Overview

overview

8

Static

static

3ce3900047...94.exe

windows7-x64

8

3ce3900047...94.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe

  • Size

    864KB

  • MD5

    531b780df04c2c67b3862b0720eb7280

  • SHA1

    ae1a521b5e0da934d3dfc792ac7e33df5c1029c5

  • SHA256

    3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794

  • SHA512

    7f954c15141a64301587b831151f032482cca730c4105ec4a9134473836f870a99367be169fd04f3d5630c6aa66c70dc7bfaddfd9775db7e5cfe2f243fc2a94e

  • SSDEEP

    24576:L1rM1vWq0u222tNqz/QmXt+ZlVP30mfWAgjLwK:LdCvFl2tgYmcVrbK

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe
    "C:\Users\Admin\AppData\Local\Temp\3ce3900047a740b4d021bed18d244d7a290568e32e160acb9476ff5254ef5794.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:1480
    • C:\Windows\Hacker.com.cn.ini
      C:\Windows\Hacker.com.cn.ini
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        2⤵
          PID:1976

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
        Filesize

        786KB

        MD5

        bdf3d3f96904b927292e9a6b39d3b2e5

        SHA1

        71b9a605cf243955f468960258e385497ccb98d9

        SHA256

        7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e

        SHA512

        71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
        Filesize

        786KB

        MD5

        bdf3d3f96904b927292e9a6b39d3b2e5

        SHA1

        71b9a605cf243955f468960258e385497ccb98d9

        SHA256

        7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e

        SHA512

        71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514

        Download Submit

      • C:\Windows\Hacker.com.cn.ini
        Filesize

        786KB

        MD5

        bdf3d3f96904b927292e9a6b39d3b2e5

        SHA1

        71b9a605cf243955f468960258e385497ccb98d9

        SHA256

        7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e

        SHA512

        71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514

        Download Submit

      • C:\Windows\Hacker.com.cn.ini
        Filesize

        786KB

        MD5

        bdf3d3f96904b927292e9a6b39d3b2e5

        SHA1

        71b9a605cf243955f468960258e385497ccb98d9

        SHA256

        7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e

        SHA512

        71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514

        Download Submit

      • C:\Windows\uninstal.bat
        Filesize

        150B

        MD5

        5edd682a8b1f2bf873300774f954ab03

        SHA1

        2cca4e743d02dbccf31b784ea26a60c03dcc9637

        SHA256

        a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

        SHA512

        916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
        Filesize

        786KB

        MD5

        bdf3d3f96904b927292e9a6b39d3b2e5

        SHA1

        71b9a605cf243955f468960258e385497ccb98d9

        SHA256

        7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e

        SHA512

        71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
        Filesize

        786KB

        MD5

        bdf3d3f96904b927292e9a6b39d3b2e5

        SHA1

        71b9a605cf243955f468960258e385497ccb98d9

        SHA256

        7eda64f85575c1f6a4f251689e6ebe30ffe1ad3c098b8220a3b6a70c022e914e

        SHA512

        71aa8a3aa640afa5154738d7d42357e1c532c258fd00a7e9f8d0663528e99c4fa44100dd521c2d1997131a5cfd8d36c4c3ae8b951c9b81b365500ef66e37e514

        Download Submit

      • memory/780-56-0x00000000002B0000-0x0000000000304000-memory.dmp

        Filesize

        336KB

        Download

      • memory/780-54-0x0000000001000000-0x0000000001113000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/780-66-0x0000000001000000-0x0000000001113000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1480-65-0x0000000000000000-mapping.dmp

        Download

      • memory/1920-60-0x0000000076121000-0x0000000076123000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1920-58-0x0000000000000000-mapping.dmp

        Download