70ab1fddd149d8ed04a0318df09d6434303810029d5dd7cd11ef6108e54d278f

General

Target

49d0e9c0f44585b86e8f7b593e99c802.exe
Size

638KB
MD5

49d0e9c0f44585b86e8f7b593e99c802
SHA1

44a1779fa85c55f20a1498de71e3b3b047ec8db3
SHA256

70ab1fddd149d8ed04a0318df09d6434303810029d5dd7cd11ef6108e54d278f
SHA512

fa4e07883c568bb0b686d8c9e763a657857914107cd0ca62790dc7b2cf098d7dbdbcbc07ea30c4af6bb962ccea2d034966021b65363bbc00c61267803ae8ae95
SSDEEP

12288:szX8xULJkf2iM7rJ4syL+8DJzJ8WOkoI1FOdm1c2obY7poiLfKyf96ud63K:sAWLxd4syLtDkWmI1FOdEocSohkuMK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2108	4.exe
2844	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	49d0e9c0f44585b86e8f7b593e99c802.exe
1720	49d0e9c0f44585b86e8f7b593e99c802.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49d0e9c0f44585b86e8f7b593e99c802.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	4.exe
Token: SeDebugPrivilege	2844	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2108	1720	49d0e9c0f44585b86e8f7b593e99c802.exe	28
PID 1720 wrote to memory of 2108	1720	49d0e9c0f44585b86e8f7b593e99c802.exe	28
PID 1720 wrote to memory of 2108	1720	49d0e9c0f44585b86e8f7b593e99c802.exe	28
PID 1720 wrote to memory of 2108	1720	49d0e9c0f44585b86e8f7b593e99c802.exe	28
PID 2844 wrote to memory of 2704	2844	Hacker.com.cn.exe	30
PID 2844 wrote to memory of 2704	2844	Hacker.com.cn.exe	30
PID 2844 wrote to memory of 2704	2844	Hacker.com.cn.exe	30
PID 2844 wrote to memory of 2704	2844	Hacker.com.cn.exe	30

C:\Users\Admin\AppData\Local\Temp\49d0e9c0f44585b86e8f7b593e99c802.exe
"C:\Users\Admin\AppData\Local\Temp\49d0e9c0f44585b86e8f7b593e99c802.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2108

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
787KB

MD5
de560ab9c0078b51a784f39370a82420

SHA1
3492f27b19f28b04640699ae024bb122910522d6

SHA256
ad1b06deedda023426d01da6c3c48454d02045d2d23825ce77f699edee671699

SHA512
86183f468035b39279100b45ea9f1b317207dea15a73a61c0c881b748d3b3611a3b5057d1008a383cf93aed238dc6819ea4dfec11f8c3ba306ba4e9565cf2d2e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
704KB

MD5
e444965ff1ee6f31ee5dd022d9d1ee4f

SHA1
e3018638c5ceb4bd6e1dcc9b4da0a937add9b649

SHA256
ad7fd674e83f9c63dade4df778adcd55344e76482f77083b318722d1517fb5c4

SHA512
7f9e8fb80fefc7de6bdb047fe40e87cef0311e8d8fb3726b6c05257cf20c174738a9b1be578a399649ae526069a419283351fdb546f89d72190a353c52c21afb

Download Submit
memory/1720-7-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1720-18-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/1720-6-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1720-0-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/1720-5-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1720-3-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1720-8-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1720-9-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1720-2-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1720-4-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/1720-20-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/1720-31-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/1720-32-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2108-28-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2108-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2108-21-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2844-27-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2844-29-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads