e76ff4a68e6c6c030b32b73f630c7496ee8bbfd585ad2010b7244150429707f9

Analysis

max time kernel
0s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 10:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66ff87e56714ca6ce36c247749d25b8b.exe
Size

680KB
MD5

66ff87e56714ca6ce36c247749d25b8b
SHA1

eda08481cb049ab43e32182a72fad007b38f1692
SHA256

e76ff4a68e6c6c030b32b73f630c7496ee8bbfd585ad2010b7244150429707f9
SHA512

346218c24ba38641f874d6ae0cbfde66bd52151f1b2fdeb465df782764453bd722c3e5216f0f359a91b0d95caeb06b2ec302b68d6891d2319c524982dec53c0b
SSDEEP

12288:Gu1s8wbQTxN2aNlPa7D5Lw95SkZPVHrtv2qTgUM1o7gFbb47pF:GlzbQVNL1gDqWkbrl9

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4856	3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66ff87e56714ca6ce36c247749d25b8b.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\Server.jpg	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4856	4888	66ff87e56714ca6ce36c247749d25b8b.exe	24
PID 4888 wrote to memory of 4856	4888	66ff87e56714ca6ce36c247749d25b8b.exe	24
PID 4888 wrote to memory of 4856	4888	66ff87e56714ca6ce36c247749d25b8b.exe	24

C:\Users\Admin\AppData\Local\Temp\66ff87e56714ca6ce36c247749d25b8b.exe
"C:\Users\Admin\AppData\Local\Temp\66ff87e56714ca6ce36c247749d25b8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4856

C:\program files\common files\microsoft shared\msinfo\Server.exe
"C:\program files\common files\microsoft shared\msinfo\Server.exe"
1⤵
PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4660

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
PID:1808
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-53-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1808-58-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1808-57-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1808-56-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1808-50-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2456-39-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2456-47-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2456-54-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2456-43-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2456-42-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2456-40-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2456-41-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4856-23-0x00000000031D0000-0x00000000031D4000-memory.dmp

Filesize
16KB

Download
memory/4856-19-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4856-28-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/4856-27-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/4856-25-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/4856-24-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/4856-8-0x0000000001EA0000-0x0000000001EF4000-memory.dmp

Filesize
336KB

Download
memory/4856-22-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4856-21-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4856-38-0x0000000001EA0000-0x0000000001EF4000-memory.dmp

Filesize
336KB

Download
memory/4856-26-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/4856-29-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/4856-20-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4856-37-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4856-18-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4856-17-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/4856-16-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4856-15-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4856-14-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4856-11-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/4856-10-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/4856-9-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4856-7-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4888-44-0x0000000001000000-0x00000000010AD000-memory.dmp

Filesize
692KB

Download
memory/4888-0-0x0000000001000000-0x00000000010AD000-memory.dmp

Filesize
692KB

Download
memory/4888-1-0x0000000001000000-0x00000000010AD000-memory.dmp

Filesize
692KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads