4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215

General

Target

751adf5ecbf0e57c3870b117201bd97a.exe
Size

691KB
MD5

751adf5ecbf0e57c3870b117201bd97a
SHA1

bf19f350bc8c3efb371feed74a08cfafffeb3037
SHA256

4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215
SHA512

e487885ef268fad64b613bb234236e707fd7c9faf5208e2de1bf264a785c359ca3eb4a7449813df3d8b864ac61f65e69f0ee949100a0042e8b382fcc5c9bfbc6
SSDEEP

12288:9LHAnRDs4sSZA+gxIhTQAYcGJScvcgVhrRQ6DqF3Z4mxxXoEtlK+kt9T2MRzE0:9LgK41Z+SdG3vRhrRQ6WQmX4GQ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

1.exeHacker.com.cn.exe

pid process

2724 1.exe
2852 Hacker.com.cn.exe
Loads dropped DLL 2 IoCs

Processes:

751adf5ecbf0e57c3870b117201bd97a.exe

pid process

2528 751adf5ecbf0e57c3870b117201bd97a.exe
2528 751adf5ecbf0e57c3870b117201bd97a.exe

pid	process
2724	1.exe
2852	Hacker.com.cn.exe

pid	process
2528	751adf5ecbf0e57c3870b117201bd97a.exe
2528	751adf5ecbf0e57c3870b117201bd97a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

751adf5ecbf0e57c3870b117201bd97a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	751adf5ecbf0e57c3870b117201bd97a.exe

Drops file in Windows directory 2 IoCs

Processes:

1.exe

description ioc process

File created C:\Windows\Hacker.com.cn.exe 1.exe
File opened for modification C:\Windows\Hacker.com.cn.exe 1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1.exeHacker.com.cn.exe

description pid process

Token: SeDebugPrivilege 2724 1.exe
Token: SeDebugPrivilege 2852 Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Hacker.com.cn.exe

pid process

2852 Hacker.com.cn.exe

description	ioc	process
File created	C:\Windows\Hacker.com.cn.exe	1.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	1.exe

description	pid	process
Token: SeDebugPrivilege	2724	1.exe
Token: SeDebugPrivilege	2852	Hacker.com.cn.exe

pid	process
2852	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

751adf5ecbf0e57c3870b117201bd97a.exeHacker.com.cn.exe

description	pid	process	target process
PID 2528 wrote to memory of 2724	2528	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 2528 wrote to memory of 2724	2528	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 2528 wrote to memory of 2724	2528	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 2528 wrote to memory of 2724	2528	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 2852 wrote to memory of 916	2852	Hacker.com.cn.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 916	2852	Hacker.com.cn.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 916	2852	Hacker.com.cn.exe	IEXPLORE.EXE
PID 2852 wrote to memory of 916	2852	Hacker.com.cn.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe
"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2852

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
633KB

MD5
87cd14e42463c615163b41722ead55b0

SHA1
377b0a72ab469a5cbdf0db33a77425a577934f56

SHA256
a5ae15466de97171d0c7c37f07380f8c53d30d52c1dc54b0e9bd9a171f3ef6c0

SHA512
0939587f2b6ec40768a6c24a6ef699ca89cb9ce31e7471ea22c5667798e4420b0c51420118c9bcf52e0c397746405114aab204b56bad1edad8c901e29b5d9349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
327KB

MD5
3b64923f450aaf62b72bc464748750ce

SHA1
fe37044804b5cbad6d8ceacdb6809033153cc7b0

SHA256
dc8cdb623a4c35bc6dd8f16ea1a5175111ec0c4a08a7e8181da3eb513c268f3a

SHA512
d9953d84f50b5a25acae179f1303140741c4d34ce01fab0d3cec51338fd1f3bd694733b34d24438d71f607edd40e95b960ba29ad41a2aa2f27a5b633c9726364

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
743KB

MD5
b98674a3b72348c8198b443719c9e730

SHA1
d167b93c2c8780286f605e952efdc1a974bb579e

SHA256
4ddf26da506428e92302815daee5803616aaf5361e0365eebc0899255b9aa53f

SHA512
32407bfa0f8cd1939617087e89c02402df8e2f18691957138c0bff846cc1e7aacd303b976d5fb13a318aa5d7fbad3e9486c1ce64848a5210a8ddd76acf0b82cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
555KB

MD5
424a13b36cdd7059ae8c5e94fd51a49a

SHA1
2cce49eeaa9a80ef065234e88dce2e10daa79bb5

SHA256
cbbcb1e1fe5e9d0fef5e335e7abe48874ceb9776abc36e559741334387592405

SHA512
7941bd133d62fc690a15b7fdd6808269e72ab2df62bb4b4767dc4776bd6b9d8c7ebb54d468f1460047006f8d972e34036c52953816e51121ae88aa4acb694e50

Download Submit
memory/2528-18-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2528-19-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2528-11-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2528-10-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2528-9-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2528-8-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2528-5-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2528-4-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2528-2-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2528-15-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2528-16-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2528-17-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2528-0-0x0000000001000000-0x00000000010BD000-memory.dmp

Filesize
756KB

Download
memory/2528-12-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2528-20-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2528-13-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2528-14-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/2528-3-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2528-36-0x0000000001000000-0x00000000010BD000-memory.dmp

Filesize
756KB

Download
memory/2528-1-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2528-37-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2724-35-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2724-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2852-33-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2852-38-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2852-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2852-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2852-44-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads