76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d

Analysis

max time kernel
97s
max time network
123s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d.exe
Size

276KB
MD5

88c53bf1bd3bfc900ce77df14b7b15eb
SHA1

418ed06132429bc13b18cf9ad2ac4c38065a7a28
SHA256

76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d
SHA512

0b6aaf3aef8b45a32a618a9f74d7105fd4056a0161abd51c20969fe662957a266da7331c8446f38b2cbe505b406dccc8ba46245da4f3abb4c9549e18e2eb13a5
SSDEEP

6144:2V0/Sd+f24uKmQCfcRHkn2Bxd07hWKcdKJQD/K91tetU4o:Q1bKmfcREn2TS7kdKOD/KAK4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	Hacker.com.cn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d.exe
Token: SeDebugPrivilege	1924	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1924	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1600	1924	Hacker.com.cn.exe	28
PID 1924 wrote to memory of 1600	1924	Hacker.com.cn.exe	28
PID 1924 wrote to memory of 1600	1924	Hacker.com.cn.exe	28
PID 1924 wrote to memory of 1600	1924	Hacker.com.cn.exe	28

C:\Users\Admin\AppData\Local\Temp\76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d.exe
"C:\Users\Admin\AppData\Local\Temp\76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
276KB

MD5
88c53bf1bd3bfc900ce77df14b7b15eb

SHA1
418ed06132429bc13b18cf9ad2ac4c38065a7a28

SHA256
76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d

SHA512
0b6aaf3aef8b45a32a618a9f74d7105fd4056a0161abd51c20969fe662957a266da7331c8446f38b2cbe505b406dccc8ba46245da4f3abb4c9549e18e2eb13a5

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
276KB

MD5
88c53bf1bd3bfc900ce77df14b7b15eb

SHA1
418ed06132429bc13b18cf9ad2ac4c38065a7a28

SHA256
76e70878519012fea7a1c80425cdbbc65f2f1b16c2a0fbb796a0330ec8f1b74d

SHA512
0b6aaf3aef8b45a32a618a9f74d7105fd4056a0161abd51c20969fe662957a266da7331c8446f38b2cbe505b406dccc8ba46245da4f3abb4c9549e18e2eb13a5

Download Submit
memory/1924-61-0x0000000000400000-0x000000000050A200-memory.dmp

Filesize
1.0MB

Download
memory/1924-62-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1924-65-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1924-64-0x0000000000400000-0x000000000050A200-memory.dmp

Filesize
1.0MB

Download
memory/2028-54-0x0000000000400000-0x000000000050A200-memory.dmp

Filesize
1.0MB

Download
memory/2028-55-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/2028-56-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/2028-57-0x0000000000400000-0x000000000050A200-memory.dmp

Filesize
1.0MB

Download
memory/2028-63-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download