de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac

Analysis

max time kernel
108s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 10:41

Target

de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
Size

704KB
MD5

08c1234dc53beb2bf27a86b471edc2c0
SHA1

3c723ebfc5f418da9fb982084cebcacc02a5f2f5
SHA256

de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac
SHA512

d6b9ac57d63c38a515b87109cf2d37ea17c2a5e19e1c80de69c31db04e62690e61690aa83e8e7c265a77cd0fd8688fd2b015fac2346442c6382f41651731b7eb
SSDEEP

12288:TRycYktU4g/n/t0EW5A0ckOvJwQ5oalK+Geh4v6jIk6bQQ52LwRg08S5nt1/qs:txnU4gf2EW5AdHJr1kMh4vOIk6LXl

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1260	NoHacker.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NoHacker.cn.exe	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
File created	C:\Windows\UNINSTAL.BAT	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
File created	C:\Windows\NoHacker.cn.exe	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2788	4012	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
Token: SeDebugPrivilege	1260	NoHacker.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1260	NoHacker.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4728	1260	NoHacker.cn.exe	84
PID 1260 wrote to memory of 4728	1260	NoHacker.cn.exe	84
PID 4012 wrote to memory of 936	4012	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	90
PID 4012 wrote to memory of 936	4012	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	90
PID 4012 wrote to memory of 936	4012	de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe	90

C:\Users\Admin\AppData\Local\Temp\de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe
"C:\Users\Admin\AppData\Local\Temp\de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 636
  2⤵
  - Program crash
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
  2⤵
  PID:936

C:\Windows\NoHacker.cn.exe
C:\Windows\NoHacker.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4012 -ip 4012
1⤵
PID:4456

C:\Windows\NoHacker.cn.exe

Filesize
704KB

MD5
08c1234dc53beb2bf27a86b471edc2c0

SHA1
3c723ebfc5f418da9fb982084cebcacc02a5f2f5

SHA256
de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac

SHA512
d6b9ac57d63c38a515b87109cf2d37ea17c2a5e19e1c80de69c31db04e62690e61690aa83e8e7c265a77cd0fd8688fd2b015fac2346442c6382f41651731b7eb

Download Submit
C:\Windows\NoHacker.cn.exe

Filesize
704KB

MD5
08c1234dc53beb2bf27a86b471edc2c0

SHA1
3c723ebfc5f418da9fb982084cebcacc02a5f2f5

SHA256
de246594785814bc5abf7aa308b29d45c76ca63dfb8ea4a75c21f1cd48931bac

SHA512
d6b9ac57d63c38a515b87109cf2d37ea17c2a5e19e1c80de69c31db04e62690e61690aa83e8e7c265a77cd0fd8688fd2b015fac2346442c6382f41651731b7eb

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
250B

MD5
41153eb3146451fe29511254fe0cd009

SHA1
fe526e37c55b48c18489b2ae6b3f82b5a78ca341

SHA256
05cbbbb33371fbd1492326b1a0257294b346b3ad2183cd8b3c36213e59ee2bca

SHA512
ec49c399c163e0281a6d563cdb0c4095c6a350ee0dfb6219293e19ba1fc67522c595a065fb6f43f569e7c1f206f950fa8fdc391aaae78be058ddaf750ed3a7bc

Download Submit
memory/1260-135-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1260-138-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4012-132-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download