b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb

Analysis

max time kernel
163s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe
Size

2.8MB
MD5

d7d890e44f0e0eef72f62c54544a5aff
SHA1

3afad1a3c8f09d99b425311ae458da04a01bcaa0
SHA256

b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb
SHA512

56bf9095523ad2d780376f30136df170c98173001d673b6c0e1fc09af8374f39cfcd3892c20d920246ce28581c1f9c56951eba0fb31056a94ce5eb90bd415549
SSDEEP

49152:POFOmAT1WwoVyv69rmJCXlU2mBN3h43Dp/wPH63qvod3:20mAxMVyvacCXlcBh431/t

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1484	server.exe
1820	Hacker.com.cn.exe

Loads dropped DLL 4 IoCs

pid	Process
1820	Hacker.com.cn.exe
1820	Hacker.com.cn.exe
1820	Hacker.com.cn.exe
1820	Hacker.com.cn.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\OJOSQF.DAT	server.exe
File created	C:\Windows\Hacker.com.cn.exe	server.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	server.exe
File created	C:\Windows\uninstal.bat	server.exe
File created	C:\Windows\PCKDQW.DAT	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	server.exe
Token: SeDebugPrivilege	1820	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1820	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4636	b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe
4636	b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe
1820	Hacker.com.cn.exe
1820	Hacker.com.cn.exe
1820	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1484	4636	b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe	79
PID 4636 wrote to memory of 1484	4636	b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe	79
PID 4636 wrote to memory of 1484	4636	b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe	79
PID 1820 wrote to memory of 900	1820	Hacker.com.cn.exe	81
PID 1820 wrote to memory of 900	1820	Hacker.com.cn.exe	81
PID 1484 wrote to memory of 5088	1484	server.exe	82
PID 1484 wrote to memory of 5088	1484	server.exe	82
PID 1484 wrote to memory of 5088	1484	server.exe	82

C:\Users\Admin\AppData\Local\Temp\b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe
"C:\Users\Admin\AppData\Local\Temp\b1c8d8ca59c0ae0dde43c3e5be46c7f5d3e03d03010a7b2e14d03c24d2b834fb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp\\server.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:5088

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
851KB

MD5
b343c614f6ebb0b3eeb135d2cdc78564

SHA1
ecf52bb17bf6a24a0b2d949e7995b7f623107904

SHA256
30eefb2093bab628c036f9d7aa810dded9f4caaa78e8aa526157b4f1b0810cc2

SHA512
7060cbd4e23048f27486b502308be84d0cc7d08c5852dcf466e3040d4fdbe3aba7852602994357fcfaa9eea4df37b8237ecd868d52d9194de56e6117c7223462

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
851KB

MD5
b343c614f6ebb0b3eeb135d2cdc78564

SHA1
ecf52bb17bf6a24a0b2d949e7995b7f623107904

SHA256
30eefb2093bab628c036f9d7aa810dded9f4caaa78e8aa526157b4f1b0810cc2

SHA512
7060cbd4e23048f27486b502308be84d0cc7d08c5852dcf466e3040d4fdbe3aba7852602994357fcfaa9eea4df37b8237ecd868d52d9194de56e6117c7223462

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
851KB

MD5
b343c614f6ebb0b3eeb135d2cdc78564

SHA1
ecf52bb17bf6a24a0b2d949e7995b7f623107904

SHA256
30eefb2093bab628c036f9d7aa810dded9f4caaa78e8aa526157b4f1b0810cc2

SHA512
7060cbd4e23048f27486b502308be84d0cc7d08c5852dcf466e3040d4fdbe3aba7852602994357fcfaa9eea4df37b8237ecd868d52d9194de56e6117c7223462

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
851KB

MD5
b343c614f6ebb0b3eeb135d2cdc78564

SHA1
ecf52bb17bf6a24a0b2d949e7995b7f623107904

SHA256
30eefb2093bab628c036f9d7aa810dded9f4caaa78e8aa526157b4f1b0810cc2

SHA512
7060cbd4e23048f27486b502308be84d0cc7d08c5852dcf466e3040d4fdbe3aba7852602994357fcfaa9eea4df37b8237ecd868d52d9194de56e6117c7223462

Download Submit
C:\Windows\OJOSQF.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\OJOSQF.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\OJOSQF.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\PCKDQW.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\PCKDQW.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\PCKDQW.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\uninstal.bat

Filesize
138B

MD5
2afcf6fedbe38845bb84ffe2efc82217

SHA1
be10293c9c767ebc128366fbf17001821259ad6d

SHA256
5eb4e389ec37d15aceacc5ad575137251bbdbb3643a95db0e9522aeb1c2c5f81

SHA512
e356bc096561e4afd9c3a3d7985fa640e1d748ca5b71e7aa6ee94f9e2a76d8a62934f514dd0efa3102846311b0724a8084fecbf9fe3deb08b1bdbf6c299187b4

Download Submit
memory/1820-140-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/1820-144-0x00000000017D0000-0x00000000017E3000-memory.dmp

Filesize
76KB

Download