a9724025f65fe8d1c8349c997381cba43b69b01ae9bcbbac776b91aebd14ab4e

General

Target

062afcf4bc4cae5b76a1bfa4168f5b7e.exe
Size

688KB
MD5

062afcf4bc4cae5b76a1bfa4168f5b7e
SHA1

eef756f2289ca0e8da36895580b2a85501db58c6
SHA256

a9724025f65fe8d1c8349c997381cba43b69b01ae9bcbbac776b91aebd14ab4e
SHA512

3ae59eb3013603b7afa513e688fb1112867add06bb7b83faa9caf5df1139bb42c3f4485e31036abf40d3f5a3483a0d55c5a644a77d648e4d907d73be67a86e04
SSDEEP

12288:S+ldOo5gkI8T73A5vmvyVwyF3Z4mxxp8VBO+fMlLYve5yM4:zgi73Asq5QmXp8VBO+q56

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
64	4.exe
4612	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	062afcf4bc4cae5b76a1bfa4168f5b7e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	64	4.exe
Token: SeDebugPrivilege	4612	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4612	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 64	2952	062afcf4bc4cae5b76a1bfa4168f5b7e.exe	18
PID 2952 wrote to memory of 64	2952	062afcf4bc4cae5b76a1bfa4168f5b7e.exe	18
PID 2952 wrote to memory of 64	2952	062afcf4bc4cae5b76a1bfa4168f5b7e.exe	18
PID 4612 wrote to memory of 4840	4612	Hacker.com.cn.exe	19
PID 4612 wrote to memory of 4840	4612	Hacker.com.cn.exe	19

C:\Users\Admin\AppData\Local\Temp\062afcf4bc4cae5b76a1bfa4168f5b7e.exe
"C:\Users\Admin\AppData\Local\Temp\062afcf4bc4cae5b76a1bfa4168f5b7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:64

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:4840

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-33-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/64-39-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2952-17-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2952-13-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2952-27-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2952-4-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2952-26-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2952-25-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2952-24-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2952-23-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2952-14-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2952-21-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2952-20-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2952-19-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2952-18-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2952-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2952-5-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2952-16-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2952-22-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2952-15-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2952-12-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2952-11-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2952-10-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2952-9-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2952-1-0x0000000000670000-0x00000000006C4000-memory.dmp

Filesize
336KB

Download
memory/2952-2-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2952-8-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2952-7-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2952-6-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2952-3-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2952-41-0x0000000000670000-0x00000000006C4000-memory.dmp

Filesize
336KB

Download
memory/2952-40-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/4612-38-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/4612-42-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads