7b262ab0a0ac865ee929b33f0a77dd7af315c566c58fb3ed1e60b740a99bc960

General

Target

4305f76c08cdeaa949c7f4efc418f9a2.exe
Size

685KB
MD5

4305f76c08cdeaa949c7f4efc418f9a2
SHA1

ad2879785e3bd63c4d46609a5404af7971c2d0b7
SHA256

7b262ab0a0ac865ee929b33f0a77dd7af315c566c58fb3ed1e60b740a99bc960
SHA512

b79676b501ce80c4dda0e4e8361878a3299dfceda1e8ea0a6f675da4d6650209431fe6f27ae0ea043a4afe6bf703ba69bd440daa3e356725e56ffc7935322688
SSDEEP

12288:lrCx8y3OTknH5S+ycSWUAangtrJePiCmqbF3Z4mxxgCaQzwF:Xy3OTgH5FX8zZbQmXl7wF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2836	Server.exe
2632	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
868	4305f76c08cdeaa949c7f4efc418f9a2.exe
868	4305f76c08cdeaa949c7f4efc418f9a2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4305f76c08cdeaa949c7f4efc418f9a2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server.exe
File created	C:\Windows\uninstal.bat	Server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	Server.exe
Token: SeDebugPrivilege	2632	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2632	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2836	868	4305f76c08cdeaa949c7f4efc418f9a2.exe	16
PID 868 wrote to memory of 2836	868	4305f76c08cdeaa949c7f4efc418f9a2.exe	16
PID 868 wrote to memory of 2836	868	4305f76c08cdeaa949c7f4efc418f9a2.exe	16
PID 868 wrote to memory of 2836	868	4305f76c08cdeaa949c7f4efc418f9a2.exe	16
PID 2632 wrote to memory of 2652	2632	Hacker.com.cn.exe	19
PID 2632 wrote to memory of 2652	2632	Hacker.com.cn.exe	19
PID 2632 wrote to memory of 2652	2632	Hacker.com.cn.exe	19
PID 2632 wrote to memory of 2652	2632	Hacker.com.cn.exe	19
PID 2836 wrote to memory of 2664	2836	Server.exe	18
PID 2836 wrote to memory of 2664	2836	Server.exe	18
PID 2836 wrote to memory of 2664	2836	Server.exe	18
PID 2836 wrote to memory of 2664	2836	Server.exe	18
PID 2836 wrote to memory of 2664	2836	Server.exe	18
PID 2836 wrote to memory of 2664	2836	Server.exe	18
PID 2836 wrote to memory of 2664	2836	Server.exe	18

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  PID:2664

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2652

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe
"C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
44KB

MD5
acd3d6b7e571aea36a0894cd31d8960c

SHA1
61b9303d64ed1087921bb60185ad8f55264dd29e

SHA256
ed17bd488f06b316f2c752fc8213bb9c63cb9ab0e62215ba065ee799f4304775

SHA512
623b4401e63cf7f5858c6b3912418d7f7a6703cfe907cd23b454430296faff9e814200f28c46e5f75a818574a8090b8131434cf140596cde5302adbfd4e6c519

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
64KB

MD5
0d0ba42db85c8c97ff02117f16cf23e7

SHA1
cdbe7a30d86f0c793fe4dd445242eb357a271d3b

SHA256
8d5551cd72e8845ecd710da1af3c4cb0d2e5bf3b56596343cfe382306a260f73

SHA512
4ce188926a0b64dddd2bf5dc821835baf7b7c1cbe29053b9f5728264e099fa669a263f7964d1f5c50e5dee445a87f4b1f87055abf7b205825d286376225c7ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
28KB

MD5
e7107253b75ba91688392c2744fa983a

SHA1
da61a78d2bfcf4899c74ae17f4a5c328eb00a30f

SHA256
a3c04b247f411ce729a088ba92fb7807e93e52dae0267adf855f44eff12d4759

SHA512
712c51bbbe5048a04abdc727a23a3b241f3819cff9860526caa4f6aa29fd90024f168f3ad2422740e02e05e4b438ccebeef2398605252ef2af05f1d7bee3cf84

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
31KB

MD5
ff373fa37314d015a7751f78dc17d532

SHA1
212fad5faed1e2ed8513526d7799d7486c2f0ee8

SHA256
5b031a7a9c3c243b166a52c841201025f9dab0ac1cabe165a00ed8daad8dc274

SHA512
e055016475a16f232701d83764909e8b6d7e97d42fb64b3afb6bad72e9f2d2d5dc70fb1eb572348a475c3ad1744377288067929a7a0983bce86fc1fe6254dc47

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
17KB

MD5
e32ed57962d89f4be67ef6229f51ac62

SHA1
2de7d5bb1b329e5dd9df700a19d4da33ed4819ba

SHA256
ea0802429cdc5006b404f2eac67bab65eafe4b986d850eb94bfb8575c190bc82

SHA512
07d86c464c1cd698ffa2cbe9eb9a6b2e9c0ec6c995331f3578dfdc06c8f0d0eea9033c377f4447ac1344d5a290a3412f4c64ab30d38c9e9749ab9106d0c89283

Download Submit
C:\Windows\uninstal.bat

Filesize
160B

MD5
69e01c599950b5caf5cd7ec972f89682

SHA1
2d34ceced77c1f86417c00f706e06cc902b11e3b

SHA256
b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e

SHA512
48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
120KB

MD5
3a15e1126f040c91ee623381890acd88

SHA1
4766d7853318bcd1630fb9d537d0f1fe440818db

SHA256
14e2834f7d184542bcb9dafe1377d5ebf47810de4f25e5e87ad0d1f005c47a85

SHA512
093fc9537f7028a9814980e7d1f98feb5085058043fda4571507e67f55d5af04e01285c7d576fee537c18d8b89e05fac695d39e5352408671795c7c53bc4affb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
92KB

MD5
75ec3ea5880362fe2a3963ca34231432

SHA1
98aa4ec3daf400b5470ad0c54d3e226b82d93f03

SHA256
ea1b7a0a8a541be9b3a21e3112ea20f3229ff75b48fa1bf608314c956e92921a

SHA512
284178d3c6757b6fb970ea3e41b126d8eb552f5009d9a4eae8b9aafb923d4f951c4e3197b20ac23ef37aea6cfbddb499a3ef4fd84362b740091ff10c46d27df7

Download Submit
memory/868-11-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/868-8-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/868-21-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/868-20-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/868-19-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/868-18-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/868-17-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/868-16-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/868-15-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/868-14-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/868-13-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/868-12-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/868-3-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/868-10-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/868-9-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/868-22-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/868-7-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/868-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/868-5-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/868-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/868-49-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/868-23-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/868-50-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/868-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/868-1-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/868-24-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/868-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2632-48-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2632-52-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2632-56-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2836-37-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2836-47-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads