aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94

Analysis

max time kernel
129s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
Size

794KB
MD5

03ebf4ac4e91682849e685e9e26a0730
SHA1

afab39ac2c1c716dd6c8eae15cff638a4c32295c
SHA256

aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94
SHA512

2f0faf063dee3e6e9e4a097035a68938e0ec4bada0100e715ff25767899b13a5e9b0a6fc411081b4ad8fd95ca9b91cee3bac73f08b8035fe9cdff988db1691cc
SSDEEP

12288:SRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnrfIXd:+StU4gf2EW5A2DJr/kS4vGIk6v3HrW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2228	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
File created	C:\Windows\uninstal.bat	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
Token: SeDebugPrivilege	2228	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2228	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 680	2228	Hacker.com.cn.exe	81
PID 2228 wrote to memory of 680	2228	Hacker.com.cn.exe	81
PID 2312 wrote to memory of 3084	2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe	82
PID 2312 wrote to memory of 3084	2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe	82
PID 2312 wrote to memory of 3084	2312	aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe	82

C:\Users\Admin\AppData\Local\Temp\aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe
"C:\Users\Admin\AppData\Local\Temp\aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3084

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SQETLY.TMP

Filesize
51KB

MD5
aefafdd5c9b62db20fd28e0f935263e8

SHA1
3df1cb906cc6180776143b3cc8dd77d2d6956d59

SHA256
9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e

SHA512
e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQETLY.TMP

Filesize
51KB

MD5
aefafdd5c9b62db20fd28e0f935263e8

SHA1
3df1cb906cc6180776143b3cc8dd77d2d6956d59

SHA256
9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e

SHA512
e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
794KB

MD5
03ebf4ac4e91682849e685e9e26a0730

SHA1
afab39ac2c1c716dd6c8eae15cff638a4c32295c

SHA256
aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94

SHA512
2f0faf063dee3e6e9e4a097035a68938e0ec4bada0100e715ff25767899b13a5e9b0a6fc411081b4ad8fd95ca9b91cee3bac73f08b8035fe9cdff988db1691cc

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
794KB

MD5
03ebf4ac4e91682849e685e9e26a0730

SHA1
afab39ac2c1c716dd6c8eae15cff638a4c32295c

SHA256
aa322f621f0854fcd491b18df6ba2e0819154c520b9d09b4ce016075b900ea94

SHA512
2f0faf063dee3e6e9e4a097035a68938e0ec4bada0100e715ff25767899b13a5e9b0a6fc411081b4ad8fd95ca9b91cee3bac73f08b8035fe9cdff988db1691cc

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
c46ace1ddd4881dd621e2ba3caf506c4

SHA1
0cf7b3ad8e9ebf611cc3c0a9fc53bfe4f8323a4c

SHA256
b579787a69ccde11a8f58d460ad7a40cca9385d572efae4ccef49aeecd3f2374

SHA512
3b25479f1a1d0b73f66035cb3cfc8e76b7725ff7e4208be7ec6fa356d0e8c155c26cd5e2b684dfe9d6fe4e66360e2c80ed80327cac9e3b1abefdc0102991330b

Download Submit
memory/2312-134-0x00000000022A0000-0x00000000022B1000-memory.dmp

Filesize
68KB

Download