Analysis

  • max time kernel
    118s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 23:42

General

  • Target

    16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447.exe

  • Size

    744KB

  • MD5

    43109ee16f35012fa016007274da3930

  • SHA1

    57c427c5e371c7b4d41988b444e0fbfa1d2b2f37

  • SHA256

    16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447

  • SHA512

    f866780b406a60e21854a5ce61f1a55371f32aa495f693461fecbef2c68604dfdcddcd3b5b3f08f20b754b72cfca2f14f2fa508c1f04b44e21b395c3fcd6c81c

  • SSDEEP

    12288:WRn8S++U4u/n/80dW5A0zyW6JwQ5oAlK+GbxvZ/Ik9kQQ52LYRg08yPwrRrk:i8MU4ufxdW5A2sJr/khxvZIk963Y

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447.exe
    "C:\Users\Admin\AppData\Local\Temp\16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\65137367.BAT
      2⤵
      • Deletes itself
      PID:916
  • C:\PRogram Files\Hacker.com.cn.exe
    "C:\PRogram Files\Hacker.com.cn.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:976

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\PRogram Files\Hacker.com.cn.exe
      Filesize

      744KB

      MD5

      43109ee16f35012fa016007274da3930

      SHA1

      57c427c5e371c7b4d41988b444e0fbfa1d2b2f37

      SHA256

      16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447

      SHA512

      f866780b406a60e21854a5ce61f1a55371f32aa495f693461fecbef2c68604dfdcddcd3b5b3f08f20b754b72cfca2f14f2fa508c1f04b44e21b395c3fcd6c81c

    • C:\Program Files\Hacker.com.cn.exe
      Filesize

      744KB

      MD5

      43109ee16f35012fa016007274da3930

      SHA1

      57c427c5e371c7b4d41988b444e0fbfa1d2b2f37

      SHA256

      16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447

      SHA512

      f866780b406a60e21854a5ce61f1a55371f32aa495f693461fecbef2c68604dfdcddcd3b5b3f08f20b754b72cfca2f14f2fa508c1f04b44e21b395c3fcd6c81c

    • C:\Windows\65137367.BAT
      Filesize

      254B

      MD5

      fc589d5051e363fa08cda9a062aebd10

      SHA1

      f1859120d65a29ccf5d287bdf5cba76b5b96e18c

      SHA256

      43cee8ef2159b4d0621f40ff2750ca1a6ae3fd578842a6ab71068ce374d62ce9

      SHA512

      30135609ce83caf3e3f5046c8e4a5e743f1e46f122e77e3cace4755b4256ef7a7bc84981d87e005ced5e4c3ec0d65f93f62e417a141ec30a3612c678be895447

    • memory/748-54-0x0000000075B11000-0x0000000075B13000-memory.dmp
      Filesize

      8KB

    • memory/916-58-0x0000000000000000-mapping.dmp
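A short triage script, added here as an example (it is not part of the sandbox report and not code from the sample): it replays the process tree and the Downloads entries above as constructed Sysmon-style events and applies the four checks a responder would want on this tree: the dropped Hacker.com.cn.exe hashing identically to the submitted sample (a self-copy), an executable written to and run from the root of Program Files, cmd.exe running a .BAT out of C:\Windows (the step the report tags "Deletes itself"), and Internet Explorer started by the dropped copy (the "Suspicious use of WriteProcessMemory" parent). The event layout, the PID value 0 for parents the report does not record, and the rule names are this example's own assumptions.

```python
"""Replay the process tree and dropped files from the report as events and
run detection checks over them (constructed data; not sandbox output)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Hashes copied from the report above.
SAMPLE_SHA256 = "16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447"
BAT_SHA256 = "43cee8ef2159b4d0621f40ff2750ca1a6ae3fd578842a6ab71068ce374d62ce9"


@dataclass
class Event:
    kind: str         # "process" (creation) or "filewrite"
    pid: int          # process that was created / did the write
    ppid: int         # parent PID for process events; 0 = not recorded (assumption)
    image: str        # executable path, or path of the written file
    cmdline: str = ""
    sha256: str = ""  # hash of the image or of the written file, if known


# Constructed Sysmon-style events mirroring the tree in the report.
# Parent PIDs of the two level-1 processes are not in the report, hence 0.
EVENTS: List[Event] = [
    Event("process", 748, 0,
          r"C:\Users\Admin\AppData\Local\Temp\16eaf442dd4be2979f1a566ed08d7a657401a7b31bbaacd8dc6bd4f1c60e3447.exe",
          sha256=SAMPLE_SHA256),
    Event("filewrite", 748, 0, r"C:\PRogram Files\Hacker.com.cn.exe", sha256=SAMPLE_SHA256),
    Event("filewrite", 748, 0, r"C:\Windows\65137367.BAT", sha256=BAT_SHA256),
    Event("process", 916, 748, r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r"cmd /c C:\Windows\65137367.BAT"),
    Event("process", 1956, 0, r"C:\PRogram Files\Hacker.com.cn.exe", sha256=SAMPLE_SHA256),
    Event("process", 976, 1956, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
]

# An .exe directly under Program Files (no vendor subfolder) is unusual for a
# legitimate install. Case-insensitive: NTFS is, and the report records the
# same file as both "PRogram Files" and "Program Files".
PROGFILES_ROOT_EXE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\[^\\]+\.exe$", re.I)
# cmd /c <name>.bat sitting directly in C:\Windows (optionally quoted).
CMD_WINDOWS_BAT = re.compile(r"/c\s+\"?[a-z]:\\windows\\[^\\\s\"]+\.bat\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Dict[str, object]]:
    """Return one finding per rule match. Rule names are this example's own."""
    findings: List[Dict[str, object]] = []
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    dropped = {e.image.lower() for e in events if e.kind == "filewrite"}

    for e in events:
        # Rule 1: a written file hashes identically to the writing process's image.
        if e.kind == "filewrite":
            writer = procs.get(e.pid)
            if writer and writer.sha256 and writer.sha256 == e.sha256:
                findings.append({"rule": "self_copy", "pid": e.pid, "detail": e.image})

        # Rule 2: executable placed in, or run from, the root of Program Files.
        if PROGFILES_ROOT_EXE.match(e.image):
            findings.append({"rule": "exe_in_program_files_root", "pid": e.pid, "detail": e.image})

        if e.kind != "process":
            continue

        # Rule 3: cmd.exe executing a batch file from C:\Windows (self-delete step).
        if _basename(e.image) == "cmd.exe" and CMD_WINDOWS_BAT.search(e.cmdline):
            findings.append({"rule": "cmd_runs_windows_root_bat", "pid": e.pid, "detail": e.cmdline})

        # Rule 4: a process whose parent image is a file dropped earlier in the trace.
        parent = procs.get(e.ppid)
        if parent and parent.image.lower() in dropped:
            findings.append({"rule": "child_of_dropped_exe", "pid": e.pid,
                             "detail": f"{parent.image} -> {e.image}"})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<5} {f['detail']}")
```

Paths are compared case-insensitively on purpose: a case-sensitive IoC match on "C:\Program Files\Hacker.com.cn.exe" would miss the "C:\PRogram Files" spelling the sandbox logged for the same file. Rule 1 is the check that the 744KB download is a byte-identical copy of the submitted sample rather than a second payload, which the matching MD5/SHA1/SHA256/SHA512 values in the Downloads section already imply.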