e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560

Analysis

max time kernel
144s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:40

Target

e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
Size

743KB
MD5

38686fc6e8e7f3585b0e09f1f8f0d962
SHA1

9de250d07359479fa6a212f684b79d8334433a16
SHA256

e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560
SHA512

4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb
SSDEEP

12288:ERyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnDzt:oStU4gf2EW5A2DJr/kS4vGIk6v3HX

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

Hacker.com.cn.exe

pid process

4152 Hacker.com.cn.exe

pid	process
4152	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

Processes:

e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe

description	ioc	process
File created	C:\Windows\Hacker.com.cn.exe	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
File created	C:\Windows\uninstal.bat	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

Hacker.com.cn.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Hacker.com.cn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exeHacker.com.cn.exe

description	pid	process
Token: SeDebugPrivilege	2344	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe
Token: SeDebugPrivilege	4152	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Hacker.com.cn.exe

pid process

4152 Hacker.com.cn.exe

pid	process
4152	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Hacker.com.cn.exee78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe

description	pid	process	target process
PID 4152 wrote to memory of 1220	4152	Hacker.com.cn.exe	IEXPLORE.EXE
PID 4152 wrote to memory of 1220	4152	Hacker.com.cn.exe	IEXPLORE.EXE
PID 2344 wrote to memory of 5116	2344	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe	cmd.exe
PID 2344 wrote to memory of 5116	2344	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe	cmd.exe
PID 2344 wrote to memory of 5116	2344	e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
2⤵
PID:5116

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:1220

C:\Windows\Hacker.com.cn.exe
Filesize
743KB

MD5
38686fc6e8e7f3585b0e09f1f8f0d962

SHA1
9de250d07359479fa6a212f684b79d8334433a16

SHA256
e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560

SHA512
4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb

Download Submit
C:\Windows\Hacker.com.cn.exe
Filesize
743KB

MD5
38686fc6e8e7f3585b0e09f1f8f0d962

SHA1
9de250d07359479fa6a212f684b79d8334433a16

SHA256
e78b4163aa70e30b2c6af6794f5011b937409737a06e82d3dee94c63f41c5560

SHA512
4b69033d669018a9190da0c96a8b2b97aadcc946fe81191cc4a8349fbf537b7a4902c1e17f2c69c9d18398945225f3e3b9cb6af2af26aff95089caf7f37346eb

Download Submit
C:\Windows\uninstal.bat
Filesize
254B

MD5
862f328ef566af04eff4ec3441d2e0e3

SHA1
20450422b736126b92df983d4320713265cccac7

SHA256
26e7febb1c7e4e95a3a39d76f84e2baca41146715257ef3773c87e87e8021613

SHA512
b4d13ef06b11976e11da517599acd63e9cc9ce69f243c7de88e4446a5f612042930235087bec919bf9dd51c68d6a1c1c8bfd55a04fa3d32c7101025bddd244ad

Download Submit
memory/5116-134-0x0000000000000000-mapping.dmp

Download