bd2fc42023cb245d21498c5a80d777ff70ff7999a2d161e16b2e449038432ad8

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6618445dfeaa1bf57c1d61d4cdf98bc.exe
Size

712KB
MD5

b6618445dfeaa1bf57c1d61d4cdf98bc
SHA1

f24408a4405efd6c0d8046b7fa67b0069d2709b5
SHA256

bd2fc42023cb245d21498c5a80d777ff70ff7999a2d161e16b2e449038432ad8
SHA512

dee741d884297aca174d66ca96c371098132bb324d5040e74be963146f5105c6f34e64ebcaa9c733ead96e78c628ffaebc9f66e257fbd10e8e630bb6a08db94f
SSDEEP

12288:oT32nRMfInKh5UaEBTEdcuKBV72Mq7qh0r2zBJkTw1c2obY7qvgjRt1l0g:832n3C5hqwdpKB12Mq7pKV/ocXx0g

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2000	89.exe
2556	Hacker.com.cn.ini

Loads dropped DLL 3 IoCs

pid	Process
1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe
1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe
2000	89.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6618445dfeaa1bf57c1d61d4cdf98bc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Hacker.com.cn.ini

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.ini	89.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	89.exe
File created	C:\Windows\uninstal.bat	89.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-51-e3-63-31-20\WpadDecision = "0"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}\WpadDecisionTime = 50a38ead756fda01	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}\WpadDecisionReason = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}\WpadDecision = "0"	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-51-e3-63-31-20\WpadDecisionReason = "1"	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}\WpadNetworkName = "Network 3"	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Hacker.com.cn.ini
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-51-e3-63-31-20\WpadDetectedUrl	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-51-e3-63-31-20\WpadDecisionTime = 50a38ead756fda01	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-51-e3-63-31-20	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}\WpadDecisionTime = b00e6e7b756fda01	Hacker.com.cn.ini
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4A51B90-578D-4F42-8980-0E4F2E0AADC3}\02-51-e3-63-31-20	Hacker.com.cn.ini
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-51-e3-63-31-20\WpadDecisionTime = b00e6e7b756fda01	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Hacker.com.cn.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	89.exe
Token: SeDebugPrivilege	2556	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 1784 wrote to memory of 2000	1784	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	28
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2000 wrote to memory of 2416	2000	89.exe	30
PID 2556 wrote to memory of 2948	2556	Hacker.com.cn.ini	31
PID 2556 wrote to memory of 2948	2556	Hacker.com.cn.ini	31
PID 2556 wrote to memory of 2948	2556	Hacker.com.cn.ini	31
PID 2556 wrote to memory of 2948	2556	Hacker.com.cn.ini	31

C:\Users\Admin\AppData\Local\Temp\b6618445dfeaa1bf57c1d61d4cdf98bc.exe
"C:\Users\Admin\AppData\Local\Temp\b6618445dfeaa1bf57c1d61d4cdf98bc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2416

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
152B

MD5
c799b445928854e743af7cbcffcb51b6

SHA1
b46bc3d275c31a7d2f34a8f5b1053c616f588f7c

SHA256
dfd028445207bba1f2d410c6d6512c8825708762a4f610d4fa504549f5b6a96f

SHA512
3021d2ba62b2d8d14a1be2c469e7ff844ea4abb23770ddb15c59dfefab230ab147e2573a5d99c1f62207e20f03267ce953788ad7651706e5d134dcd7edbc4905

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe

Filesize
411KB

MD5
92f456b56baf54f813543981847aca06

SHA1
62d44ecbb19bd9116fba4d44d1ed9fa4c1c10c03

SHA256
75c6a684d53d25ef57ce983d337baf61a7218bfe02a61fb37473d3940dd9b7a9

SHA512
fd922413e6aa263babe6ebc33c7f3cd6046cbd5fca3f14eaff71f7d4fa4a5dd272972510d624c34cbf7f355e101eb7988c74941efd1158920ae921b86c127855

Download Submit
memory/1784-32-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/1784-1-0x00000000003E0000-0x0000000000430000-memory.dmp

Filesize
320KB

Download
memory/1784-2-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/1784-12-0x0000000002F00000-0x0000000002FCC000-memory.dmp

Filesize
816KB

Download
memory/1784-3-0x0000000002B10000-0x0000000002B13000-memory.dmp

Filesize
12KB

Download
memory/1784-33-0x00000000003E0000-0x0000000000430000-memory.dmp

Filesize
320KB

Download
memory/1784-0-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/2000-16-0x0000000000A60000-0x0000000000B2C000-memory.dmp

Filesize
816KB

Download
memory/2000-31-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2000-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-23-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2556-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-35-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2556-40-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads