8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec

Analysis

max time kernel
142s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:56

Target

8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe
Size

743KB
MD5

a8a7ea867d8b3c4ffed8a86a9b0fa42c
SHA1

4124426cf2b083435843ece1573af129cd70bf48
SHA256

8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec
SHA512

c111393c65ed741010264e61b56d80f6cfde45bce19ceefe79a33e3f4e1055093a96cd7d25454f9a25abd3a353b553d7565c218410565292110fed17d53c7591
SSDEEP

12288:kRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnPzvT:IStU4gf2EW5A2DJr/kS4vGIk6v3Hb7

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
764	Hacker.com.cn.exe

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe
File created	C:\Windows\uninstal.bat	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe
Token: SeDebugPrivilege	764	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
764	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1684	764	Hacker.com.cn.exe	28
PID 764 wrote to memory of 1684	764	Hacker.com.cn.exe	28
PID 764 wrote to memory of 1684	764	Hacker.com.cn.exe	28
PID 764 wrote to memory of 1684	764	Hacker.com.cn.exe	28
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29
PID 856 wrote to memory of 1908	856	8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe	29

C:\Users\Admin\AppData\Local\Temp\8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe
"C:\Users\Admin\AppData\Local\Temp\8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1908

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1684

C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
a8a7ea867d8b3c4ffed8a86a9b0fa42c

SHA1
4124426cf2b083435843ece1573af129cd70bf48

SHA256
8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec

SHA512
c111393c65ed741010264e61b56d80f6cfde45bce19ceefe79a33e3f4e1055093a96cd7d25454f9a25abd3a353b553d7565c218410565292110fed17d53c7591

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
a8a7ea867d8b3c4ffed8a86a9b0fa42c

SHA1
4124426cf2b083435843ece1573af129cd70bf48

SHA256
8f2b09ed60c03a1cab3b05f518dd190bce2480a5c9026ff4e085cd8fe2acc7ec

SHA512
c111393c65ed741010264e61b56d80f6cfde45bce19ceefe79a33e3f4e1055093a96cd7d25454f9a25abd3a353b553d7565c218410565292110fed17d53c7591

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
8658f28481a0e663c7ee6a57fd31d615

SHA1
93b2ccca13e89850b690acedc6dd77a39c8eb913

SHA256
41ef9a78e2624cfa493485631413eb2080542e9a2c77950868a3c41003d0ec75

SHA512
9845395d193dc164a0d2fc23227c5e2aa8c6b5d1a18c58bdf1467d374d415b20f95b99200b5c7ca7c229800ec9236275727ad736bf9cb5feccc49b9a8362bde0

Download Submit
memory/856-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download