e569629ea4cdac44d18ebf193b021a4c1d187a97176015c317ee75364ac8533f

Analysis

max time kernel
131s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76286034161bfb771a311f5238e032b.exe
Size

710KB
MD5

c76286034161bfb771a311f5238e032b
SHA1

f24a3e262484d837df6633a3b187a2d51c76ee5b
SHA256

e569629ea4cdac44d18ebf193b021a4c1d187a97176015c317ee75364ac8533f
SHA512

31f1a48c86e598c06e715cc13939a23291f4a5090bcb68243fe8441b2e4b904113919c91441e2769d723c4d8e01e23f37d767a9894fd23f6f216044372bef903
SSDEEP

12288:39xEIhI1gi4kRFpKaqkbmgiZmdcccvpohF3Z4mxx4lv1+mRrzMD/QvV:LEIhugi4uFpKQmgigNcsQmXOhKm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	www.hmhk.cn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	www.hmhk.cn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\www.hmhk.cn.exe	c76286034161bfb771a311f5238e032b.exe
File opened for modification	C:\Program Files (x86)\HgzServer\www.hmhk.cn.exe	c76286034161bfb771a311f5238e032b.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}\12-64-0c-69-3a-63	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-64-0c-69-3a-63\WpadDecisionTime = 20a35e7fb275da01	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-64-0c-69-3a-63\WpadDecision = "0"	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}\WpadDecisionTime = 20a35e7fb275da01	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-64-0c-69-3a-63\WpadDecisionReason = "1"	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0059000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}\WpadDecisionReason = "1"	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0059000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-64-0c-69-3a-63\WpadDecisionTime = e0f8dab0b275da01	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}	www.hmhk.cn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-64-0c-69-3a-63	www.hmhk.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	www.hmhk.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-64-0c-69-3a-63\WpadDetectedUrl	www.hmhk.cn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}\WpadDecisionTime = e0f8dab0b275da01	www.hmhk.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}\WpadDecision = "0"	www.hmhk.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59FCF634-D7F0-4964-A503-4C97CCC66D18}\WpadNetworkName = "Network 3"	www.hmhk.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	www.hmhk.cn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	www.hmhk.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	c76286034161bfb771a311f5238e032b.exe
Token: SeDebugPrivilege	2068	www.hmhk.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	www.hmhk.cn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1656	2068	www.hmhk.cn.exe	29
PID 2068 wrote to memory of 1656	2068	www.hmhk.cn.exe	29
PID 2068 wrote to memory of 1656	2068	www.hmhk.cn.exe	29
PID 2068 wrote to memory of 1656	2068	www.hmhk.cn.exe	29

C:\Users\Admin\AppData\Local\Temp\c76286034161bfb771a311f5238e032b.exe
"C:\Users\Admin\AppData\Local\Temp\c76286034161bfb771a311f5238e032b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Program Files (x86)\HgzServer\www.hmhk.cn.exe
"C:\Program Files (x86)\HgzServer\www.hmhk.cn.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HgzServer\www.hmhk.cn.exe

Filesize
710KB

MD5
c76286034161bfb771a311f5238e032b

SHA1
f24a3e262484d837df6633a3b187a2d51c76ee5b

SHA256
e569629ea4cdac44d18ebf193b021a4c1d187a97176015c317ee75364ac8533f

SHA512
31f1a48c86e598c06e715cc13939a23291f4a5090bcb68243fe8441b2e4b904113919c91441e2769d723c4d8e01e23f37d767a9894fd23f6f216044372bef903

Download Submit
C:\Program Files (x86)\HgzServer\www.hmhk.cn.exe

Filesize
485KB

MD5
0f9c937803c3994e4cdb35aed05df32c

SHA1
3b0a8f87926b3d58b3027873a9822674af69a1ce

SHA256
dd354ea394de9a3390544a3817f204bd1445cbac3fbb3cf0ae91d5377458999a

SHA512
9459230034cbdf19cb33c316f763853e680204838c6f49884b4b70da60c3a8ac051be97864951d5d6a2ac3081dfbffaef6e3eddadae1a4df09e2f1f1b46c33bf

Download Submit
memory/2512-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2512-1-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/2512-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2512-9-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2512-8-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2512-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2512-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2512-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2512-4-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2512-3-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2512-2-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2512-11-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-14-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-15-0x0000000003370000-0x00000000033B0000-memory.dmp

Filesize
256KB

Download
memory/2512-16-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-17-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-18-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-19-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-20-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-21-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-22-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-23-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-24-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-25-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-26-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-27-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-28-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-29-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-30-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-31-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-32-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-33-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-34-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-35-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-36-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-37-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-38-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-39-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-41-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-42-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-43-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-44-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-45-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-48-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-49-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-50-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-51-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-52-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-53-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-54-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-55-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-56-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-57-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-58-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-59-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-60-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-62-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-63-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-65-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-66-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-67-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-64-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-61-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-46-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2512-95-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download