66349384c0eec6d6522913323e631b734d95f4b1d9a7bf858b40ad7d0a0dd99e

General

Target

5755efd4e347c9c30e898023adcb2ffe.exe
Size

419KB
MD5

5755efd4e347c9c30e898023adcb2ffe
SHA1

bb8792eef67cb4ee9c5d523e1bcaaea8fdbce2c5
SHA256

66349384c0eec6d6522913323e631b734d95f4b1d9a7bf858b40ad7d0a0dd99e
SHA512

4b3bba46b17248a4575e756cd7dadac9f0e6479547572699bfff880b504ca92e16775254073420df7d19c2bbaca657fe408aab61638f74d14559d99c2b310f86
SSDEEP

12288:0Z3/DYraQS9xo+BDL1qy54taMLKYzZx4V:6LYraQS9y+FL1bOtaMLjzZx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	system.cn

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	system.cn

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1992	5755efd4e347c9c30e898023adcb2ffe.exe
2020	system.cn

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system.cn	5755efd4e347c9c30e898023adcb2ffe.exe
File opened for modification	C:\Windows\system.cn	5755efd4e347c9c30e898023adcb2ffe.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	system.cn
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	system.cn
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0092000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system.cn
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F80674A-42C7-47B1-AFB1-EA923152C959}\WpadDecisionTime = a065e43c8f45da01	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F80674A-42C7-47B1-AFB1-EA923152C959}\WpadDecision = "0"	system.cn
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F80674A-42C7-47B1-AFB1-EA923152C959}\WpadNetworkName = "Network 3"	system.cn
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F80674A-42C7-47B1-AFB1-EA923152C959}\56-21-11-31-c3-46	system.cn
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-21-11-31-c3-46\WpadDecisionTime = a065e43c8f45da01	system.cn
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system.cn
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-21-11-31-c3-46	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-21-11-31-c3-46\WpadDecision = "0"	system.cn
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	system.cn
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	system.cn
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	system.cn
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F80674A-42C7-47B1-AFB1-EA923152C959}	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1F80674A-42C7-47B1-AFB1-EA923152C959}\WpadDecisionReason = "1"	system.cn
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	system.cn
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	system.cn
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system.cn
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-21-11-31-c3-46\WpadDecisionReason = "1"	system.cn
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	system.cn

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	5755efd4e347c9c30e898023adcb2ffe.exe
Token: SeDebugPrivilege	2020	system.cn

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2020	system.cn

C:\Users\Admin\AppData\Local\Temp\5755efd4e347c9c30e898023adcb2ffe.exe
"C:\Users\Admin\AppData\Local\Temp\5755efd4e347c9c30e898023adcb2ffe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system.cn
C:\Windows\system.cn
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system.cn

Filesize
419KB

MD5
5755efd4e347c9c30e898023adcb2ffe

SHA1
bb8792eef67cb4ee9c5d523e1bcaaea8fdbce2c5

SHA256
66349384c0eec6d6522913323e631b734d95f4b1d9a7bf858b40ad7d0a0dd99e

SHA512
4b3bba46b17248a4575e756cd7dadac9f0e6479547572699bfff880b504ca92e16775254073420df7d19c2bbaca657fe408aab61638f74d14559d99c2b310f86

Download Submit
memory/1992-0-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1992-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1992-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1992-9-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2020-6-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2020-7-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2020-10-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2020-13-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2020-19-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing