e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5

General

Target

e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe
Size

4.1MB
MD5

0faab9d78060b3b758fb60ca3590f296
SHA1

dcd5ebf0bfe2518fb8f5caa41260a227ed3644b2
SHA256

e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5
SHA512

1f35380ec375b9c1379248185568515f53b7925f7160b55fc446ae21a2b02b894abdb657966faead723f50f1b1e5a418c205c61a9f1d8658e78e44f0038faeb3
SSDEEP

49152:BwljUQVLUV9doisFOga7m3SB+st795DJe7xyjGkEKyOw56tuFKpcMxYywETUzx/y:GvUrqiuOLmCVExSFu/YwETQ4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3940	HMCL-3~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ntdll.pdb	javaw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1120	javaw.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3940	4600	e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe	81
PID 4600 wrote to memory of 3940	4600	e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe	81
PID 4600 wrote to memory of 3940	4600	e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe	81
PID 3940 wrote to memory of 1120	3940	HMCL-3~1.EXE	82
PID 3940 wrote to memory of 1120	3940	HMCL-3~1.EXE	82
PID 1120 wrote to memory of 4004	1120	javaw.exe	83
PID 1120 wrote to memory of 4004	1120	javaw.exe	83

C:\Users\Admin\AppData\Local\Temp\e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe
"C:\Users\Admin\AppData\Local\Temp\e5e0fbdcfb908f68d901b4392759ec0bd835c28f57be6fd25bf7c6d7aff7aaa5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HMCL-3~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HMCL-3~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=15 -jar "HMCL-3~1.EXE"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd ver
      4⤵
      PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HMCL-3~1.EXE

Filesize
4.4MB

MD5
a29167e249e8c1113a92bc033335b998

SHA1
71d097d12491a6e0c9e3b3bffaf98065ab322631

SHA256
bd7c8ea1eea5054a5a5c9c29c4a001c1b8f33036fccbed309801dd6f9e59234c

SHA512
f7aea383587840d34cc3eacbb87a33afb40e76f768c170407c4ea3694451f83d1778fa66647a50ef9a656e098443e1acae192eb66287a426ebe9743ee97d1738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HMCL-3~1.EXE

Filesize
4.4MB

MD5
a29167e249e8c1113a92bc033335b998

SHA1
71d097d12491a6e0c9e3b3bffaf98065ab322631

SHA256
bd7c8ea1eea5054a5a5c9c29c4a001c1b8f33036fccbed309801dd6f9e59234c

SHA512
f7aea383587840d34cc3eacbb87a33afb40e76f768c170407c4ea3694451f83d1778fa66647a50ef9a656e098443e1acae192eb66287a426ebe9743ee97d1738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hs_err_pid1120.log

Filesize
18KB

MD5
e0f4f766182e4de06ced1c536fb0412b

SHA1
4a3b360eb6171e2ffdd000414afa1cb22216a020

SHA256
5efaccccd8861316c76e16b10ad96224507f3c2d3fe625f501c93438251de624

SHA512
e1506efa3885510b6d4acf7bf710a5bd7c785abd21885b80c06c49e5cf986087b117e6851f2f7df4c8152e0f841c839c8e73b8e8510a1a82200209e847024229

Download Submit
memory/1120-140-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/1120-153-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/1120-155-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing