Analysis

  • max time kernel
    117s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 13:55

General

  • Target

    c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe

  • Size

    390KB

  • MD5

    9638be64b1676650ecd07a1a453526b0

  • SHA1

    b93e4cd7f250fedc2664f5f2de92082bb336442c

  • SHA256

    c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef

  • SHA512

    33c73505ce6b6a2bffa7ff5b0a0d3f52e906aafdafb8862918e1811dbbef08ce82d820693f9d0e5cef33be5cb302df6d5912413c560d5759668b13de694d236b

  • SSDEEP

    6144:rBnLw5b+BGL/eTNQoiN72QNiGfJCocMXAcMlpPT3c2e3r4tvjbv8C2Fhn9qJcKd:F6aQLWNQ2qhCbxcY7s2e74tHMFdAJZd

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe
    "C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\sxeC625.tmp
      "\sxeC625.tmp"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        3⤵
        PID:1812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 284
      2⤵
      • Program crash
      PID:3584
  • C:\Windows\Hacker.com.cn.exe
    C:\Windows\Hacker.com.cn.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      2⤵
      PID:1520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 632 -ip 632
    1⤵
    PID:3992
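The process tree above, turned into a triage check over process-creation telemetry. This is an added example, not code from the sandbox or from the report: the SHA256 values and file paths are copied from this report, the event records are constructed to resemble Sysmon-style process-creation fields (PIDs 4000, 5000 and the parent of Hacker.com.cn.exe are invented), and the two behavioural patterns (a `.tmp` run from the drive root, `cmd.exe /c` on a `.bat` under C:\Windows) generalise the specific names seen here, which is an assumption about other builds rather than something the report states. The second pass propagates a hit down the tree so that the legitimate IEXPLORE.EXE started by Hacker.com.cn.exe is still reported.

```python
import re

SAMPLE_SHA256 = "c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef"

# SHA256 of each file under Downloads, copied from the report.
DROPPED_SHA256 = {
    "eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66":
        r"C:\Windows\Hacker.com.cn.exe / C:\sxeC625.tmp (743KB)",
    "b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76":
        r"C:\sxeC587.tmp (15KB)",
    "8a36608ed53f2a6d84306587f0317962a18b19e826e4640c923a5d5d486489ef":
        r"C:\Windows\uninstal.bat (78B)",
}

# Behavioural patterns read off the process tree, generalised from the exact
# names in the report (assumption: the random sxe*.tmp name varies per run).
ROOT_TMP_EXEC = re.compile(r"^[a-z]:\\[^\\]+\.tmp$", re.I)
CMD_WINDIR_BAT = re.compile(r'cmd\.exe\s+/c\s+"?([a-z]:\\windows\\[^\\\s"]+\.bat)', re.I)


def ancestor_pids(events, pid):
    """PIDs from the parent of `pid` up to the root, following ppid links."""
    chain, seen = [], {pid}
    pid = events[pid]["ppid"]
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = events[pid]["ppid"]
    return chain


def triage(event_list):
    """Map pid -> list of reasons for every process that matches an indicator
    directly or descends from a process that does."""
    events = {ev["pid"]: ev for ev in event_list}
    findings = {}
    # Pass 1: direct indicators (hash, image path, command line).
    for pid, ev in events.items():
        reasons = []
        sha = ev.get("sha256", "").lower()
        if sha == SAMPLE_SHA256:
            reasons.append("hash matches submitted sample")
        elif sha in DROPPED_SHA256:
            reasons.append("hash matches dropped file " + DROPPED_SHA256[sha])
        if ROOT_TMP_EXEC.match(ev["image"]):
            reasons.append(".tmp file executed from drive root")
        m = CMD_WINDIR_BAT.search(ev.get("cmdline", ""))
        if m:
            reasons.append("cmd.exe running batch file from Windows dir: " + m.group(1))
        if reasons:
            findings[pid] = reasons
    # Pass 2: taint children of directly flagged processes (nearest flagged ancestor).
    direct = set(findings)
    for pid in events:
        for anc in ancestor_pids(events, pid):
            if anc in direct:
                findings.setdefault(pid, []).append(f"descends from flagged process {anc}")
                break
    return findings


# Constructed telemetry mirroring the report's process tree.  PIDs 4000/5000
# and the ppid values 1 are invented; the report does not name those parents.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 632, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\c5ec20b30d980831daa007ff7d3c1c48e7095fac123b9256d86301168ff975ef.exe"',
     "sha256": SAMPLE_SHA256},
    {"pid": 3404, "ppid": 632, "image": r"C:\sxeC625.tmp", "cmdline": r'"\sxeC625.tmp"',
     "sha256": "eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66"},
    {"pid": 1812, "ppid": 3404, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat"},
    {"pid": 4208, "ppid": 1, "image": r"C:\Windows\Hacker.com.cn.exe",
     "cmdline": r"C:\Windows\Hacker.com.cn.exe",
     "sha256": "eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66"},
    {"pid": 1520, "ppid": 4208, "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, "|", "; ".join(reasons))
```

Run as a script it prints one line per flagged PID; the benign explorer.exe and the `cmd.exe /c dir` control (PIDs 4000 and 5000) are not reported, which is the check that the batch-file pattern is narrower than "any cmd.exe /c".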

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\Hacker.com.cn.exe

    Filesize

    743KB

    MD5

    6fdd95bf298723f3838dde39d122c89b

    SHA1

    ca1380c6cb9a960cb50972d482cf751216c0c7c3

    SHA256

    eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

    SHA512

    2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

  • C:\Windows\uninstal.bat

    Filesize

    78B

    MD5

    aa140c0adc26149d42bae2cdf2b15330

    SHA1

    5c44a0d2cae6edef91a1602b1db40ea0cbb77f2f

    SHA256

    8a36608ed53f2a6d84306587f0317962a18b19e826e4640c923a5d5d486489ef

    SHA512

    ab43e337e6c856a2df0675f52914567a16b13718b6765d6bb5d8002120652d384e6d880f912f0a9bccb7f13ee85a62733ccb9eb25510f0166ed67efa4d21ee19

  • C:\sxeC587.tmp

    Filesize

    15KB

    MD5

    bd815b61f9948f93aface4033fbb4423

    SHA1

    b5391484009b39053fc8b1bba63d444969bafcfa

    SHA256

    b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

    SHA512

    a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

  • C:\sxeC625.tmp

    Filesize

    743KB

    MD5

    6fdd95bf298723f3838dde39d122c89b

    SHA1

    ca1380c6cb9a960cb50972d482cf751216c0c7c3

    SHA256

    eda7251543d693812569cc7b7f27dd00f9bcde3b4b768c78aa1603ef0e4bbe66

    SHA512

    2e2fc86585f841151d76f3b288a3889bdf096cd01cc3b6496998136faedb69727ad2fce01b3e93680903911b0d5355081ed20765e21b28f2f03df0cc511e0f0f

  • memory/632-134-0x0000000000781000-0x0000000000783000-memory.dmp

    Filesize

    8KB