Analysis
max time kernel: 144s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:40
Static task: static1
Behavioral task: behavioral1
  Sample: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  Resource: win10v2004-20221111-en
General
Target: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
Size: 743KB
MD5: 38686fc6e8e7f3585b0e09f1f8f0d962
SHA1: 9de250d07359479fa6a212f684b79d8334433a16
SHA256: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560
SHA512: 4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb
SSDEEP: 12288:ERyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnDzt:oStU4gf2EW5A2DJr/kS4vGIk6v3HX
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  4152  Hacker.com.cn.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description                   ioc                           process
  File created                  C:\Windows\Hacker.com.cn.exe  e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  File opened for modification  C:\Windows\Hacker.com.cn.exe  e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  File created                  C:\Windows\uninstal.bat       e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes:
  description      ioc                                                                                                                process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   Hacker.com.cn.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      Hacker.com.cn.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2344  e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  Token: SeDebugPrivilege  4152  Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid   process
  4152  Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                       pid   process                                                                   target process
  PID 4152 wrote to memory of 1220  4152  Hacker.com.cn.exe                                                         IEXPLORE.EXE
  PID 4152 wrote to memory of 1220  4152  Hacker.com.cn.exe                                                         IEXPLORE.EXE
  PID 2344 wrote to memory of 5116  2344  e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe  cmd.exe
  PID 2344 wrote to memory of 5116  2344  e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe  cmd.exe
  PID 2344 wrote to memory of 5116  2344  e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe  cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2344
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      PID: 5116
C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4152
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 1220
Network
MITRE ATT&CK Matrix
Downloads
C:\Windows\Hacker.com.cn.exe
  Filesize: 743KB
  MD5: 38686fc6e8e7f3585b0e09f1f8f0d962
  SHA1: 9de250d07359479fa6a212f684b79d8334433a16
  SHA256: e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560
  SHA512: 4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb
C:\Windows\uninstal.bat
  Filesize: 254B
  MD5: 862f328ef566af04eff4ec3441d2e0e3
  SHA1: 20450422b736126b92df983d4320713265cccac7
  SHA256: 26e7febb1c7e4e95a3a39d76f84e2baca41146715257ef3773c87e87e8021613
  SHA512: b4d13ef06b11976e11da517599acd63e9cc9ce69f243c7de88e4446a5f612042930235087bec919bf9dd51c68d6a1c1c8bfd55a04fa3d32c7101025bddd244ad
memory/5116-134-0x0000000000000000-mapping.dmp