c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef

General

Target

c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
Size

390KB
MD5

9638be64b1676650ecd07a1a453526b0
SHA1

b93e4cd7f250fedc2664f5f2de92082bb336442c
SHA256

c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef
SHA512

33c73505ce6b6a2bffa7ff5b0a0d3f52e906aafdafb8862918e1811dbbef08ce82d820693f9d0e5cef33be5cb302df6d5912413c560d5759668b13de694d236b
SSDEEP

6144:rBnLw5b+BGL/eTNQoiN72QNiGfJCocMXAcMlpPT3c2e3r4tvjbv8C2Fhn9qJcKd:F6aQLWNQ2qhCbxcY7s2e74tHMFdAJZd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2044	sxeDF0C.tmp
1992	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	sxeDF0C.tmp
File opened for modification	C:\Windows\Hacker.com.cn.exe	sxeDF0C.tmp
File created	C:\Windows\uninstal.bat	sxeDF0C.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	sxeDF0C.tmp
Token: SeDebugPrivilege	1992	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1152 wrote to memory of 2044	1152	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	27
PID 1992 wrote to memory of 1980	1992	Hacker.com.cn.exe	29
PID 1992 wrote to memory of 1980	1992	Hacker.com.cn.exe	29
PID 1992 wrote to memory of 1980	1992	Hacker.com.cn.exe	29
PID 1992 wrote to memory of 1980	1992	Hacker.com.cn.exe	29
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30
PID 2044 wrote to memory of 1972	2044	sxeDF0C.tmp	30

C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
"C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\sxeDF0C.tmp
  "\sxeDF0C.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1972

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
C:\Windows\uninstal.bat

Filesize
78B

MD5
62ec0bbbf3cf098aa92b02c9e4e76ad6

SHA1
2154327db254cdd4597cc23425e9aea9c196d5a7

SHA256
f08c99f8ba7d61b638f03460d242789fc43a32c4e26d790a5d5bdc063e0dd694

SHA512
8af4f28744ecf7a7b076f53a46fb9a51b76de0985f2163726a47a1f696dda94b35145edc03ee8fe39fd49b919b7a41d39281d134e65bcd6a7dbd067e928b1398

Download Submit
C:\sxeDF0C.tmp

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
C:\sxeDF0C.tmp

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
memory/1152-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing