bd94e02ef57b48630052735deaf106ceb9cc46210c00861089edcc215f5922b2

General

Target

beff20e7865a5316ebc5c38656ab1d0d.exe
Size

636KB
MD5

beff20e7865a5316ebc5c38656ab1d0d
SHA1

0deb7eb0234c6e8248dfa2f0f0bd277cb30eda95
SHA256

bd94e02ef57b48630052735deaf106ceb9cc46210c00861089edcc215f5922b2
SHA512

cd3149f617d0b591f1a59d1e29e7d6bbd10511123b703ae15e7a5d439283d7ee4ea6e34285665aeaf1e5bf8d89e6f9062e86b517ce42c9b2de057219220bb59b
SSDEEP

12288:Qq9R/qQ/rf/yzNA3zbhLh7H1zeU1c2obY7CwbweS2vprIe:19dqQjf/yBA31l1zeWocOlGrIe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2908	4.exe
2672	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	beff20e7865a5316ebc5c38656ab1d0d.exe
1044	beff20e7865a5316ebc5c38656ab1d0d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	beff20e7865a5316ebc5c38656ab1d0d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	4.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	4.exe
Token: SeDebugPrivilege	2672	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2908	1044	beff20e7865a5316ebc5c38656ab1d0d.exe	28
PID 1044 wrote to memory of 2908	1044	beff20e7865a5316ebc5c38656ab1d0d.exe	28
PID 1044 wrote to memory of 2908	1044	beff20e7865a5316ebc5c38656ab1d0d.exe	28
PID 1044 wrote to memory of 2908	1044	beff20e7865a5316ebc5c38656ab1d0d.exe	28
PID 2672 wrote to memory of 2444	2672	Hacker.com.cn.exe	30
PID 2672 wrote to memory of 2444	2672	Hacker.com.cn.exe	30
PID 2672 wrote to memory of 2444	2672	Hacker.com.cn.exe	30
PID 2672 wrote to memory of 2444	2672	Hacker.com.cn.exe	30
PID 2908 wrote to memory of 2644	2908	4.exe	31
PID 2908 wrote to memory of 2644	2908	4.exe	31
PID 2908 wrote to memory of 2644	2908	4.exe	31
PID 2908 wrote to memory of 2644	2908	4.exe	31
PID 2908 wrote to memory of 2644	2908	4.exe	31
PID 2908 wrote to memory of 2644	2908	4.exe	31
PID 2908 wrote to memory of 2644	2908	4.exe	31

C:\Users\Admin\AppData\Local\Temp\beff20e7865a5316ebc5c38656ab1d0d.exe
"C:\Users\Admin\AppData\Local\Temp\beff20e7865a5316ebc5c38656ab1d0d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2644

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
787KB

MD5
4fe559e36f4cbabb80dfa5e1cff23758

SHA1
b05179a294b010bbc7d010ece77e3eb2779e5f79

SHA256
11fdb8df4544147de8d816e4cac41c5bfa8c17fa09289a7be4e96e0b4e518010

SHA512
d7906a6ce071ccf15789e77e9ca3ccdceea0b4dd632de78c5eb492b015c4d1ad0d21e949531019c3fd7244110241dca8f43b5142e9c06a8b96f083603b4ae851

Download Submit
memory/1044-7-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1044-42-0x00000000002A0000-0x00000000002F0000-memory.dmp

Filesize
320KB

Download
memory/1044-9-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1044-8-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1044-0-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/1044-6-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1044-5-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1044-2-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1044-13-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/1044-12-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1044-11-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1044-10-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1044-20-0x0000000002E90000-0x0000000002F5F000-memory.dmp

Filesize
828KB

Download
memory/1044-23-0x0000000002E90000-0x0000000002F5F000-memory.dmp

Filesize
828KB

Download
memory/1044-41-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/1044-1-0x00000000002A0000-0x00000000002F0000-memory.dmp

Filesize
320KB

Download
memory/1044-30-0x0000000001000000-0x0000000001104000-memory.dmp

Filesize
1.0MB

Download
memory/2672-29-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2672-31-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2672-44-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2672-46-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2908-40-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2908-22-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2908-24-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads