Analysis
-
max time kernel
117s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29/11/2022, 13:55
Static task
static1
Behavioral task
behavioral1
Sample
c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
Resource
win10v2004-20220901-en
General
-
Target
c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
-
Size
390KB
-
MD5
9638be64b1676650ecd07a1a453526b0
-
SHA1
b93e4cd7f250fedc2664f5f2de92082bb336442c
-
SHA256
c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef
-
SHA512
33c73505ce6b6a2bffa7ff5b0a0d3f52e906aafdafb8862918e1811dbbef08ce82d820693f9d0e5cef33be5cb302df6d5912413c560d5759668b13de694d236b
-
SSDEEP
6144:rBnLw5b+BGL/eTNQoiN72QNiGfJCocMXAcMlpPT3c2e3r4tvjbv8C2Fhn9qJcKd:F6aQLWNQ2qhCbxcY7s2e74tHMFdAJZd
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
3404  sxeC625.tmp
4208  Hacker.com.cn.exe
-
Loads dropped DLL 2 IoCs
pid  Process
632  c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
632  c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
-
Drops file in Windows directory 3 IoCs
description                   ioc                           Process
File created                  C:\Windows\Hacker.com.cn.exe  sxeC625.tmp
File opened for modification  C:\Windows\Hacker.com.cn.exe  sxeC625.tmp
File created                  C:\Windows\uninstal.bat       sxeC625.tmp
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3584  632         WerFault.exe  81
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  3404  sxeC625.tmp
Token: SeDebugPrivilege  4208  Hacker.com.cn.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
4208  Hacker.com.cn.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process                                                                   procid_target
PID 632 wrote to memory of 3404   632   c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe  82
PID 632 wrote to memory of 3404   632   c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe  82
PID 632 wrote to memory of 3404   632   c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe  82
PID 4208 wrote to memory of 1520  4208  Hacker.com.cn.exe                                                         84
PID 4208 wrote to memory of 1520  4208  Hacker.com.cn.exe                                                         84
PID 3404 wrote to memory of 1812  3404  sxeC625.tmp                                                               85
PID 3404 wrote to memory of 1812  3404  sxeC625.tmp                                                               85
PID 3404 wrote to memory of 1812  3404  sxeC625.tmp                                                               85
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe"
(depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\sxeC625.tmp
Command line: "\sxeC625.tmp"
(depth 2)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
(depth 3)
PID:1812
-
-
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 284
(depth 2)
- Program crash
PID:3584
-
-
C:\Windows\Hacker.com.cn.exe
Command line: C:\Windows\Hacker.com.cn.exe
(depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
(depth 2)
PID:1520
-
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 632 -ip 632
(depth 1)
PID:3992
Network
MITRE ATT&CK Matrix
Downloads