7b262ab0a0ac865ee929b33f0a77dd7af315c566c58fb3ed1e60b740a99bc960

Analysis

max time kernel
161s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4305f76c08cdeaa949c7f4efc418f9a2.exe
Size

685KB
MD5

4305f76c08cdeaa949c7f4efc418f9a2
SHA1

ad2879785e3bd63c4d46609a5404af7971c2d0b7
SHA256

7b262ab0a0ac865ee929b33f0a77dd7af315c566c58fb3ed1e60b740a99bc960
SHA512

b79676b501ce80c4dda0e4e8361878a3299dfceda1e8ea0a6f675da4d6650209431fe6f27ae0ea043a4afe6bf703ba69bd440daa3e356725e56ffc7935322688
SSDEEP

12288:lrCx8y3OTknH5S+ycSWUAangtrJePiCmqbF3Z4mxxgCaQzwF:Xy3OTgH5FX8zZbQmXl7wF

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3152	Server.exe
3616	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4305f76c08cdeaa949c7f4efc418f9a2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server.exe
File created	C:\Windows\uninstal.bat	Server.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	Server.exe
Token: SeDebugPrivilege	3616	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3616	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 3152	608	4305f76c08cdeaa949c7f4efc418f9a2.exe	92
PID 608 wrote to memory of 3152	608	4305f76c08cdeaa949c7f4efc418f9a2.exe	92
PID 608 wrote to memory of 3152	608	4305f76c08cdeaa949c7f4efc418f9a2.exe	92
PID 3616 wrote to memory of 3972	3616	Hacker.com.cn.exe	97
PID 3616 wrote to memory of 3972	3616	Hacker.com.cn.exe	97
PID 3152 wrote to memory of 3764	3152	Server.exe	98
PID 3152 wrote to memory of 3764	3152	Server.exe	98
PID 3152 wrote to memory of 3764	3152	Server.exe	98

C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe
"C:\Users\Admin\AppData\Local\Temp\4305f76c08cdeaa949c7f4efc418f9a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3764

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
743KB

MD5
568521c849079c94e09c7b82be334831

SHA1
2c72a5898e14c6020cfe501cb159bf71666a67f2

SHA256
a5ac468e5e9b8ba9624f6b34455f359d09bc82b6d9056f1ed4090625cdc4325e

SHA512
cfe971c59d46cd50540f913be5b7290a20362b7a218a11e06e23835e4a9b5a997b25da3a64ae72753f9c5dd30fbae8d982bfbf2fd321070db626ea357cf534e9

Download Submit
C:\Windows\uninstal.bat

Filesize
160B

MD5
69e01c599950b5caf5cd7ec972f89682

SHA1
2d34ceced77c1f86417c00f706e06cc902b11e3b

SHA256
b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e

SHA512
48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9

Download Submit
memory/608-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/608-1-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/608-2-0x00000000006D0000-0x0000000000724000-memory.dmp

Filesize
336KB

Download
memory/608-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/608-4-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/608-5-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/608-7-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/608-10-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-43-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/608-44-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-45-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-46-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-42-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/608-41-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/608-40-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/608-39-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/608-38-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-37-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/608-36-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/608-35-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/608-34-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/608-33-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/608-32-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/608-31-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/608-30-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/608-29-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-28-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-27-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-26-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-25-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-24-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-23-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-22-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-21-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-20-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-19-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-18-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-17-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-16-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-15-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-14-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-13-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/608-12-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-11-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/608-8-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/608-9-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/608-6-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/608-48-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-47-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-49-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-51-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-53-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-52-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-50-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-55-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-54-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-56-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-57-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-58-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-59-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-60-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-61-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-62-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-63-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-64-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/608-100-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/608-111-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/3152-110-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads