36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968

Analysis

max time kernel
146s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe
Size

588KB
MD5

525af99b50cf1b617eeab18abcd6b720
SHA1

b0c1fede01bbea0bda136203f4d1737d62fbf383
SHA256

36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968
SHA512

1c686b5f6ffa49ffbc579eb1b91adc9b13a5dc3e4980f15c3877d9757d1652c2d67518342180fa11984d9231e02f65e5baa63526c34bc55bbf73fc7651f3b6dc
SSDEEP

12288:qXlDsbimsmiX16OqQEsR+stI7/K0SqwUozFk00HwR:qqbvC6OqQEsR0uUoBwwR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Hacker.com.cn.ini

pid process

2032 Hacker.com.cn.ini

pid	process
2032	Hacker.com.cn.ini

Drops file in System32 directory 3 IoCs

Processes:

36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exeHacker.com.cn.ini

description	ioc	process
File created	C:\Windows\SysWOW64\Hacker.com.cn.ini	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe
File opened for modification	C:\Windows\SysWOW64\Hacker.com.cn.ini	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe
File opened for modification	C:\Windows\SysWOW64\Hacker.com.cn.ini	Hacker.com.cn.ini

Drops file in Windows directory 1 IoCs

Processes:

36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe

description ioc process

File created C:\Windows\uninstal.bat 36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe

description	ioc	process
File created	C:\Windows\uninstal.bat	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exeHacker.com.cn.ini

description	pid	process
Token: SeDebugPrivilege	3548	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe
Token: SeDebugPrivilege	2032	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe

description	pid	process	target process
PID 3548 wrote to memory of 4280	3548	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe	cmd.exe
PID 3548 wrote to memory of 4280	3548	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe	cmd.exe
PID 3548 wrote to memory of 4280	3548	36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe
"C:\Users\Admin\AppData\Local\Temp\36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
2⤵
PID:4280

C:\Windows\SysWOW64\Hacker.com.cn.ini
C:\Windows\SysWOW64\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hacker.com.cn.ini

Filesize
588KB

MD5
525af99b50cf1b617eeab18abcd6b720

SHA1
b0c1fede01bbea0bda136203f4d1737d62fbf383

SHA256
36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968

SHA512
1c686b5f6ffa49ffbc579eb1b91adc9b13a5dc3e4980f15c3877d9757d1652c2d67518342180fa11984d9231e02f65e5baa63526c34bc55bbf73fc7651f3b6dc

Download Submit
C:\Windows\SysWOW64\Hacker.com.cn.ini

Filesize
588KB

MD5
525af99b50cf1b617eeab18abcd6b720

SHA1
b0c1fede01bbea0bda136203f4d1737d62fbf383

SHA256
36dfb40c63c015c950e7544cadcde7ad20df705ca74a89d858badc0364f6a968

SHA512
1c686b5f6ffa49ffbc579eb1b91adc9b13a5dc3e4980f15c3877d9757d1652c2d67518342180fa11984d9231e02f65e5baa63526c34bc55bbf73fc7651f3b6dc

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
1735b1ef6ed3f3713e5b14bb237e3654

SHA1
5399cd5d942d0612cf49aad182d62cb37ee15aa0

SHA256
f00b5ba0136e14ace2e111163672882280a2bf0118daa86c75335e5fe964b388

SHA512
59cee4d81dc8a540e2cd6173503d6ba11b5ac8356b5efe689d09189853948fa9c9ab83a86f4e4c5f97d5f72e826ccb33414444e333d3dc9e19db13d58751fd3e

Download Submit
memory/2032-136-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2032-137-0x0000000000AB0000-0x0000000000B04000-memory.dmp

Filesize
336KB

Download
memory/2032-139-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3548-132-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3548-133-0x0000000000AA0000-0x0000000000AF4000-memory.dmp

Filesize
336KB

Download
memory/3548-138-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4280-140-0x0000000000000000-mapping.dmp

Download