738a3d1d51554e6478b58dfc5c7b562964061cec79a3e29942699d37949bea4b

General

Target

2397467adbc5766b0bb32b034df73af0.exe
Size

688KB
MD5

2397467adbc5766b0bb32b034df73af0
SHA1

31e3a64320254117ac6640ee93ce2e55a6720d34
SHA256

738a3d1d51554e6478b58dfc5c7b562964061cec79a3e29942699d37949bea4b
SHA512

9c3787b1ed1fd689fd2013a040cc778779378a07217676eb795d602d2dab14f720487cddc2665a045fbe4b912ee92b90b0a9b637a053bc74ece74e66f8a04479
SSDEEP

12288:V/TP+KWs0eJXK9LP1QAjPJr5iEF3Z4mxx8DqVTVOCy:VrGK6gXGLtQ2PJroEQmXbVTzy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2916	1.exe
2900	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	2397467adbc5766b0bb32b034df73af0.exe
2280	2397467adbc5766b0bb32b034df73af0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2397467adbc5766b0bb32b034df73af0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	1.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	1.exe
Token: SeDebugPrivilege	2900	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2916	2280	2397467adbc5766b0bb32b034df73af0.exe	28
PID 2280 wrote to memory of 2916	2280	2397467adbc5766b0bb32b034df73af0.exe	28
PID 2280 wrote to memory of 2916	2280	2397467adbc5766b0bb32b034df73af0.exe	28
PID 2280 wrote to memory of 2916	2280	2397467adbc5766b0bb32b034df73af0.exe	28
PID 2900 wrote to memory of 2876	2900	Hacker.com.cn.exe	30
PID 2900 wrote to memory of 2876	2900	Hacker.com.cn.exe	30
PID 2900 wrote to memory of 2876	2900	Hacker.com.cn.exe	30
PID 2900 wrote to memory of 2876	2900	Hacker.com.cn.exe	30

C:\Users\Admin\AppData\Local\Temp\2397467adbc5766b0bb32b034df73af0.exe
"C:\Users\Admin\AppData\Local\Temp\2397467adbc5766b0bb32b034df73af0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
756KB

MD5
e1d7d41f4eca27beca09c3f31e0c2e70

SHA1
b6270b13bfebd111a37498f9379fae5d6225fcdb

SHA256
12640de72fd9d5a1d7293e33556552f8e77dd1f2ea545dde825490d5e112e1a1

SHA512
fa9794a021cff0791ac21a3cce99c41812e1ea8845046fc55b926490ff43da44723997eb0405a00c12106700fc7b60129e1a8aa1765cc1e48037dd54dbf59c54

Download Submit
memory/2280-9-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2280-21-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2280-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2280-19-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2280-18-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2280-17-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2280-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2280-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2280-14-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2280-12-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2280-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2280-23-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2280-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2280-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2280-22-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2280-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2280-13-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2280-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2280-24-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2280-25-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2280-26-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x00000000002F0000-0x0000000000344000-memory.dmp

Filesize
336KB

Download
memory/2280-43-0x00000000002F0000-0x0000000000344000-memory.dmp

Filesize
336KB

Download
memory/2280-42-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2900-40-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2900-44-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2900-45-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2900-46-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2900-50-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2916-41-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2916-34-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads