8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb

Analysis

max time kernel
159s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 19:23

Target

8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe
Size

296KB
MD5

469a1276bb48a9a8e77d5d2411be08e0
SHA1

9c5daa6b7e9581c9b8faa76fb7d74b5a3bc48bec
SHA256

8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb
SHA512

1aeab73218e20524f3a9957577ecf58f510ca7ee190506d022ac5eb000482293cae48c9c3b4aa2a39ffbe64d31866c53c8696675c6ccd3dc7d7056ecac46956e
SSDEEP

6144:nI4KOFGYz5ZGWwV+QCDdsw5INJaM15XKjW:nI4lGY6WwV+QCDz0L156j

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1032	Hacker.com.cn.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4528-132-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/4528-133-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/files/0x000b000000022e11-134.dat	upx
behavioral2/files/0x000b000000022e11-135.dat	upx
behavioral2/memory/1032-137-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1032-138-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe
File created	C:\Windows\UNINSTAL.BAT	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe
Token: SeDebugPrivilege	1032	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1032	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4752	1032	Hacker.com.cn.exe	82
PID 1032 wrote to memory of 4752	1032	Hacker.com.cn.exe	82
PID 1032 wrote to memory of 4752	1032	Hacker.com.cn.exe	82
PID 4528 wrote to memory of 1148	4528	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe	87
PID 4528 wrote to memory of 1148	4528	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe	87
PID 4528 wrote to memory of 1148	4528	8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe	87

C:\Users\Admin\AppData\Local\Temp\8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe
"C:\Users\Admin\AppData\Local\Temp\8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
  2⤵
  PID:1148

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1032
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4528 -ip 4528
1⤵
PID:3664

C:\Windows\Hacker.com.cn.exe

Filesize
296KB

MD5
469a1276bb48a9a8e77d5d2411be08e0

SHA1
9c5daa6b7e9581c9b8faa76fb7d74b5a3bc48bec

SHA256
8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb

SHA512
1aeab73218e20524f3a9957577ecf58f510ca7ee190506d022ac5eb000482293cae48c9c3b4aa2a39ffbe64d31866c53c8696675c6ccd3dc7d7056ecac46956e

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
296KB

MD5
469a1276bb48a9a8e77d5d2411be08e0

SHA1
9c5daa6b7e9581c9b8faa76fb7d74b5a3bc48bec

SHA256
8ad538b861b632bd0926de6b0467ed3649e7fe7843c0fea5746118aeca359fcb

SHA512
1aeab73218e20524f3a9957577ecf58f510ca7ee190506d022ac5eb000482293cae48c9c3b4aa2a39ffbe64d31866c53c8696675c6ccd3dc7d7056ecac46956e

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
250B

MD5
13d73de001617fb0d67cadbb5c7a25ad

SHA1
43b8644291e191e3f51731ebfcca39084e575e6d

SHA256
d1ada5d4df2a40417ff1a1f1298e20d4d40b4653bcbd640e27d36aca1b5ac676

SHA512
e40845f16d77bda00b8c686b883a8b2cd91dc7514bddfa20ac96870fc31cbc8e0844be2752b76c7bf7769f4fae6c0d9cc3c1dea9f051581f96261d6955e32e86

Download Submit
memory/1032-137-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1032-138-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4528-132-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4528-133-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download