Analysis
Max time kernel: 143s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 25-01-2024 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: 751adf5ecbf0e57c3870b117201bd97a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 751adf5ecbf0e57c3870b117201bd97a.exe
  Resource: win10v2004-20231215-en
General
Target: 751adf5ecbf0e57c3870b117201bd97a.exe
Size: 691KB
MD5: 751adf5ecbf0e57c3870b117201bd97a
SHA1: bf19f350bc8c3efb371feed74a08cfafffeb3037
SHA256: 4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215
SHA512: e487885ef268fad64b613bb234236e707fd7c9faf5208e2de1bf264a785c359ca3eb4a7449813df3d8b864ac61f65e69f0ee949100a0042e8b382fcc5c9bfbc6
SSDEEP: 12288:9LHAnRDs4sSZA+gxIhTQAYcGJScvcgVhrRQ6DqF3Z4mxxXoEtlK+kt9T2MRzE0:9LgK41Z+SdG3vRhrRQ6WQmX4GQ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes: 1.exe, Hacker.com.cn.exe
  pid 2724  1.exe
  pid 2852  Hacker.com.cn.exe
Loads dropped DLL (2 IoCs)
  Processes: 751adf5ecbf0e57c3870b117201bd97a.exe
  pid 2528  751adf5ecbf0e57c3870b117201bd97a.exe
  pid 2528  751adf5ecbf0e57c3870b117201bd97a.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 751adf5ecbf0e57c3870b117201bd97a.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: 751adf5ecbf0e57c3870b117201bd97a.exe)
Drops file in Windows directory (2 IoCs)
  Processes: 1.exe
  File created: C:\Windows\Hacker.com.cn.exe  (process: 1.exe)
  File opened for modification: C:\Windows\Hacker.com.cn.exe  (process: 1.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 1.exe, Hacker.com.cn.exe
  Token: SeDebugPrivilege  pid 2724  1.exe
  Token: SeDebugPrivilege  pid 2852  Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: Hacker.com.cn.exe
  pid 2852  Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 751adf5ecbf0e57c3870b117201bd97a.exe, Hacker.com.cn.exe
  PID 2528 (751adf5ecbf0e57c3870b117201bd97a.exe) wrote to memory of 2724 (1.exe)  (4 entries)
  PID 2852 (Hacker.com.cn.exe) wrote to memory of 916 (IEXPLORE.EXE)  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe  (PID 2528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe  (PID 2724, child of 2528)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\Hacker.com.cn.exe  (PID 2852)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 916, child of 2852)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe  (filesize 633KB)
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe  (filesize 327KB)
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe  (filesize 743KB)
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe  (filesize 555KB)