de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac

Analysis

max time kernel
137s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 10:41

Target

de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
Size

704KB
MD5

08c1234dc53beb2bf27a86b471edc2c0
SHA1

3c723ebfc5f418da9fb982084cebcacc02a5f2f5
SHA256

de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac
SHA512

d6b9ac57d63c38a515b87109cf2d37ea17c2a5e19e1c80de69c31db04e62690e61690aa83e8e7c265a77cd0fd8688fd2b015fac2346442c6382f41651731b7eb
SSDEEP

12288:TRycYktU4g/n/t0EW5A0ckOvJwQ5oalK+Geh4v6jIk6bQQ52LwRg08S5nt1/qs:txnU4gf2EW5AdHJr1kMh4vOIk6LXl

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1640	NoHacker.cn.exe

Deletes itself 1 IoCs

pid	Process
764	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\NoHacker.cn.exe	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
File opened for modification	C:\Windows\NoHacker.cn.exe	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
File created	C:\Windows\UNINSTAL.BAT	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
Token: SeDebugPrivilege	1640	NoHacker.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	NoHacker.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1164	1640	NoHacker.cn.exe	28
PID 1640 wrote to memory of 1164	1640	NoHacker.cn.exe	28
PID 1640 wrote to memory of 1164	1640	NoHacker.cn.exe	28
PID 1640 wrote to memory of 1164	1640	NoHacker.cn.exe	28
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29
PID 996 wrote to memory of 764	996	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	29

C:\Users\Admin\AppData\Local\Temp\de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
"C:\Users\Admin\AppData\Local\Temp\de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:764

C:\Windows\NoHacker.cn.exe
C:\Windows\NoHacker.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1164

C:\Windows\NoHacker.cn.exe

Filesize
704KB

MD5
08c1234dc53beb2bf27a86b471edc2c0

SHA1
3c723ebfc5f418da9fb982084cebcacc02a5f2f5

SHA256
de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac

SHA512
d6b9ac57d63c38a515b87109cf2d37ea17c2a5e19e1c80de69c31db04e62690e61690aa83e8e7c265a77cd0fd8688fd2b015fac2346442c6382f41651731b7eb

Download Submit
C:\Windows\NoHacker.cn.exe

Filesize
704KB

MD5
08c1234dc53beb2bf27a86b471edc2c0

SHA1
3c723ebfc5f418da9fb982084cebcacc02a5f2f5

SHA256
de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac

SHA512
d6b9ac57d63c38a515b87109cf2d37ea17c2a5e19e1c80de69c31db04e62690e61690aa83e8e7c265a77cd0fd8688fd2b015fac2346442c6382f41651731b7eb

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
250B

MD5
41153eb3146451fe29511254fe0cd009

SHA1
fe526e37c55b48c18489b2ae6b3f82b5a78ca341

SHA256
05cbbbb33371fbd1492326b1a0257294b346b3ad2183cd8b3c36213e59ee2bca

SHA512
ec49c399c163e0281a6d563cdb0c4095c6a350ee0dfb6219293e19ba1fc67522c595a065fb6f43f569e7c1f206f950fa8fdc391aaae78be058ddaf750ed3a7bc

Download Submit
memory/996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/996-55-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1640-59-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1640-62-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download