98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10

Analysis

max time kernel
167s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe
Size

1.8MB
MD5

cd068948f91a40f5ad7d4b81d4d4c4b1
SHA1

bb2c1ea0be7524ea5d347d468f6e384470fdfd26
SHA256

98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10
SHA512

32a72b39c27b2162b3ca7bada231d51c07548e40cd519812a1fbf0c4936727acd927c6aff8b6a4f488b15a51226320b099f5c48f8f468b123df683141d051a47
SSDEEP

49152:AvOh43Dp/wPHfDosYsvD/DX+y4onCYDoD5:5h431/cosYsvD/D+donCYUV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2028	dawd.exe
1716	Server_Setup.exe
268	Hacker.com.cn.exe

Loads dropped DLL 8 IoCs

pid	Process
1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe
1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe
1112	cmd.exe
1360	cmd.exe
1112	cmd.exe
1716	Server_Setup.exe
1716	Server_Setup.exe
1716	Server_Setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	Server_Setup.exe
Token: SeDebugPrivilege	268	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe
2028	dawd.exe
2028	dawd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1360	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	28
PID 1012 wrote to memory of 1360	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	28
PID 1012 wrote to memory of 1360	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	28
PID 1012 wrote to memory of 1360	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	28
PID 1012 wrote to memory of 1112	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	29
PID 1012 wrote to memory of 1112	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	29
PID 1012 wrote to memory of 1112	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	29
PID 1012 wrote to memory of 1112	1012	98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe	29
PID 1112 wrote to memory of 2028	1112	cmd.exe	32
PID 1112 wrote to memory of 2028	1112	cmd.exe	32
PID 1112 wrote to memory of 2028	1112	cmd.exe	32
PID 1112 wrote to memory of 2028	1112	cmd.exe	32
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 1360 wrote to memory of 1716	1360	cmd.exe	33
PID 268 wrote to memory of 856	268	Hacker.com.cn.exe	35
PID 268 wrote to memory of 856	268	Hacker.com.cn.exe	35
PID 268 wrote to memory of 856	268	Hacker.com.cn.exe	35
PID 268 wrote to memory of 856	268	Hacker.com.cn.exe	35

C:\Users\Admin\AppData\Local\Temp\98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe
"C:\Users\Admin\AppData\Local\Temp\98c77372d6a72fad96c1023a8951d329dadd8846dc48c5a698940804c590ae10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\Server_Setup.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe
    C:\Users\Admin\AppData\Local\Temp\\Server_Setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\dawd.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\dawd.exe
    C:\Users\Admin\AppData\Local\Temp\\dawd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2028

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:268
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dawd.exe

Filesize
548KB

MD5
aa3a55627bf85980ff7a5ad6941d31b6

SHA1
1239b96dcfea11d1f6e6e1228836659ac0670e7e

SHA256
d9368ed71d565abcd14bd6c3fac5d4896d9b195d112cad9fbdd2c03793ca399a

SHA512
ab1c91c37164936b33349a615a9695d113f3fbe7ca198553c18ff4c7cd3c5f56b13c2693c36798df04ca6779bfd976fd47ca28c5a2ee588d3449f757b65b9b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\dawd.exe

Filesize
548KB

MD5
aa3a55627bf85980ff7a5ad6941d31b6

SHA1
1239b96dcfea11d1f6e6e1228836659ac0670e7e

SHA256
d9368ed71d565abcd14bd6c3fac5d4896d9b195d112cad9fbdd2c03793ca399a

SHA512
ab1c91c37164936b33349a615a9695d113f3fbe7ca198553c18ff4c7cd3c5f56b13c2693c36798df04ca6779bfd976fd47ca28c5a2ee588d3449f757b65b9b89

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
ac59419a32dd6d84311017253c4ea975

SHA1
10767f1277ee482670fafd5ed4d4468586c3e431

SHA256
9e2f369ae596090b7c8932ee564db3decb5187d6e8ff6bb1e2b9b33c37143ca6

SHA512
0e2031e1aebcfbb5f13fcbce649fc4ee2f7783ebddb941575fa4328e68c3c0a7c1d415c3bcbebda801da0b1618ca5b435a149fc1fe2905620879c68ecefd44ff

Download Submit
\Users\Admin\AppData\Local\Temp\dawd.exe

Filesize
548KB

MD5
aa3a55627bf85980ff7a5ad6941d31b6

SHA1
1239b96dcfea11d1f6e6e1228836659ac0670e7e

SHA256
d9368ed71d565abcd14bd6c3fac5d4896d9b195d112cad9fbdd2c03793ca399a

SHA512
ab1c91c37164936b33349a615a9695d113f3fbe7ca198553c18ff4c7cd3c5f56b13c2693c36798df04ca6779bfd976fd47ca28c5a2ee588d3449f757b65b9b89

Download Submit
\Users\Admin\AppData\Local\Temp\dawd.exe

Filesize
548KB

MD5
aa3a55627bf85980ff7a5ad6941d31b6

SHA1
1239b96dcfea11d1f6e6e1228836659ac0670e7e

SHA256
d9368ed71d565abcd14bd6c3fac5d4896d9b195d112cad9fbdd2c03793ca399a

SHA512
ab1c91c37164936b33349a615a9695d113f3fbe7ca198553c18ff4c7cd3c5f56b13c2693c36798df04ca6779bfd976fd47ca28c5a2ee588d3449f757b65b9b89

Download Submit
memory/1012-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1012-57-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1012-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download