca9386a5

SHA1
5627c477c67fcda4211a5e1b4ec32ee074008a91

SHA256
e7fa430efc41837882331b060107b51cd8784f1d1a0454944dbdc75ab007d3c9

SHA512
7bd45fc4be22b3009ac3045b4753ec9f0d862a7d0f819cbab9c320bed5445b98d97e1939ca7e81ceb0d67256da72af101e339edf54352eb5abbd28dcc1ebe0aa

Download Submit
C:\Windows\Hack48.com.cn.exe

Filesize
292KB

MD5
ffb4145e4bfe57301410e99dca9386a5

SHA1
5627c477c67fcda4211a5e1b4ec32ee074008a91

SHA256
e7fa430efc41837882331b060107b51cd8784f1d1a0454944dbdc75ab007d3c9

SHA512
7bd45fc4be22b3009ac3045b4753ec9f0d862a7d0f819cbab9c320bed5445b98d97e1939ca7e81ceb0d67256da72af101e339edf54352eb5abbd28dcc1ebe0aa

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
292KB

MD5
ffb4145e4bfe57301410e99dca9386a5

SHA1
5627c477c67fcda4211a5e1b4ec32ee074008a91

SHA256
e7fa430efc41837882331b060107b51cd8784f1d1a0454944dbdc75ab007d3c9

SHA512
7bd45fc4be22b3009ac3045b4753ec9f0d862a7d0f819cbab9c320bed5445b98d97e1939ca7e81ceb0d67256da72af101e339edf54352eb5abbd28dcc1ebe0aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
292KB

MD5
ffb4145e4bfe57301410e99dca9386a5

SHA1
5627c477c67fcda4211a5e1b4ec32ee074008a91

SHA256
e7fa430efc41837882331b060107b51cd8784f1d1a0454944dbdc75ab007d3c9

SHA512
7bd45fc4be22b3009ac3045b4753ec9f0d862a7d0f819cbab9c320bed5445b98d97e1939ca7e81ceb0d67256da72af101e339edf54352eb5abbd28dcc1ebe0aa

Download Submit
memory/1508-58-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1996-61-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1996-60-0x0000000001000000-0x0000000001162000-memory.dmp

Filesize
1.4MB

Download
memory/1996-66-0x0000000001000000-0x0000000001162000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing