c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef

General

Target

c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
Size

390KB
MD5

9638be64b1676650ecd07a1a453526b0
SHA1

b93e4cd7f250fedc2664f5f2de92082bb336442c
SHA256

c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef
SHA512

33c73505ce6b6a2bffa7ff5b0a0d3f52e906aafdafb8862918e1811dbbef08ce82d820693f9d0e5cef33be5cb302df6d5912413c560d5759668b13de694d236b
SSDEEP

6144:rBnLw5b+BGL/eTNQoiN72QNiGfJCocMXAcMlpPT3c2e3r4tvjbv8C2Fhn9qJcKd:F6aQLWNQ2qhCbxcY7s2e74tHMFdAJZd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3404	sxeC625.tmp
4208	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
632	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
632	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	sxeC625.tmp
File opened for modification	C:\Windows\Hacker.com.cn.exe	sxeC625.tmp
File created	C:\Windows\uninstal.bat	sxeC625.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3584	632	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	sxeC625.tmp
Token: SeDebugPrivilege	4208	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4208	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3404	632	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	82
PID 632 wrote to memory of 3404	632	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	82
PID 632 wrote to memory of 3404	632	c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe	82
PID 4208 wrote to memory of 1520	4208	Hacker.com.cn.exe	84
PID 4208 wrote to memory of 1520	4208	Hacker.com.cn.exe	84
PID 3404 wrote to memory of 1812	3404	sxeC625.tmp	85
PID 3404 wrote to memory of 1812	3404	sxeC625.tmp	85
PID 3404 wrote to memory of 1812	3404	sxeC625.tmp	85

C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
"C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632
- C:\sxeC625.tmp
  "\sxeC625.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:1812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 284
  2⤵
  - Program crash
  PID:3584

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 632 -ip 632
1⤵
PID:3992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
C:\Windows\uninstal.bat

Filesize
78B

MD5
aa140c0adc26149d42bae2cdf2b15330

SHA1
5c44a0d2cae6edef91a1602b1db40ea0cbb77f2f

SHA256
8a36608ed53f2a6d84306587f0317962a18b19e826e4640c923a5d5d486489ef

SHA512
ab43e337e6c856a2df0675f52914567a16b13718b6765d6bb5d8002120652d384e6d880f912f0a9bccb7f13ee85a62733ccb9eb25510f0166ed67efa4d21ee19

Download Submit
C:\sxeC587.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
C:\sxeC587.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
C:\sxeC625.tmp

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
C:\sxeC625.tmp

Filesize
743KB

MD5
6fdd95bf298723f3838dde39d122c89b

SHA1
ca1380c6cb9a960cb50972d482cf751216c0c7c3

SHA256
eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

SHA512
2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

Download Submit
memory/632-134-0x0000000000781000-0x0000000000783000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing