bd2fc42023cb245d21498c5a80d777ff70ff7999a2d161e16b2e449038432ad8

General

Target

b6618445dfeaa1bf57c1d61d4cdf98bc.exe
Size

712KB
MD5

b6618445dfeaa1bf57c1d61d4cdf98bc
SHA1

f24408a4405efd6c0d8046b7fa67b0069d2709b5
SHA256

bd2fc42023cb245d21498c5a80d777ff70ff7999a2d161e16b2e449038432ad8
SHA512

dee741d884297aca174d66ca96c371098132bb324d5040e74be963146f5105c6f34e64ebcaa9c733ead96e78c628ffaebc9f66e257fbd10e8e630bb6a08db94f
SSDEEP

12288:oT32nRMfInKh5UaEBTEdcuKBV72Mq7qh0r2zBJkTw1c2obY7qvgjRt1l0g:832n3C5hqwdpKB12Mq7pKV/ocXx0g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5056	89.exe
4176	Hacker.com.cn.ini

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6618445dfeaa1bf57c1d61d4cdf98bc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	89.exe
File created	C:\Windows\Hacker.com.cn.ini	89.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	89.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1560	5056	WerFault.exe	90
1660	4176	WerFault.exe	97

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	89.exe
Token: SeDebugPrivilege	4176	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4176	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 5056	3336	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	90
PID 3336 wrote to memory of 5056	3336	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	90
PID 3336 wrote to memory of 5056	3336	b6618445dfeaa1bf57c1d61d4cdf98bc.exe	90
PID 4176 wrote to memory of 2748	4176	Hacker.com.cn.ini	100
PID 4176 wrote to memory of 2748	4176	Hacker.com.cn.ini	100
PID 5056 wrote to memory of 3252	5056	89.exe	101
PID 5056 wrote to memory of 3252	5056	89.exe	101
PID 5056 wrote to memory of 3252	5056	89.exe	101

C:\Users\Admin\AppData\Local\Temp\b6618445dfeaa1bf57c1d61d4cdf98bc.exe
"C:\Users\Admin\AppData\Local\Temp\b6618445dfeaa1bf57c1d61d4cdf98bc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 540
    3⤵
    - Program crash
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5056 -ip 5056
1⤵
PID:2124

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 224
  2⤵
  - Program crash
  PID:1660
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4176 -ip 4176
1⤵
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\89.exe

Filesize
411KB

MD5
92f456b56baf54f813543981847aca06

SHA1
62d44ecbb19bd9116fba4d44d1ed9fa4c1c10c03

SHA256
75c6a684d53d25ef57ce983d337baf61a7218bfe02a61fb37473d3940dd9b7a9

SHA512
fd922413e6aa263babe6ebc33c7f3cd6046cbd5fca3f14eaff71f7d4fa4a5dd272972510d624c34cbf7f355e101eb7988c74941efd1158920ae921b86c127855

Download Submit
C:\Windows\uninstal.bat

Filesize
152B

MD5
c799b445928854e743af7cbcffcb51b6

SHA1
b46bc3d275c31a7d2f34a8f5b1053c616f588f7c

SHA256
dfd028445207bba1f2d410c6d6512c8825708762a4f610d4fa504549f5b6a96f

SHA512
3021d2ba62b2d8d14a1be2c469e7ff844ea4abb23770ddb15c59dfefab230ab147e2573a5d99c1f62207e20f03267ce953788ad7651706e5d134dcd7edbc4905

Download Submit
memory/3336-22-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/3336-0-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/3336-5-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3336-4-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3336-2-0x00000000008E0000-0x0000000000930000-memory.dmp

Filesize
320KB

Download
memory/3336-1-0x0000000001000000-0x00000000010BE000-memory.dmp

Filesize
760KB

Download
memory/3336-23-0x00000000008E0000-0x0000000000930000-memory.dmp

Filesize
320KB

Download
memory/3336-3-0x0000000002A20000-0x0000000002A23000-memory.dmp

Filesize
12KB

Download
memory/4176-18-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/4176-16-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4176-25-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5056-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5056-12-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/5056-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads