c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc

General

Target

c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe
Size

1.2MB
MD5

337e82aa994f23b2ba868eb52eed40fa
SHA1

8ea48665ec85999b07517776b27f556d6803a695
SHA256

c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc
SHA512

26139f08c2014adba5bafc3b3aeacad461ecab90c6fb83d74c63a03780cc41c35a3853489400acac4ac74801226a4bbfc32f3fbc53242f175d9b87c9201f6a73
SSDEEP

24576:kNcJihxeoe8hn2ERIYbyvG5MZtYuRyLkpTP7rKeb9:k5hx7RIuqkMZtjkkpz7r

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1176	AHong.exe

Loads dropped DLL 2 IoCs

pid	Process
1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe
2736	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1892-1-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1892-16-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1892-24-0x0000000010000000-0x0000000010018000-memory.dmp	upx

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MUICACHE	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2792	shutdown.exe
Token: SeRemoteShutdownPrivilege	2792	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe
1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1176	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	28
PID 1892 wrote to memory of 1176	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	28
PID 1892 wrote to memory of 1176	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	28
PID 1892 wrote to memory of 1176	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	28
PID 1892 wrote to memory of 2660	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	30
PID 1892 wrote to memory of 2660	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	30
PID 1892 wrote to memory of 2660	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	30
PID 1892 wrote to memory of 2660	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	30
PID 1892 wrote to memory of 2752	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	32
PID 1892 wrote to memory of 2752	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	32
PID 1892 wrote to memory of 2752	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	32
PID 1892 wrote to memory of 2752	1892	c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe	32
PID 2660 wrote to memory of 2792	2660	cmd.exe	34
PID 2660 wrote to memory of 2792	2660	cmd.exe	34
PID 2660 wrote to memory of 2792	2660	cmd.exe	34
PID 2660 wrote to memory of 2792	2660	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe
"C:\Users\Admin\AppData\Local\Temp\c4d799f00a1bc6a8177a6270e2f83366198f8899c263dc9c2f791e865df620dc.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\AHong.exe
  C:\Users\Admin\AppData\Local\Temp\AHong.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\mrMUyw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\shutdown.exe
    Shutdown -a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\\1.bat
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\1.bat

Filesize
279B

MD5
a650f258356cdffe5fc0e70e6ed1b562

SHA1
097f2b4a64729429ef975c1f5d9a70b0fb2d0912

SHA256
dbcf698e76cf14caed49bcaa9608ad6a8d416d848eba3c0eae4f9894c8309333

SHA512
8c9f8f2d73979a112cef0cc23ceed766d8bbd5353607e43d79a0c0a21b05c2ad1eb6f478dad6cc3ed8ac783c2a45e8417ca90107c4dd91567defde61b5d2e933

Download Submit
C:\Users\Admin\AppData\1.bat

Filesize
279B

MD5
a650f258356cdffe5fc0e70e6ed1b562

SHA1
097f2b4a64729429ef975c1f5d9a70b0fb2d0912

SHA256
dbcf698e76cf14caed49bcaa9608ad6a8d416d848eba3c0eae4f9894c8309333

SHA512
8c9f8f2d73979a112cef0cc23ceed766d8bbd5353607e43d79a0c0a21b05c2ad1eb6f478dad6cc3ed8ac783c2a45e8417ca90107c4dd91567defde61b5d2e933

Download Submit
C:\Users\Admin\AppData\Local\Temp\AHong.exe

Filesize
20KB

MD5
809fd2d7b7062c2f1b8edc22509143c6

SHA1
2cf67e0799f613d3a9fcc0ece539ec9df69b6229

SHA256
b42c24e94e2dac2851dcbe0f01d84471d15b72ca9c4617427816134aac2b26ee

SHA512
7aac05bd84af2c715180f8649ca845227e16e48d6b5c1550eeff38410429874e024bd32946068a6731d50eeeb0fea2cd4fa6d5bb2b913d83df55593820ec7d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrMUyw.bat

Filesize
972B

MD5
68935795b03ad72116774832cc273817

SHA1
1b9d33b9479403c780d705947d7bbd724ad4ddce

SHA256
30e14a8f8288b6a8ebaaad6b655776cdf8532b30a2f24fa9f23b6839be95a29a

SHA512
085d7356463deafd8ff424e4661d2163400f39213fde1c3cbbe20f299aa17fa39b42d74742614a7b22760724ce2b6f250596fa19fd1a99359b98a600a01f4f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrMUyw.bat

Filesize
972B

MD5
68935795b03ad72116774832cc273817

SHA1
1b9d33b9479403c780d705947d7bbd724ad4ddce

SHA256
30e14a8f8288b6a8ebaaad6b655776cdf8532b30a2f24fa9f23b6839be95a29a

SHA512
085d7356463deafd8ff424e4661d2163400f39213fde1c3cbbe20f299aa17fa39b42d74742614a7b22760724ce2b6f250596fa19fd1a99359b98a600a01f4f7b

Download Submit
\Users\Admin\AppData\Local\Temp\AHong.exe

Filesize
20KB

MD5
809fd2d7b7062c2f1b8edc22509143c6

SHA1
2cf67e0799f613d3a9fcc0ece539ec9df69b6229

SHA256
b42c24e94e2dac2851dcbe0f01d84471d15b72ca9c4617427816134aac2b26ee

SHA512
7aac05bd84af2c715180f8649ca845227e16e48d6b5c1550eeff38410429874e024bd32946068a6731d50eeeb0fea2cd4fa6d5bb2b913d83df55593820ec7d85

Download Submit
\Users\Admin\AppData\Local\Temp\AHong.exe

Filesize
20KB

MD5
809fd2d7b7062c2f1b8edc22509143c6

SHA1
2cf67e0799f613d3a9fcc0ece539ec9df69b6229

SHA256
b42c24e94e2dac2851dcbe0f01d84471d15b72ca9c4617427816134aac2b26ee

SHA512
7aac05bd84af2c715180f8649ca845227e16e48d6b5c1550eeff38410429874e024bd32946068a6731d50eeeb0fea2cd4fa6d5bb2b913d83df55593820ec7d85

Download Submit
memory/1892-1-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1892-16-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1892-24-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing