Analysis

  • max time kernel
    118s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20221111-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-11-2022 15:40

General

  • Target

    e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe

  • Size

    743KB

  • MD5

    38686fc6e8e7f3585b0e09f1f8f0d962

  • SHA1

    9de250d07359479fa6a212f684b79d8334433a16

  • SHA256

    e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560

  • SHA512

    4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb

  • SSDEEP

    12288:ERyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnDzt:oStU4gf2EW5A2DJr/kS4vGIk6v3HX

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
    "C:\Users\Admin\AppData\Local\Temp\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      2⤵
      • Deletes itself
      PID:1228
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
        PID:1488
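The process tree above records one chain: the sample runs from %TEMP%, writes C:\Windows\Hacker.com.cn.exe and C:\Windows\uninstal.bat, the dropped copy starts on its own, and cmd /c uninstal.bat removes the original. The script below is an added example, not part of the sandbox output, showing how a detection engine would correlate that chain from endpoint telemetry. The events are constructed to mirror the Processes section: PIDs, images and command lines come from the report; the field names follow Sysmon Event ID 1 (process creation) and Event ID 11 (file creation) records; the parent PIDs of the two root processes, the two benign decoy events and the rule names are assumptions.

```python
"""Correlate the drop, execute and self-delete chain from Sysmon-style events.

Added example; event records below are constructed, not taken from the page.
"""
import ntpath
import re
from collections import defaultdict

# Locations an unprivileged user can write to. An image running from one
# of these that writes executables into C:\Windows is the first link.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\", "\\programdata\\")
WINDOWS_DIR = "c:\\windows\\"
PAYLOAD_EXT = (".exe", ".dll", ".bat", ".cmd")
# Pulls the script path out of "cmd /c <path>.bat" (quoted or not).
BAT_RE = re.compile(r'/c\s+"?([^\s"]+\.(?:bat|cmd))"?', re.IGNORECASE)


def norm(path):
    """Case-fold and normalise a Windows path so comparisons are exact."""
    return ntpath.normpath(path).lower()


def is_user_writable(image):
    return any(tag in norm(image) for tag in USER_WRITABLE)


def detect(events):
    """Return (rule, pid, detail) findings, correlating events by PID.

    drop_to_windows      exe/dll/bat written under C:\\Windows by a process
                         whose image lives in a user-writable directory
    dropped_exe_started  a process whose image is a file dropped earlier
    bat_self_delete      cmd /c <bat> where the batch file was dropped by
                         the parent process (the report's "Deletes itself")
    """
    image_of = {}                  # pid -> normalised image (Event ID 1)
    dropped_by = defaultdict(set)  # dropper pid -> files it wrote to C:\Windows
    dropped_files = {}             # dropped file -> dropper pid
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            pid, image = ev["ProcessId"], norm(ev["Image"])
            image_of[pid] = image
            if image in dropped_files:
                findings.append(("dropped_exe_started", pid, ev["Image"]))
            match = BAT_RE.search(ev.get("CommandLine", ""))
            if ntpath.basename(image) == "cmd.exe" and match:
                bat = norm(match.group(1))
                if bat in dropped_by.get(ev["ParentProcessId"], set()):
                    findings.append(("bat_self_delete", pid, ev["CommandLine"]))
        elif ev["EventID"] == 11:
            pid, target = ev["ProcessId"], norm(ev["TargetFilename"])
            if (target.startswith(WINDOWS_DIR)
                    and target.endswith(PAYLOAD_EXT)
                    and is_user_writable(image_of.get(pid, ""))):
                dropped_by[pid].add(target)
                dropped_files[target] = pid
                findings.append(("drop_to_windows", pid, ev["TargetFilename"]))
    return findings


def chain_present(findings):
    """True when all three links of the chain were observed."""
    rules = {rule for rule, _, _ in findings}
    return {"drop_to_windows", "dropped_exe_started", "bat_self_delete"} <= rules


# Constructed telemetry mirroring the report's process tree. Parent PIDs
# 1000 (explorer.exe) and 480 (services.exe) are assumptions: the report
# shows Hacker.com.cn.exe as a root process without naming its parent.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe")
EVENTS = [
    {"EventID": 1, "ProcessId": 1300, "ParentProcessId": 1000,
     "Image": SAMPLE, "CommandLine": '"%s"' % SAMPLE},
    {"EventID": 11, "ProcessId": 1300, "TargetFilename": r"C:\Windows\Hacker.com.cn.exe"},
    {"EventID": 11, "ProcessId": 1300, "TargetFilename": r"C:\Windows\uninstal.bat"},
    {"EventID": 1, "ProcessId": 1324, "ParentProcessId": 480,
     "Image": r"C:\Windows\Hacker.com.cn.exe", "CommandLine": r"C:\Windows\Hacker.com.cn.exe"},
    {"EventID": 1, "ProcessId": 1228, "ParentProcessId": 1300,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": r"cmd /c C:\Windows\uninstal.bat"},
    {"EventID": 1, "ProcessId": 1488, "ParentProcessId": 1324,
     "Image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "CommandLine": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
    # Benign decoys (constructed): an installer writing under C:\Windows from a
    # system image, and a user running a batch file from their own profile.
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec /i setup.msi"},
    {"EventID": 11, "ProcessId": 2000, "TargetFilename": r"C:\Windows\Installer\12ab.msi"},
    {"EventID": 1, "ProcessId": 2100, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd /c C:\Users\Admin\build.bat"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print("%-20s pid=%-5d %s" % (rule, pid, detail))
    print("full chain:", chain_present(detect(EVENTS)))
```

The correlation is deliberately keyed on the dropper's PID rather than on the fixed file names, so the same logic fires when a later build of the sample picks a different name under C:\Windows; the file-name and hash IoCs from the report remain useful for retro-hunting, but the behavioural chain is what survives a rebuild. Note that the report flags WriteProcessMemory on the dropped copy before it spawns IEXPLORE.EXE; that event is outside what this example correlates and would need Sysmon Event ID 8 or 10 data.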

Network

MITRE ATT&CK Matrix

Downloads

    • C:\Windows\Hacker.com.cn.exe
      Filesize

      743KB

      MD5

      38686fc6e8e7f3585b0e09f1f8f0d962

      SHA1

      9de250d07359479fa6a212f684b79d8334433a16

      SHA256

      e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560

      SHA512

      4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb

    • C:\Windows\uninstal.bat
      Filesize

      254B

      MD5

      862f328ef566af04eff4ec3441d2e0e3

      SHA1

      20450422b736126b92df983d4320713265cccac7

      SHA256

      26e7febb1c7e4e95a3a39d76f84e2baca41146715257ef3773c87e87e8021613

      SHA512

      b4d13ef06b11976e11da517599acd63e9cc9ce69f243c7de88e4446a5f612042930235087bec919bf9dd51c68d6a1c1c8bfd55a04fa3d32c7101025bddd244ad

    • memory/1228-58-0x0000000000000000-mapping.dmp
    • memory/1300-54-0x0000000075C31000-0x0000000075C33000-memory.dmp
      Filesize

      8KB