3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c

Analysis

max time kernel
189s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 14:50

Target

3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe
Size

743KB
MD5

0db87f76fac97ce9369b23171249d706
SHA1

b68a53e777b3d6bd2ab4d63b976084d1d160e593
SHA256

3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c
SHA512

73c5d28ee100ac7fcc7962a75014286c3371d8f631eb59af063d051c41d2fd624c805fc2e35da4b33941556465ed703cfdc0062af33e8b872c38c81c9891c928
SSDEEP

12288:GRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrzy:yStU4gf2EW5A2DJr/kS4vGIk6v3Hf

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
2556	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe
File created	C:\Windows\uninstal.bat	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe
Token: SeDebugPrivilege	2556	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1516	2556	Hacker.com.cn.exe	79
PID 2556 wrote to memory of 1516	2556	Hacker.com.cn.exe	79
PID 5108 wrote to memory of 2388	5108	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe	80
PID 5108 wrote to memory of 2388	5108	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe	80
PID 5108 wrote to memory of 2388	5108	3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe	80

C:\Users\Admin\AppData\Local\Temp\3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe
"C:\Users\Admin\AppData\Local\Temp\3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2388

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1516

C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
0db87f76fac97ce9369b23171249d706

SHA1
b68a53e777b3d6bd2ab4d63b976084d1d160e593

SHA256
3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c

SHA512
73c5d28ee100ac7fcc7962a75014286c3371d8f631eb59af063d051c41d2fd624c805fc2e35da4b33941556465ed703cfdc0062af33e8b872c38c81c9891c928

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
0db87f76fac97ce9369b23171249d706

SHA1
b68a53e777b3d6bd2ab4d63b976084d1d160e593

SHA256
3bb2d9c586248e783ef5bc805ca4a117593b7463be128b2c5bc30dcc934c296c

SHA512
73c5d28ee100ac7fcc7962a75014286c3371d8f631eb59af063d051c41d2fd624c805fc2e35da4b33941556465ed703cfdc0062af33e8b872c38c81c9891c928

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
ad9093366cddce0e49f07586ca667e4e

SHA1
0ea6a7abd344c8e42ff9e806f01b7091c3aaca09

SHA256
a6231045207dbbe3a4ece4f9738039044dba970e5311935611d4c0bde7672d84

SHA512
49eb7b317663d54fd38c78f7d675ea25bc3d82281dd9df3207244fd5236bc27e67ed69748987af9ef336e976b178f5f42800aa0e5d5bbc21ebe0cd079d60299f

Download Submit