85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a

General

Target

85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
Size

292KB
MD5

7d28a193f98076e664e867465f8e3036
SHA1

436149160a074611e1a37e575e36cc0e73a6ad10
SHA256

85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a
SHA512

924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb
SSDEEP

6144:qDxBj6B6kQu1WTminflPN80PxpkJP9sF2GtxvEvCOw5bImJIU:r6k+Tmin80PPesFFxMv2BImGU

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1200	Hacker.com.cn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1768-55-0x0000000000400000-0x000000000051401B-memory.dmp	upx
behavioral1/files/0x000b00000001231c-56.dat	upx
behavioral1/files/0x000b00000001231c-59.dat	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral1/memory/1768-55-0x0000000000400000-0x000000000051401B-memory.dmp	vmprotect
behavioral1/files/0x000b00000001231c-56.dat	vmprotect
behavioral1/files/0x000b00000001231c-59.dat	vmprotect

Deletes itself 1 IoCs

pid	Process
1668	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
Token: SeDebugPrivilege	1200	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1200	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1812	1200	Hacker.com.cn.exe	28
PID 1200 wrote to memory of 1812	1200	Hacker.com.cn.exe	28
PID 1200 wrote to memory of 1812	1200	Hacker.com.cn.exe	28
PID 1200 wrote to memory of 1812	1200	Hacker.com.cn.exe	28
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29
PID 1768 wrote to memory of 1668	1768	85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe	29

C:\Users\Admin\AppData\Local\Temp\85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
"C:\Users\Admin\AppData\Local\Temp\85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1668

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
"C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1812

C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

Filesize
292KB

MD5
7d28a193f98076e664e867465f8e3036

SHA1
436149160a074611e1a37e575e36cc0e73a6ad10

SHA256
85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a

SHA512
924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb

Download Submit
C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe

Filesize
292KB

MD5
7d28a193f98076e664e867465f8e3036

SHA1
436149160a074611e1a37e575e36cc0e73a6ad10

SHA256
85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a

SHA512
924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
ab4917dddcb1b2ff51aaea673379c6e0

SHA1
c82758e9d6439a4021d63406e9cb7b13dbe35fc8

SHA256
5a230b7d6c655c1c575e8adf38b3c0d19ee8afac1177a0f5a2e373a4d3956ee1

SHA512
9544ab85fd16e1ce4c09785e0863a6d2640707cde3c866ebdf71409c6132e9c367bc7e48e942f9c8c58e66cacc27698c3310928ee5321146f3c9794a3dd26d4c

Download Submit
memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-55-0x0000000000400000-0x000000000051401B-memory.dmp

Filesize
1.1MB

Download