cf29a82a5b1592480fef0ef8f5a3ccc49721cebd64bfc0932a2709eeecaffd13

Reason

Machine shutdown

General

Target

9b1fbfd63513103ee14c85f72db99c96.exe
Size

685KB
MD5

9b1fbfd63513103ee14c85f72db99c96
SHA1

83df19cfd98ff18cde9a5335f00c96b87ba64284
SHA256

cf29a82a5b1592480fef0ef8f5a3ccc49721cebd64bfc0932a2709eeecaffd13
SHA512

06a70b75a69d8f38ebf87fadb377dab34c5306a87fa352eddd1c39528456f286f37189f4190a62f2d388b8de937414a217f17bd7168ee31f713d27f270c25123
SSDEEP

12288:3rJ7482eDChzUlPY7oMDmzZ0FDAhCF3Z4mxxqi4Fv81knkstG:7Jk82e+ax1MDs0FDAUQmXtRku

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2836	SERVER~1.EXE
2720	Hacker.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	9b1fbfd63513103ee14c85f72db99c96.exe
2080	9b1fbfd63513103ee14c85f72db99c96.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b1fbfd63513103ee14c85f72db99c96.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.exe	SERVER~1.EXE
File opened for modification	C:\Windows\Hacker.exe	SERVER~1.EXE
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	SERVER~1.EXE
Token: SeDebugPrivilege	2720	Hacker.exe
Token: SeShutdownPrivilege	2080	9b1fbfd63513103ee14c85f72db99c96.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	Hacker.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2836	2080	9b1fbfd63513103ee14c85f72db99c96.exe	28
PID 2080 wrote to memory of 2836	2080	9b1fbfd63513103ee14c85f72db99c96.exe	28
PID 2080 wrote to memory of 2836	2080	9b1fbfd63513103ee14c85f72db99c96.exe	28
PID 2080 wrote to memory of 2836	2080	9b1fbfd63513103ee14c85f72db99c96.exe	28
PID 2720 wrote to memory of 1756	2720	Hacker.exe	30
PID 2720 wrote to memory of 1756	2720	Hacker.exe	30
PID 2720 wrote to memory of 1756	2720	Hacker.exe	30
PID 2720 wrote to memory of 1756	2720	Hacker.exe	30
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31
PID 2836 wrote to memory of 2776	2836	SERVER~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe
"C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2776

C:\Windows\Hacker.exe
C:\Windows\Hacker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
743KB

MD5
b2e9487a4c2f70600bb28e6dccd8ffeb

SHA1
1044b1d7151381f734e243b453742dba00f64f84

SHA256
f00029218cf5e01fd386fc84a854d39bd35068cffe0035104832836428f0a207

SHA512
d89b77770cab9cac697ca193aa42271c8d7cf7e09a1e3c6231db957d44d753b521b09a862294fee96ac0ea85c207d1a8a005317081c072df8332f22530245105

Download Submit
memory/2080-2-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2080-3-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2080-8-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2080-7-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2080-6-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2080-5-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2080-4-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2080-36-0x0000000001000000-0x000000000110E000-memory.dmp

Filesize
1.1MB

Download
memory/2080-0-0x0000000001000000-0x000000000110E000-memory.dmp

Filesize
1.1MB

Download
memory/2080-10-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2080-37-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/2080-9-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/2228-39-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2584-38-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2720-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2720-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2720-41-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2720-42-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2836-34-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2836-20-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads