ca246fd47f3db6baa87ff92b716cae1911f48c38abc594ec26f21610d9bff849

General

Target

7ff8c3459eb228c163b18c6aa8fb633f.exe
Size

699KB
MD5

7ff8c3459eb228c163b18c6aa8fb633f
SHA1

0b5d63ca6cdd728adf46ab02dcf08b3aa63a641c
SHA256

ca246fd47f3db6baa87ff92b716cae1911f48c38abc594ec26f21610d9bff849
SHA512

f294d09643238d30116008ab2f52f4616316d7d01496f429ab1018311cb73136f1c365e84abee129d1d602f8dc17082d83dce6a97d445230d7229f2a7f565ffa
SSDEEP

12288:bufgk5TDo0ceDZAKD3IqJmiqmr9/qtF3Z4mxxaoJwUp4YAMnf/Ur:Kfg+Dt9AKD3ZJmi/AQmXaouU+3d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3096	SERVER~1.EXE
4456	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ff8c3459eb228c163b18c6aa8fb633f.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hacker.com.cn.exe	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	SERVER~1.EXE
Token: SeDebugPrivilege	4456	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4456	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3096	3508	7ff8c3459eb228c163b18c6aa8fb633f.exe	84
PID 3508 wrote to memory of 3096	3508	7ff8c3459eb228c163b18c6aa8fb633f.exe	84
PID 3508 wrote to memory of 3096	3508	7ff8c3459eb228c163b18c6aa8fb633f.exe	84
PID 4456 wrote to memory of 3616	4456	Hacker.com.cn.exe	86
PID 4456 wrote to memory of 3616	4456	Hacker.com.cn.exe	86
PID 3096 wrote to memory of 2520	3096	SERVER~1.EXE	87
PID 3096 wrote to memory of 2520	3096	SERVER~1.EXE	87
PID 3096 wrote to memory of 2520	3096	SERVER~1.EXE	87

C:\Users\Admin\AppData\Local\Temp\7ff8c3459eb228c163b18c6aa8fb633f.exe
"C:\Users\Admin\AppData\Local\Temp\7ff8c3459eb228c163b18c6aa8fb633f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:2520

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
298KB

MD5
5168b7d1f11f899dbc899237c4ec329b

SHA1
86f3c2bbe371926c4ccfca68bfa686434b8ae082

SHA256
0ead2181026f9347fb67ab7fe569a2f5b5af0f55632a0ee9a0e59dce1501bfa3

SHA512
ed0306f862d31885516e8683564befa600641f47190db4a5b0340a19b80164c87899c038c7644827150bf2bf575f98d88f64c7462868f49f6daea1bc2bceeeb2

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
memory/3096-38-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3096-30-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/3508-16-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/3508-19-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3508-7-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3508-6-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3508-8-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3508-9-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3508-10-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3508-11-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/3508-12-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3508-13-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3508-14-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3508-15-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3508-0-0x0000000001000000-0x0000000001166000-memory.dmp

Filesize
1.4MB

Download
memory/3508-17-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3508-18-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3508-5-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3508-20-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3508-21-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3508-22-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3508-23-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3508-24-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3508-4-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3508-3-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3508-41-0x00000000008E0000-0x0000000000934000-memory.dmp

Filesize
336KB

Download
memory/3508-2-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3508-1-0x00000000008E0000-0x0000000000934000-memory.dmp

Filesize
336KB

Download
memory/3508-40-0x0000000001000000-0x0000000001166000-memory.dmp

Filesize
1.4MB

Download
memory/4456-35-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4456-42-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads