e02121138494c3d9dd2fd562645cc3ac1eafa1f28c8fe8e7f2c072f80734e5ad

General

Target

00b90a228239015a6ae5e91f645300af.exe
Size

2.3MB
MD5

00b90a228239015a6ae5e91f645300af
SHA1

0b94ebb85712d03a5b4f545833a055420a23e321
SHA256

e02121138494c3d9dd2fd562645cc3ac1eafa1f28c8fe8e7f2c072f80734e5ad
SHA512

9fd2054d4341d703a66d93d6aa58de0a2f2113e6dcea0eccb5082d5a6b36e22a4cc96df8df0921b744fec12e5a3651f00ecce53826c9a9ba2fb2fcd5daa5e54e
SSDEEP

49152:fDfK+gW5pdhoi11+qkPmMbi+Ncu87dlzhDhgMMMZMMMACh43Dp/wPHv:fDfz33dhR11Rkg7NeMMMZMMMACh431/G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2704	KartRider.exe
1140	Server_Setup.exe
2952	Hacker.com.cn.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Server_Setup.exe	00b90a228239015a6ae5e91f645300af.exe
File created	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe
File created	C:\Windows\KartRider.exe	00b90a228239015a6ae5e91f645300af.exe
File opened for modification	C:\Windows\KartRider.exe	00b90a228239015a6ae5e91f645300af.exe
File created	C:\Windows\Server_Setup.exe	00b90a228239015a6ae5e91f645300af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	Server_Setup.exe
Token: SeDebugPrivilege	2952	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2704	2372	00b90a228239015a6ae5e91f645300af.exe	28
PID 2372 wrote to memory of 2704	2372	00b90a228239015a6ae5e91f645300af.exe	28
PID 2372 wrote to memory of 2704	2372	00b90a228239015a6ae5e91f645300af.exe	28
PID 2372 wrote to memory of 2704	2372	00b90a228239015a6ae5e91f645300af.exe	28
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2372 wrote to memory of 1140	2372	00b90a228239015a6ae5e91f645300af.exe	29
PID 2952 wrote to memory of 2636	2952	Hacker.com.cn.exe	31
PID 2952 wrote to memory of 2636	2952	Hacker.com.cn.exe	31
PID 2952 wrote to memory of 2636	2952	Hacker.com.cn.exe	31
PID 2952 wrote to memory of 2636	2952	Hacker.com.cn.exe	31

C:\Users\Admin\AppData\Local\Temp\00b90a228239015a6ae5e91f645300af.exe
"C:\Users\Admin\AppData\Local\Temp\00b90a228239015a6ae5e91f645300af.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\KartRider.exe
  "C:\Windows\KartRider.exe"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\Server_Setup.exe
  "C:\Windows\Server_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1140

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
6860e48870281c5773da51c8639eb85b

SHA1
5a461e8a1960f26794c0e770805dda188e3526bc

SHA256
eb87882a1d7cd501c13d19be7b28be404461cdc6ba7aaee8e37cf590b5ca6232

SHA512
60836ea884b0e2be2567ed425038407c27dcaf082d3e722abcd7489661fbadd756be9cb36e58cab6bbccfe61a92c576d5cb611fb2f21787d8a3aeb36223f36c3

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
386KB

MD5
bcdc7a6de0727f4979ecfd91126c31d6

SHA1
e86e0e76b144a6e722692048faba7e82f63c1564

SHA256
70f6a1707fb95947f1e109184823b7d2354fc35eb1c5639b1c435abd8106fd5b

SHA512
0fffb4792ffcf09972cbf38a5b08472bca0144bff9cf14aa18f69870ba4628a0114e867a17407ad40116f84ba141e955865125443d6aff7a573a2c0f4088c96b

Download Submit
C:\Windows\KartRider.exe

Filesize
1024KB

MD5
f29daae0197b7493e87d85fcdcee63c1

SHA1
c45704ddfa976e1a108e11853152caf3df5050af

SHA256
f4363fb343cdb58774512fb8dc090b3e0a4dd6fe7b17b4b7eff5e766ba8dfae6

SHA512
da0fbc7e71e61353ae13850e126288eea359272aff090c4e876ee125abec1d9e9e2b7907837ef9778b401db6fb0b626563772fc06c85a9536a5506d465a10dfd

Download Submit
C:\Windows\Server_Setup.exe

Filesize
381KB

MD5
f83e420a416fbcecafb0875428644a36

SHA1
8e4be15ff05f979752e02e4a32fc2c515036cb3c

SHA256
eea4dbb7159c9fffe02e2090c5f3ed9f4fc2b4861e71f657aada60f3c5356e78

SHA512
6b7b34a0e3ef8e7708398edef4d0c37edb5244562e5c40d3fe55510a953559cc978f503a10f1ec2c57171546499f2571a19da9fa835e6624dd6ef1392c2462f5

Download Submit
C:\Windows\Server_Setup.exe

Filesize
95KB

MD5
aeaed8b36885bfe15a60d2f646b7e006

SHA1
e6d73d24ad8c394037ea7d09bbba1000188de00c

SHA256
35dfe920afde090dca52cf98882b408f3dad8a28df40488e63e49893324291a7

SHA512
fccb840619b27c97b88c95b3c9650b55c1a46e78c86345a97a9e637c6da504066864bbf8fec44db37c9ad0b235a7914236befafb473cb3e55d50f7701f81b222

Download Submit
C:\Windows\Server_Setup.exe

Filesize
93KB

MD5
09dac8343651a62e2eb76001acbe38a8

SHA1
fd5bbf9c160a1420d9a65ec6d5e83757bfca8829

SHA256
161d8c2911a1744aa11fa12f9e1081791d6a94faab64f4b0a14d70fd12ae77b1

SHA512
0c7bc18977e9454ad4325876cae6aa8fd8e669df8dd52d560b9d3fce5d1d5100f4d775cbe4deaa9d4e478d9d604570fd4dad5b0ef2844353dc0dccae441ab281

Download Submit
memory/1140-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2372-12-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2704-20-0x0000000000400000-0x00000000009D8000-memory.dmp

Filesize
5.8MB

Download
memory/2952-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2952-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing