ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97

Analysis

max time kernel
160s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe
Size

293KB
MD5

9fd3eff3b9678097b592e1693f5e8f1b
SHA1

d20a55fc81c4dcd5a46f211d2de1e9306512f1d1
SHA256

ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97
SHA512

0b0c23a9be99d42169f2f2ac05e9c13586d24aea0bf2abf3a8aac2d6b821adba99caa624f363a5f7d73ae20309cb1bac43a3dedcb3deb7d6921cb13e7faecb42
SSDEEP

6144:tZeG8/Bpdrjz2t19brNAPPbAGlQksbU2xGajuRHqD:tZeDjdrH2JgBsGais

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4864	Yexiao.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Yexiao.com.cn.exe	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe
File opened for modification	C:\Windows\Yexiao.com.cn.exe	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe
File created	C:\Windows\uninstal.bat	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe
Token: SeDebugPrivilege	4864	Yexiao.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4864	Yexiao.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4916	4864	Yexiao.com.cn.exe	80
PID 4864 wrote to memory of 4916	4864	Yexiao.com.cn.exe	80
PID 3612 wrote to memory of 4840	3612	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe	81
PID 3612 wrote to memory of 4840	3612	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe	81
PID 3612 wrote to memory of 4840	3612	ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe	81

C:\Users\Admin\AppData\Local\Temp\ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe
"C:\Users\Admin\AppData\Local\Temp\ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4840

C:\Windows\Yexiao.com.cn.exe
C:\Windows\Yexiao.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Yexiao.com.cn.exe

Filesize
293KB

MD5
9fd3eff3b9678097b592e1693f5e8f1b

SHA1
d20a55fc81c4dcd5a46f211d2de1e9306512f1d1

SHA256
ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97

SHA512
0b0c23a9be99d42169f2f2ac05e9c13586d24aea0bf2abf3a8aac2d6b821adba99caa624f363a5f7d73ae20309cb1bac43a3dedcb3deb7d6921cb13e7faecb42

Download Submit
C:\Windows\Yexiao.com.cn.exe

Filesize
293KB

MD5
9fd3eff3b9678097b592e1693f5e8f1b

SHA1
d20a55fc81c4dcd5a46f211d2de1e9306512f1d1

SHA256
ee98297a5c51fa7948f21e51b68fd97b887acac6b8fa7e639a36b6a73153fc97

SHA512
0b0c23a9be99d42169f2f2ac05e9c13586d24aea0bf2abf3a8aac2d6b821adba99caa624f363a5f7d73ae20309cb1bac43a3dedcb3deb7d6921cb13e7faecb42

Download Submit
C:\Windows\uninstal.bat

Filesize
2KB

MD5
ab62acc616cac6260db73917a32724c9

SHA1
c0ad4685fc69ccabad184fbe5ecb2987b08cde76

SHA256
8d6a0c65e6ed5eff4a248f57416a1d44921ca53af70d4d8d4ed17cc7b38275dd

SHA512
f1b36a807a1b28bf297f5ae9302c9e64eccdf8be302d2dccc6c1986c425c9f4b3de7cb270e27214a5454491b6007c6a21e90fcb0cc817281764c72756c966e88

Download Submit
memory/3612-132-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3612-133-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4840-137-0x0000000000000000-mapping.dmp

Download
memory/4864-136-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4864-138-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4864-140-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download