b3b684904a61c87001ff0ff19ddbfd07410d4d224097c9cfa30feba91f7a0eb0

General

Target

87dda89cfa280497c6cff544dcd4c4ba.exe
Size

688KB
MD5

87dda89cfa280497c6cff544dcd4c4ba
SHA1

f915d276d3b04bb3d875b7e795423a6100108111
SHA256

b3b684904a61c87001ff0ff19ddbfd07410d4d224097c9cfa30feba91f7a0eb0
SHA512

0abb050c441a2b74c1b95ae3e09e10d9f0505693bef52987a7e8196c6e6b405b42666e1b85f77bc3f058560a4ae23f0f6c39612c21daac6c793870706d8da2cb
SSDEEP

12288:xAQxS1qPBfvhFzMiAplPozy/SZoKF3Z4mxxKoEtlK+kt9T2M8:ZSUJvhFAdo2/yoKQmXDG9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1560	system.exe
1928	360tray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87dda89cfa280497c6cff544dcd4c4ba.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	system.exe
File created	C:\Windows\360tray.exe	system.exe
File opened for modification	C:\Windows\360tray.exe	system.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	360tray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	360tray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	360tray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	360tray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	360tray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	system.exe
Token: SeDebugPrivilege	1928	360tray.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1928	360tray.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 1560	708	87dda89cfa280497c6cff544dcd4c4ba.exe	15
PID 708 wrote to memory of 1560	708	87dda89cfa280497c6cff544dcd4c4ba.exe	15
PID 708 wrote to memory of 1560	708	87dda89cfa280497c6cff544dcd4c4ba.exe	15
PID 1560 wrote to memory of 1388	1560	system.exe	49
PID 1560 wrote to memory of 1388	1560	system.exe	49
PID 1560 wrote to memory of 1388	1560	system.exe	49
PID 1928 wrote to memory of 5044	1928	360tray.exe	50
PID 1928 wrote to memory of 5044	1928	360tray.exe	50

C:\Users\Admin\AppData\Local\Temp\87dda89cfa280497c6cff544dcd4c4ba.exe
"C:\Users\Admin\AppData\Local\Temp\87dda89cfa280497c6cff544dcd4c4ba.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:1388

C:\Program Files\Internet ExploreR\iexplore.exe
"C:\Program Files\Internet ExploreR\iexplore.exe"
1⤵
PID:5044

C:\Windows\360tray.exe
C:\Windows\360tray.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe

Filesize
75KB

MD5
7f8f3936309282e39ad667a080376917

SHA1
57c40b978309859e19e9a4f03b813ce302f88a07

SHA256
2b8fced31cc16ff5a87301fb5ca919a0b987ab472408375515643737af440f3c

SHA512
b87fcbb4b3dd4d3da16822d11e63080513bb59620990195092e361eb4bef6ce04a039b85c986a839ddd36599b8a805c93f9d03fb89ac384c0f305e5c83135fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\system.exe

Filesize
49KB

MD5
86a67d695f4c6ce8df9b60fd11a147e6

SHA1
26d09b230e94cb59aeb7605bf93fb6dfd93ba29e

SHA256
946a2ac599f308d63d7ee673741ad3c137a351ea653dbc331cabb5a3384476a7

SHA512
50696ec653f977ba87d0b2c583a6a07923660c1914f707e42f5f67792b44f055d0a3668245ee76e3780e434855275d1e9f5004e47c8696cd5dc6badb39529c6c

Download Submit
C:\Windows\360tray.exe

Filesize
18KB

MD5
0145de162d0e36de0eeed28a6c74ada6

SHA1
0ce897763e1d5d448e5a26fc353f17796aefa808

SHA256
93c77005f8df313b6e242ef6511548a879a978c44b0d50880ce9c24a3e1082da

SHA512
5f073d219bc11fdd5164799ea1b73488e3d91462afa53ee415042752462c2fdaba2a64d982a6f9330779c836f8f7c22ff172914473fb9ee8f4e5f4fe3d0ef0ea

Download Submit
C:\Windows\360tray.exe

Filesize
195KB

MD5
4676639c112ce7fe28448f64e3b9cb18

SHA1
cb4b630f764bb8371cf8d4a8ba538c6560d19520

SHA256
2298ba6735ab2e8c91fc9dbe60f97a25a9af5d4289f664781110f35111622161

SHA512
002f30a82828460952dc8d69f1cbd97fc2020448ab9153a91a2073b0448493fa94bd4fd272d6e7ed8b68d3cc329ef62ee2c8ef468d66f59d903d60d633ff6396

Download Submit
C:\Windows\360tray.exe

Filesize
126KB

MD5
a65d1a34af01f24b11c6e13f1229c857

SHA1
529df59ab3ab432c031542008c77d3e4a4e75760

SHA256
06b528a4b55d26e9eaa2cc244211993a84789723d8d7bd2e491efb3fb89b29fe

SHA512
c139a4fe74727281de5c641b88cdc4b1fad1d33eb1cc96834f9a834124946db8cf3f069731de4db90b36e32aed381394e73ccda00873fa55ed4211e07a011182

Download Submit
C:\Windows\uninstal.bat

Filesize
160B

MD5
39e2f5f2febf13c001df320853c06bbc

SHA1
c500b67ca755a97060398f50491f3217e216c9a3

SHA256
fb76a588ad019882a45aeed8dbe5f82223797aa923b02a19110c4f55f78586a6

SHA512
94890ab2edbcd884d6dad6d36543e6497e3e8146b950f484d97f3f4786da16169385d79a293bb2f92621ac9cfa9dbf149ad6c96dce8e2430b58d2d361b940c8b

Download Submit
memory/708-2-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/708-6-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/708-15-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/708-14-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/708-13-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/708-12-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/708-11-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/708-10-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/708-9-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/708-8-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/708-7-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/708-0-0x0000000001000000-0x000000000110F000-memory.dmp

Filesize
1.1MB

Download
memory/708-5-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/708-4-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/708-3-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/708-1-0x0000000000570000-0x00000000005C4000-memory.dmp

Filesize
336KB

Download
memory/708-33-0x0000000000570000-0x00000000005C4000-memory.dmp

Filesize
336KB

Download
memory/708-16-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/708-32-0x0000000001000000-0x000000000110F000-memory.dmp

Filesize
1.1MB

Download
memory/708-17-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-31-0x0000000000400000-0x00000000004D1200-memory.dmp

Filesize
836KB

Download
memory/1560-25-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1928-30-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1928-35-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads