d4841c04eecd44d2483ca32c2ecdb673ea704f49023dad8995dead384018220d

General

Target

01a8b7b6c17cdd9c150bd704a572d74d.exe
Size

634KB
MD5

01a8b7b6c17cdd9c150bd704a572d74d
SHA1

983da6d7ff98e101bba46ca6756f0c4f991a0fe3
SHA256

d4841c04eecd44d2483ca32c2ecdb673ea704f49023dad8995dead384018220d
SHA512

8d910d12e5f5b9b144f9d77cb92fead4af44d259b12c74b32220a095e8a1179f36da019635b2e185d61782a1eb782ee353b3124024a5d2609d5d6d1a0111dd79
SSDEEP

12288:rJiFdnohYv6M16uxobEeCHFcKYQbX311c2obY70uulCSZe:rgFdnaS16ANeQbHRocEsR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4768	HONGCK~1.EXE
2000	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01a8b7b6c17cdd9c150bd704a572d74d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	HONGCK~1.EXE
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	HONGCK~1.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	HONGCK~1.EXE
Token: SeDebugPrivilege	2000	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2000	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4768	4392	01a8b7b6c17cdd9c150bd704a572d74d.exe	91
PID 4392 wrote to memory of 4768	4392	01a8b7b6c17cdd9c150bd704a572d74d.exe	91
PID 4392 wrote to memory of 4768	4392	01a8b7b6c17cdd9c150bd704a572d74d.exe	91
PID 2000 wrote to memory of 1884	2000	Hacker.com.cn.exe	93
PID 2000 wrote to memory of 1884	2000	Hacker.com.cn.exe	93

C:\Users\Admin\AppData\Local\Temp\01a8b7b6c17cdd9c150bd704a572d74d.exe
"C:\Users\Admin\AppData\Local\Temp\01a8b7b6c17cdd9c150bd704a572d74d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HONGCK~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HONGCK~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4768

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
"C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

Filesize
652KB

MD5
d0613ad55b3797894bdbec3374378212

SHA1
c1446f188677e34f266ee32b866f486b8a6c7afb

SHA256
911b85773030f8beedaf70af98ab060ed4ff42778c0ea86d279a48daeb5b4926

SHA512
ab18985d3cb6c7bb06eff1766cba9ef2648cf951c03387e7f6c567f471721e5241efacc8b35dc356794afb73ae5fd6083e9bfc1354a1ae90b058fa44bfe68f12

Download Submit
C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

Filesize
743KB

MD5
25c48f451bf80b8985a6a839d270c9b2

SHA1
c75edaa1adca29c559a31509264495ac1512c42b

SHA256
f316861c1828c391b454f26fd33a4735f1d831c5c0431e0ac0ae680eaeb466ab

SHA512
2035f6bc8e4997aa743c263129c0cb473c708266f39407705ed5a4dcec43e3169d37fcfff8608769b30350761a8542c1854d74d0ae6a055e79ae4b420fdbc30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HONGCK~1.EXE

Filesize
437KB

MD5
ab9fb52c61cc2b421adebd3a69f879d8

SHA1
7d8c03aaaa02c98f4219cfbb72c911dcdfa7a9c3

SHA256
9ef98fd033ec935f4409b411603a636461bcb46e239aea04e45ab3d926038ce3

SHA512
f220e88381e75f142da48e12c2f30f525bac97452ca683c3ed3b56a4be7aaa546f74412ce3613039c7bc7a1fa41cb16075f3e0d24d4a208c4614e155982b3805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HONGCK~1.EXE

Filesize
294KB

MD5
f95a164d19acbf25f937787fb8f4062e

SHA1
96e1d86564d370db3a7eb9033052a9aa7ba26f35

SHA256
5752574b71b4e9581b5ad5cea9a040cd176c1223b4a25a2e77fa72421144369f

SHA512
035e9096587d54264bbfec120c3bd23dfe26005b1a817d6fb7d7d7556dff48bc77f6fd1428a483346f77e28a1a140b6af28e66e8173c41a9fa2a4fed5cd15af6

Download Submit
memory/2000-27-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2000-23-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4392-7-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4392-12-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4392-10-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/4392-8-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4392-0-0x0000000001000000-0x0000000001105000-memory.dmp

Filesize
1.0MB

Download
memory/4392-5-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4392-3-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4392-26-0x0000000000560000-0x00000000005B0000-memory.dmp

Filesize
320KB

Download
memory/4392-9-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4392-11-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/4392-6-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/4392-4-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4392-2-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4392-1-0x0000000000560000-0x00000000005B0000-memory.dmp

Filesize
320KB

Download
memory/4392-25-0x0000000001000000-0x0000000001105000-memory.dmp

Filesize
1.0MB

Download
memory/4768-18-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4768-24-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads