e8b89a1e4926e1f6d5681fd71d56dfdf6495c5a4059a81572132ac588af1c144

General

Target

c369ed3971e8d0440c6f004d113c8f14.exe
Size

772KB
MD5

c369ed3971e8d0440c6f004d113c8f14
SHA1

6787c89971ca208b92eb137e7cb69cd13517e516
SHA256

e8b89a1e4926e1f6d5681fd71d56dfdf6495c5a4059a81572132ac588af1c144
SHA512

9cb2e95a89401429b84d9413704eb7e7d1ee3c6394ce6c2e0b1d8b580db63c44dd36b647ba8dcd2c77dfb4089e6e4170d4291d926f71d73147d3eb0c065dfc11
SSDEEP

12288:7jkljTyiVFlbot4wLULXwYUexfW491duunU0/bCAUF3Z4mxx33YfeSLa/eSv8q:7jSXyiOCw2X8eZWIuuUZQmX3ItEMq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2220	SERVER~1.EXE
224	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c369ed3971e8d0440c6f004d113c8f14.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	SERVER~1.EXE
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	SERVER~1.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	SERVER~1.EXE
Token: SeDebugPrivilege	224	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
224	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2220	2812	c369ed3971e8d0440c6f004d113c8f14.exe	95
PID 2812 wrote to memory of 2220	2812	c369ed3971e8d0440c6f004d113c8f14.exe	95
PID 2812 wrote to memory of 2220	2812	c369ed3971e8d0440c6f004d113c8f14.exe	95
PID 224 wrote to memory of 3340	224	Hacker.com.cn.exe	101
PID 224 wrote to memory of 3340	224	Hacker.com.cn.exe	101
PID 2220 wrote to memory of 4528	2220	SERVER~1.EXE	102
PID 2220 wrote to memory of 4528	2220	SERVER~1.EXE	102
PID 2220 wrote to memory of 4528	2220	SERVER~1.EXE	102

C:\Users\Admin\AppData\Local\Temp\c369ed3971e8d0440c6f004d113c8f14.exe
"C:\Users\Admin\AppData\Local\Temp\c369ed3971e8d0440c6f004d113c8f14.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:4528

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
"C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
417KB

MD5
0a2f9bace096d62f36fe8fc57e31d55a

SHA1
ebfbd0d31777a1822a6c8b30701ca0a2f053d1cf

SHA256
5a5672924027b16d754f6532cdd002b1a1db9f0e6aca2940c8e0dbf3315507f7

SHA512
9cf99c0532b32fdff32613aafb298f88f400bcd6da8f0832f3cd03088e7c65cf5fda52fd9a2dc42dd5faac0667a660bcbac86aa2c98bd20b0d888b74821084ad

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
memory/224-35-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/224-34-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/224-27-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2220-30-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2220-22-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2220-21-0x0000000002290000-0x000000000229A000-memory.dmp

Filesize
40KB

Download
memory/2220-20-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2812-6-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2812-0-0x0000000001000000-0x0000000001139000-memory.dmp

Filesize
1.2MB

Download
memory/2812-13-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2812-14-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2812-15-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2812-12-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2812-18-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2812-10-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2812-7-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2812-11-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2812-5-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2812-4-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2812-31-0x0000000001000000-0x0000000001139000-memory.dmp

Filesize
1.2MB

Download
memory/2812-32-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/2812-2-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2812-3-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2812-1-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads