Analysis
max time kernel: 136s
max time network: 157s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2023, 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 05676168e4ed43f6ea3cb1783b735283.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 05676168e4ed43f6ea3cb1783b735283.exe
  Resource: win10v2004-20231215-en
General
Target: 05676168e4ed43f6ea3cb1783b735283.exe
Size: 292KB
MD5: 05676168e4ed43f6ea3cb1783b735283
SHA1: 7ed674ae3f4f9393a155b132dec7b39800b38367
SHA256: 86552fba77400f1359af00f97a27e7820e1b6c1469b598ea499152f450a2095c
SHA512: db4fdfd54f7387e7f1125eb90eae56e96ef1cf0d885fc3903046fb5e2067086ffc3062e1b9d60a089845b82c558b0454e00bd3c8047e09a66ce8ecf4414ad485
SSDEEP: 6144:H+b/aw1CWomVowlPBrt8yJn3ZG6zhbJbABGuT9XHZO6lqUzqB:cFsHmPpaqpnzhbBNuT9X5O6Ne
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2000  cmd.exe
Executes dropped EXE (1 IoC)
  pid 2196  Hacker.com.cn.ini
Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (Hacker.com.cn.ini)
Drops file in Windows directory (3 IoCs)
  File created                  C:\Windows\Hacker.com.cn.ini  (05676168e4ed43f6ea3cb1783b735283.exe)
  File opened for modification  C:\Windows\Hacker.com.cn.ini  (05676168e4ed43f6ea3cb1783b735283.exe)
  File created                  C:\Windows\uninstal.bat  (05676168e4ed43f6ea3cb1783b735283.exe)
Modifies data under HKEY_USERS (28 IoCs, all by Hacker.com.cn.ini)
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00af000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}\WpadDecisionReason = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}\32-ca-7b-f4-e5-1a
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}\WpadDecisionTime = 80585145013bda01
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}\WpadNetworkName = "Network 3"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ca-7b-f4-e5-1a\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ca-7b-f4-e5-1a\WpadDecisionTime = 80585145013bda01
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ca-7b-f4-e5-1a\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ca-7b-f4-e5-1a
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ca-7b-f4-e5-1a\WpadDetectedUrl
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00af000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}\WpadDecisionTime = e0d52e7b013bda01
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77247D66-7A1C-4793-80A3-8B5D16B7DAF9}
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ca-7b-f4-e5-1a\WpadDecisionTime = e0d52e7b013bda01
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1964  05676168e4ed43f6ea3cb1783b735283.exe
  Token: SeDebugPrivilege  pid 2196  Hacker.com.cn.ini
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2196  Hacker.com.cn.ini
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2196 (Hacker.com.cn.ini) wrote to memory of PID 1540 (IEXPLORE.EXE in the process tree), procid_target 29: 4 events
  PID 1964 (05676168e4ed43f6ea3cb1783b735283.exe) wrote to memory of PID 2000 (cmd.exe in the process tree), procid_target 31: 7 events
Processes
C:\Users\Admin\AppData\Local\Temp\05676168e4ed43f6ea3cb1783b735283.exe  (PID 1964, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\05676168e4ed43f6ea3cb1783b735283.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 2000, level 2, child of PID 1964)
    command line: cmd /c C:\Windows\uninstal.bat
    - Deletes itself
C:\Windows\Hacker.com.cn.ini  (PID 2196, level 1)
  command line: C:\Windows\Hacker.com.cn.ini
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 1540, level 2, child of PID 2196)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
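The signatures and process tree above record three behaviours that are worth turning into host detections outside the sandbox: a PE executed under the non-executable extension .ini from C:\Windows, a dropper that writes a batch file, launches it with cmd /c and is then deleted by that cmd.exe, and a cross-process memory write from the dropped binary into IEXPLORE.EXE. The Python below is an added example and is not part of the sandbox report or the sample. It runs those three rules over constructed Sysmon-style event records: the PIDs, image paths and command lines are taken from the report, while the event ordering, the explicit file_delete record (the report only says cmd.exe "deletes itself"), the Event schema and the browser list are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Extensions Windows treats as directly executable images; a process whose image
# has any other extension is a masqueraded PE (here: a .ini that is really an EXE).
EXEC_EXT = {".exe", ".com", ".scr", ".pif"}
# Browser images that are common injection targets (assumed list).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed schema for this example)."""
    kind: str               # process_create | file_create | file_delete | remote_write
    pid: int                # acting process
    image: str              # acting process image path
    cmdline: str = ""       # process_create only
    parent_pid: int = 0     # process_create only
    target: str = ""        # file path (file_*) or target image (remote_write)
    target_pid: int = 0     # remote_write only


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\05676168e4ed43f6ea3cb1783b735283.exe"
DROPPED = r"C:\Windows\Hacker.com.cn.ini"
BATCH = r"C:\Windows\uninstal.bat"
IE = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed telemetry mirroring the report's process tree and file IoCs.
EVENTS = [
    Event("process_create", 1964, DROPPER, cmdline=f'"{DROPPER}"'),
    Event("file_create", 1964, DROPPER, target=DROPPED),
    Event("file_create", 1964, DROPPER, target=BATCH),
    Event("process_create", 2196, DROPPED, cmdline=DROPPED),
    Event("process_create", 1540, IE, cmdline=f'"{IE}"', parent_pid=2196),
    Event("remote_write", 2196, DROPPED, target=IE, target_pid=1540),
    Event("process_create", 2000, CMD, cmdline=f"cmd /c {BATCH}", parent_pid=1964),
    Event("file_delete", 2000, CMD, target=DROPPER),   # assumed: the batch removes the dropper
]


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def masqueraded_images(events: List[Event]) -> List[str]:
    """Images launched as processes although their extension is not an executable one."""
    return [e.image for e in events
            if e.kind == "process_create" and _ext(e.image) not in EXEC_EXT]


def self_deleting_droppers(events: List[Event]) -> List[str]:
    """Images that wrote a .bat, ran it via 'cmd /c' as a child, and were deleted by that cmd."""
    writers = {}  # (writer pid, lower-cased .bat path) -> writer image
    for e in events:
        if e.kind == "file_create" and _ext(e.target) == ".bat":
            writers[(e.pid, e.target.lower())] = e.image
    batch_cmds = {}  # cmd.exe pid -> image of the parent that wrote the batch it runs
    for e in events:
        if e.kind == "process_create" and ntpath.basename(e.image).lower() == "cmd.exe":
            m = re.search(r'/c\s+"?([^"]+\.bat)', e.cmdline, re.I)
            if m and (e.parent_pid, m.group(1).lower()) in writers:
                batch_cmds[e.pid] = writers[(e.parent_pid, m.group(1).lower())]
    return [e.target for e in events
            if e.kind == "file_delete" and e.pid in batch_cmds
            and e.target.lower() == batch_cmds[e.pid].lower()]


def browser_injections(events: List[Event]) -> List[tuple]:
    """(source image, target basename) for cross-process writes into a browser."""
    return [(e.image, ntpath.basename(e.target)) for e in events
            if e.kind == "remote_write" and e.pid != e.target_pid
            and ntpath.basename(e.target).lower() in BROWSERS]


def run_rules(events: List[Event]) -> Dict[str, list]:
    return {
        "masquerading": masqueraded_images(events),
        "self_delete": self_deleting_droppers(events),
        "browser_injection": browser_injections(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        print(f"{rule}: {hits}")
```

The self-delete rule deliberately requires all three links (the parent wrote the batch, spawned cmd.exe to run it, and the same cmd.exe deleted the parent's image) so that ordinary installers that merely run a .bat do not fire it; the masquerading rule is the cheapest of the three and would already catch C:\Windows\Hacker.com.cn.ini on its own.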
Network
MITRE ATT&CK Matrix
Downloads
File 1 (hashes match the submitted sample)
  Filesize: 292KB
  MD5: 05676168e4ed43f6ea3cb1783b735283
  SHA1: 7ed674ae3f4f9393a155b132dec7b39800b38367
  SHA256: 86552fba77400f1359af00f97a27e7820e1b6c1469b598ea499152f450a2095c
  SHA512: db4fdfd54f7387e7f1125eb90eae56e96ef1cf0d885fc3903046fb5e2067086ffc3062e1b9d60a089845b82c558b0454e00bd3c8047e09a66ce8ecf4414ad485
File 2
  Filesize: 190B
  MD5: dfe981ff29435fddabf543fb62cd9d17
  SHA1: 057b65f12cb8db226450dad9c36ac17b72e853b9
  SHA256: 0371329badc63ef1356d62babf8231a408085f85cb2dd604a1ea67112f515374
  SHA512: 50dfd417d3399b4fab831a7416adbd89e92eeb85bac61a5bee72c0340258d5720c58ee3e25a63a24316e54e91dfad85c0d268917883b86577d1d9ffa60f86d0d