516c89f50dbead71086c9ace225d93e44cfc4cdc766eee260b862e6f8c54effc

General

Target

028d30baa392ded38f2bcae455a176f7.exe
Size

636KB
MD5

028d30baa392ded38f2bcae455a176f7
SHA1

ab5a81efd31fda615a65cbce951df710f1ffbc27
SHA256

516c89f50dbead71086c9ace225d93e44cfc4cdc766eee260b862e6f8c54effc
SHA512

a8262147b476090c1869f4ca4308624a3f3fc43a1cc04d857c7e1c9ed9d7d4a8dbf49eea285b0b8df6b23e81c4f3b1a515120b31b628e23d2523ee2f707787a9
SSDEEP

12288:LDrMEFm5VXlLmFCacTfCPLBEGeASVf0/c1c2obY7m5d/QOUrZkavgxT:LUSKVBUCaWfCPCxVc/+ocISr+L5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2184	4.exe
2892	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1052	028d30baa392ded38f2bcae455a176f7.exe
1052	028d30baa392ded38f2bcae455a176f7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	028d30baa392ded38f2bcae455a176f7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	4.exe
Token: SeDebugPrivilege	2892	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2892	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2184	1052	028d30baa392ded38f2bcae455a176f7.exe	14
PID 1052 wrote to memory of 2184	1052	028d30baa392ded38f2bcae455a176f7.exe	14
PID 1052 wrote to memory of 2184	1052	028d30baa392ded38f2bcae455a176f7.exe	14
PID 1052 wrote to memory of 2184	1052	028d30baa392ded38f2bcae455a176f7.exe	14
PID 2892 wrote to memory of 2764	2892	Hacker.com.cn.exe	29
PID 2892 wrote to memory of 2764	2892	Hacker.com.cn.exe	29
PID 2892 wrote to memory of 2764	2892	Hacker.com.cn.exe	29
PID 2892 wrote to memory of 2764	2892	Hacker.com.cn.exe	29
PID 2184 wrote to memory of 2720	2184	4.exe	32
PID 2184 wrote to memory of 2720	2184	4.exe	32
PID 2184 wrote to memory of 2720	2184	4.exe	32
PID 2184 wrote to memory of 2720	2184	4.exe	32
PID 2184 wrote to memory of 2720	2184	4.exe	32
PID 2184 wrote to memory of 2720	2184	4.exe	32
PID 2184 wrote to memory of 2720	2184	4.exe	32

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  PID:2720

C:\Users\Admin\AppData\Local\Temp\028d30baa392ded38f2bcae455a176f7.exe
"C:\Users\Admin\AppData\Local\Temp\028d30baa392ded38f2bcae455a176f7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1052

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2764

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
48KB

MD5
b6df3f6daaf4b09ad7028460e444bdfc

SHA1
01ea49a63c896520e4cc9144e3187ac198527bfe

SHA256
2ee0824785355d3198f9e4818bc26b8aa8dc39cb52efa587e3ef394394c17822

SHA512
dd2f58f43c4db36c0c4bc51629b03d54294cfa2a2d5e9e7a2402cbffcffcf88fcdb2a62ee03a1dd68bc0aa01b022e46024cbeb2f44f4b40cb52a57339e1a51c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
10KB

MD5
bf2be90cb145cc9ef8e87a89902afcb3

SHA1
974d86fd6080989a70dba2b359b4d2e187bd5d1f

SHA256
b03d451d6e53006ad7fb7e932c08369842f971424a6f86d40790e95242fb5f42

SHA512
ce0066bd9281aa4de0be8e46ebf2c34cb8fa32a3fed8d30400e92124b10aa112b46bd3fa62d2ace48c0b32018f6650105a578a3a2cd5e4a1e1a2f5b422043b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
97KB

MD5
e9468be90d74409a43e2a2c65e7f319d

SHA1
f7db6890c21615ad8330c0489b09f3d799e88c7e

SHA256
f9f8b58c03ac6c787a044b1a0e2cdd39cccb52b7ba65860450bd931cda99bd0e

SHA512
48eaa76ce94560f6e616242c371aa5183a702cfcc19084a711bce79c3f78c979c05f441fed7459ab8af9930093691c76e87f03f466b25e897cf1569da20832f9

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
85KB

MD5
0286c1932e40010d3815e9204b3f4220

SHA1
b928c16af90bb67d515ccf00148707aca9d6ff4d

SHA256
c0eb4c6fb791ff589dc72e0f0f502471671ff4a4a1bf50ca579c00c86eafaffa

SHA512
a5401488933258a5a33e8ef45ca8b34c71beed72756a397495f132199af8a40750a3e49051234a14579605850cbfd478fb445dfcc8ba79a5d5f648f34e18be6f

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
73KB

MD5
2c92a846e773de797f306f313ae9f8b1

SHA1
04ceccbf2abb1b9e60ffb6e6c6da4d30777c7b67

SHA256
456e7c6d574e7766716dc071ad13b9326c4673188167fa10e899542763424d82

SHA512
3e0e6e0a253fe26cb97aa3c6a6042d8c525c749f059f485ef92e31bf7e536a8485b2b6a2345c9c09ad30800531ca1d0716a00448a19e62f76d7b92c9ba6a9aff

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
66KB

MD5
87e775a46f10b498ece22f920c13ac09

SHA1
a3a8b96225fbe1d1cb77cafc1a9ff51c9815c285

SHA256
3b8be1b500d58aa063bceae307651792d6485d6388425f751116c78a23d72afa

SHA512
5f577605c8f8d76a27b00d45300e1aa480859be8525ed14e06a15866cab3820443a1b528573b9479a3a3a57c1f805d1bc6b4d1d6ea4bcc69f1b3620de0ebbdb1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
52KB

MD5
719c986b95585341b93985a3c5b45a6e

SHA1
6f665b3b8590dc6a7c91dc18470f6651c7d0f0d0

SHA256
28f7e9695f305c71bdc5ca770bd25efb6a3af3be708a294062777c7561ebf9da

SHA512
214f08830fefdedbfa18eea009993616684d7cef773ad4688a27a6a7ea9cf99fd4e209de40d13bbc5f6df379b3051b4511aeed1396f42474a5ad9d8e63e0b776

Download Submit
memory/1052-18-0x0000000002E40000-0x0000000002F0F000-memory.dmp

Filesize
828KB

Download
memory/1052-38-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/1052-20-0x0000000002E40000-0x0000000002F0F000-memory.dmp

Filesize
828KB

Download
memory/1052-7-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1052-6-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1052-5-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1052-4-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1052-3-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1052-2-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1052-1-0x0000000000350000-0x00000000003A0000-memory.dmp

Filesize
320KB

Download
memory/1052-0-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/1052-9-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1052-8-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2184-25-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2184-21-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2184-37-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2892-27-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2892-29-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2892-40-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2892-41-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2892-43-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2892-47-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads