516c89f50dbead71086c9ace225d93e44cfc4cdc766eee260b862e6f8c54effc

General

Target

028d30baa392ded38f2bcae455a176f7.exe
Size

636KB
MD5

028d30baa392ded38f2bcae455a176f7
SHA1

ab5a81efd31fda615a65cbce951df710f1ffbc27
SHA256

516c89f50dbead71086c9ace225d93e44cfc4cdc766eee260b862e6f8c54effc
SHA512

a8262147b476090c1869f4ca4308624a3f3fc43a1cc04d857c7e1c9ed9d7d4a8dbf49eea285b0b8df6b23e81c4f3b1a515120b31b628e23d2523ee2f707787a9
SSDEEP

12288:LDrMEFm5VXlLmFCacTfCPLBEGeASVf0/c1c2obY7m5d/QOUrZkavgxT:LUSKVBUCaWfCPCxVc/+ocISr+L5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4108	4.exe
1300	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	028d30baa392ded38f2bcae455a176f7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	4.exe
Token: SeDebugPrivilege	1300	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1300	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 4108	652	028d30baa392ded38f2bcae455a176f7.exe	89
PID 652 wrote to memory of 4108	652	028d30baa392ded38f2bcae455a176f7.exe	89
PID 652 wrote to memory of 4108	652	028d30baa392ded38f2bcae455a176f7.exe	89
PID 1300 wrote to memory of 3124	1300	Hacker.com.cn.exe	92
PID 1300 wrote to memory of 3124	1300	Hacker.com.cn.exe	92
PID 4108 wrote to memory of 2832	4108	4.exe	94
PID 4108 wrote to memory of 2832	4108	4.exe	94
PID 4108 wrote to memory of 2832	4108	4.exe	94

C:\Users\Admin\AppData\Local\Temp\028d30baa392ded38f2bcae455a176f7.exe
"C:\Users\Admin\AppData\Local\Temp\028d30baa392ded38f2bcae455a176f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:2832

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
787KB

MD5
a30336d371608f71943393ddb200d32c

SHA1
f268b8699aceb9e991e3666cac8742348549f0fa

SHA256
c88d942555db5f17f13fa05c332cbc58715b082c095798416f1fe7e35258fe14

SHA512
6f4e8afef425811f130e5946377d87db38c4fd90ab96c4428685c59f8f32f8c2a5cb84844bc40c3f70735927fea7c0c8ce9f9d25a55435befd888fbe756dbdc5

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
memory/652-7-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/652-25-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/652-8-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/652-0-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/652-5-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/652-6-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/652-4-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/652-3-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/652-2-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/652-1-0x00000000006A0000-0x00000000006F0000-memory.dmp

Filesize
320KB

Download
memory/652-26-0x00000000006A0000-0x00000000006F0000-memory.dmp

Filesize
320KB

Download
memory/652-9-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1300-21-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1300-28-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/1300-29-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4108-24-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/4108-16-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4108-14-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads