672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0

Analysis

max time kernel
157s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 16:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0.exe
Size

633KB
MD5

1a324aef8376979634448117ec9ed9b0
SHA1

ba8ca0346aa9cbf5f19f4a3e118759b2b78c9ec9
SHA256

672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0
SHA512

4edaccde3983604b7a6cf5982d57711c733b94d8072aa9c2260ae5bc58caf75e22d30dd0f70f22643b223cf105962ee77a22fdb1a4e86045dd84eda2d7a978c2
SSDEEP

12288:ujf0y3hvL6Yw17cnXJWUF3Z4mxxJTaZ99Pp9qjwWzyOQO:ujfMYdJzQmXJTGLp96wyybO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1372	Hacker.com.cn.ini

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.ini	672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0.exe
Token: SeDebugPrivilege	1372	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1372	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1248	1372	Hacker.com.cn.ini	29
PID 1372 wrote to memory of 1248	1372	Hacker.com.cn.ini	29
PID 1372 wrote to memory of 1248	1372	Hacker.com.cn.ini	29
PID 1372 wrote to memory of 1248	1372	Hacker.com.cn.ini	29

C:\Users\Admin\AppData\Local\Temp\672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0.exe
"C:\Users\Admin\AppData\Local\Temp\672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.ini

Filesize
633KB

MD5
1a324aef8376979634448117ec9ed9b0

SHA1
ba8ca0346aa9cbf5f19f4a3e118759b2b78c9ec9

SHA256
672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0

SHA512
4edaccde3983604b7a6cf5982d57711c733b94d8072aa9c2260ae5bc58caf75e22d30dd0f70f22643b223cf105962ee77a22fdb1a4e86045dd84eda2d7a978c2

Download Submit
C:\Windows\Hacker.com.cn.ini

Filesize
633KB

MD5
1a324aef8376979634448117ec9ed9b0

SHA1
ba8ca0346aa9cbf5f19f4a3e118759b2b78c9ec9

SHA256
672682273a66220fc2f729bca6d09a4d034cbeb8b49f730749c05376e62b59a0

SHA512
4edaccde3983604b7a6cf5982d57711c733b94d8072aa9c2260ae5bc58caf75e22d30dd0f70f22643b223cf105962ee77a22fdb1a4e86045dd84eda2d7a978c2

Download Submit
memory/1372-63-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1372-64-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/1372-65-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1372-66-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/1832-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1832-55-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1832-56-0x0000000000840000-0x0000000000894000-memory.dmp

Filesize
336KB

Download
memory/1832-57-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/1832-61-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1832-62-0x0000000000840000-0x0000000000894000-memory.dmp

Filesize
336KB

Download