Analysis
-
max time kernel
131s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-05-2021 12:58
Static task
static1
Behavioral task
behavioral1
Sample
588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe
Resource
win10v20210410
General
-
Target
588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe
-
Size
743KB
-
MD5
e7303eba9d961f5a145f4270d6b2a4b1
-
SHA1
b42e698ce330f2ae0212622137814bcceb1ed58e
-
SHA256
588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c
-
SHA512
178ec653956816b1f85cf96f5fe5c69b3c510285f9eb211a2a71da6662b82ad22d039f7dc28771a0076ca700cdd14985d82e764dd22766d2c6716aad6a53fbf3
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Hacker.com.cn.exepid process 2500 Hacker.com.cn.exe -
Drops file in Windows directory 3 IoCs
Processes:
588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exedescription ioc process File created C:\Windows\Hacker.com.cn.exe 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe File opened for modification C:\Windows\Hacker.com.cn.exe 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe File created C:\Windows\uninstal.bat 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exeHacker.com.cn.exedescription pid process Token: SeDebugPrivilege 2232 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe Token: SeDebugPrivilege 2500 Hacker.com.cn.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Hacker.com.cn.exepid process 2500 Hacker.com.cn.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Hacker.com.cn.exe588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exedescription pid process target process PID 2500 wrote to memory of 2732 2500 Hacker.com.cn.exe IEXPLORE.EXE PID 2500 wrote to memory of 2732 2500 Hacker.com.cn.exe IEXPLORE.EXE PID 2232 wrote to memory of 2848 2232 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe cmd.exe PID 2232 wrote to memory of 2848 2232 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe cmd.exe PID 2232 wrote to memory of 2848 2232 588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe"C:\Users\Admin\AppData\Local\Temp\588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat2⤵
-
C:\Windows\Hacker.com.cn.exeC:\Windows\Hacker.com.cn.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Hacker.com.cn.exeMD5
e7303eba9d961f5a145f4270d6b2a4b1
SHA1b42e698ce330f2ae0212622137814bcceb1ed58e
SHA256588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c
SHA512178ec653956816b1f85cf96f5fe5c69b3c510285f9eb211a2a71da6662b82ad22d039f7dc28771a0076ca700cdd14985d82e764dd22766d2c6716aad6a53fbf3
-
C:\Windows\Hacker.com.cn.exeMD5
e7303eba9d961f5a145f4270d6b2a4b1
SHA1b42e698ce330f2ae0212622137814bcceb1ed58e
SHA256588c5cd951c636f8c8bab3083aba2194c1514477a959cf18bc389b183887606c
SHA512178ec653956816b1f85cf96f5fe5c69b3c510285f9eb211a2a71da6662b82ad22d039f7dc28771a0076ca700cdd14985d82e764dd22766d2c6716aad6a53fbf3
-
C:\Windows\uninstal.batMD5
8fc6e16e255d42483a77b549175ab6ea
SHA120523faa7b2797ba8436cfcbaba5c274aa088a09
SHA256a6bca35902992d0b8dbd695d5f51e5f6e0aa315b2a6adb5a80a80953060c3a53
SHA5123dd91e7595eb12237829aa81a6ba993a515784d05f8b275617db6f9fb42b5c34edc67db2fc6b632f8c4c362f0fb3d42f806ee855ac4d4413cedf1e70949c23b0
-
memory/2232-114-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/2500-117-0x0000000000540000-0x0000000000541000-memory.dmpFilesize
4KB
-
memory/2848-118-0x0000000000000000-mapping.dmp