Analysis
max time kernel: 238s
max time network: 332s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 17:32
Static task: static1
Behavioral task: behavioral1
  Sample: f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
  Resource: win10v2004-20221111-en
General
Target: f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
Size: 316KB
MD5: 8ba6496918e6a28bb44e6ff4675225ae
SHA1: 6ce62b9284e939a846904cf61765a9c0fb2db205
SHA256: f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7
SHA512: 5876e380bf8c081f41773599267ef2a7152c41db386dd9eb68e77048b2aa42552fa1489b824edcd33d649802b74dabd8689cbc737ac4f9a45d3bc761e13643ff
SSDEEP: 6144:85DVzBjn7ctC85AtZA/kimSk/wOw6z+pkT8hcJ2le:855dj7C5RZhaw4+48hG2le
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  788 | Hacker.com.cn.exe
Deletes itself (1 IoC)
  pid | Process
  1524 | cmd.exe
Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | Hacker.com.cn.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Hacker.com.cn.exe | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
  File opened for modification | C:\Windows\Hacker.com.cn.exe | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
  File created | C:\Windows\UNINSTAL.BAT | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
Modifies data under HKEY_USERS (24 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
  Token: SeDebugPrivilege | 788 | Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  788 | Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 788 wrote to memory of 1644 | 788 | Hacker.com.cn.exe | 29
  PID 788 wrote to memory of 1644 | 788 | Hacker.com.cn.exe | 29
  PID 788 wrote to memory of 1644 | 788 | Hacker.com.cn.exe | 29
  PID 788 wrote to memory of 1644 | 788 | Hacker.com.cn.exe | 29
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
  PID 752 wrote to memory of 1524 | 752 | f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7.exe"
  PID: 752
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Windows\UNINSTAL.BAT
    PID: 1524
    - Deletes itself
- C:\Windows\Hacker.com.cn.exe
  command line: C:\Windows\Hacker.com.cn.exe
  PID: 788
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 1644
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 316KB
MD5: 8ba6496918e6a28bb44e6ff4675225ae
SHA1: 6ce62b9284e939a846904cf61765a9c0fb2db205
SHA256: f51b9c6a5ae28f7d98ca5502fc4615fd49e8b54c12acdded697afd63771cbaf7
SHA512: 5876e380bf8c081f41773599267ef2a7152c41db386dd9eb68e77048b2aa42552fa1489b824edcd33d649802b74dabd8689cbc737ac4f9a45d3bc761e13643ff

Filesize: 254B
MD5: 80e1503d9fceefdf691cfc33b4ddabaf
SHA1: 01e31365ec75056107d5e439f64c6a7372784e65
SHA256: 230b96ce4961d06c7836b46194010ed19316856b0204c8b840d5a671cfbfa132
SHA512: ba8344c4449df0730d5735d45b18b62fc6e0d449a5e5a539fe7379a8cc1baf1c92ffe486f6061fbd5f23db224252f1cd0ba92a78e4112937899d53d77b0ad5f0