9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16

General

Target

9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe
Size

1.2MB
MD5

11b084f40cde217ccfba12740e196b82
SHA1

e8c35d9f0b5cec779d1ca04171c440d4dcf0a89f
SHA256

9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16
SHA512

68849762ee2a64c5798c8858e304700ed619c647011a1c6a2ed0763abed652b2ae69b34a48f0ebab863bccc07fb29ce20d738d852a6e55cd65fa1bc1fb24443d
SSDEEP

24576:shufXBD6QmXyVTzrMu042Hkuk9z9tlgX00rl7NkJUlkFhUYmb2EnB05sBe:shufXBXmi1MTHUxtyeJUlknuhB0d

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	temp.exe
1528	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1600	9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe
1600	9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	temp.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	temp.exe
File created	C:\Windows\uninstal.bat	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	temp.exe
Token: SeDebugPrivilege	1528	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1528	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1744	1600	9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe	27
PID 1600 wrote to memory of 1744	1600	9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe	27
PID 1600 wrote to memory of 1744	1600	9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe	27
PID 1600 wrote to memory of 1744	1600	9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe	27
PID 1744 wrote to memory of 240	1744	temp.exe	29
PID 1744 wrote to memory of 240	1744	temp.exe	29
PID 1744 wrote to memory of 240	1744	temp.exe	29
PID 1744 wrote to memory of 240	1744	temp.exe	29
PID 1744 wrote to memory of 240	1744	temp.exe	29
PID 1744 wrote to memory of 240	1744	temp.exe	29
PID 1744 wrote to memory of 240	1744	temp.exe	29

C:\Users\Admin\AppData\Local\Temp\9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe
"C:\Users\Admin\AppData\Local\Temp\9cf97b9419d0d8c4748bc4725aabde4d52bd3dcad129c6b0d9d3c71119a1af16.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:240

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
799KB

MD5
aa245e648f6a64e3081a7eb4ebbf0ef5

SHA1
d57a72db02af376e354b42d5186cb77b24d8c5e1

SHA256
affdf9cfa189fa9a0b24edaeaa45c5d8dc0445c0da12e3b8d361b50e5cd1d1c6

SHA512
1649833f511349aba1dbbd15697f6f707cf7b3c37603b7284af6e47f9a1e27cca04469690ce47447d4e48780d3821a73049102e810495e664f811cf3b2dc8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
799KB

MD5
aa245e648f6a64e3081a7eb4ebbf0ef5

SHA1
d57a72db02af376e354b42d5186cb77b24d8c5e1

SHA256
affdf9cfa189fa9a0b24edaeaa45c5d8dc0445c0da12e3b8d361b50e5cd1d1c6

SHA512
1649833f511349aba1dbbd15697f6f707cf7b3c37603b7284af6e47f9a1e27cca04469690ce47447d4e48780d3821a73049102e810495e664f811cf3b2dc8e0c

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
799KB

MD5
aa245e648f6a64e3081a7eb4ebbf0ef5

SHA1
d57a72db02af376e354b42d5186cb77b24d8c5e1

SHA256
affdf9cfa189fa9a0b24edaeaa45c5d8dc0445c0da12e3b8d361b50e5cd1d1c6

SHA512
1649833f511349aba1dbbd15697f6f707cf7b3c37603b7284af6e47f9a1e27cca04469690ce47447d4e48780d3821a73049102e810495e664f811cf3b2dc8e0c

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
799KB

MD5
aa245e648f6a64e3081a7eb4ebbf0ef5

SHA1
d57a72db02af376e354b42d5186cb77b24d8c5e1

SHA256
affdf9cfa189fa9a0b24edaeaa45c5d8dc0445c0da12e3b8d361b50e5cd1d1c6

SHA512
1649833f511349aba1dbbd15697f6f707cf7b3c37603b7284af6e47f9a1e27cca04469690ce47447d4e48780d3821a73049102e810495e664f811cf3b2dc8e0c

Download Submit
C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
799KB

MD5
aa245e648f6a64e3081a7eb4ebbf0ef5

SHA1
d57a72db02af376e354b42d5186cb77b24d8c5e1

SHA256
affdf9cfa189fa9a0b24edaeaa45c5d8dc0445c0da12e3b8d361b50e5cd1d1c6

SHA512
1649833f511349aba1dbbd15697f6f707cf7b3c37603b7284af6e47f9a1e27cca04469690ce47447d4e48780d3821a73049102e810495e664f811cf3b2dc8e0c

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
799KB

MD5
aa245e648f6a64e3081a7eb4ebbf0ef5

SHA1
d57a72db02af376e354b42d5186cb77b24d8c5e1

SHA256
affdf9cfa189fa9a0b24edaeaa45c5d8dc0445c0da12e3b8d361b50e5cd1d1c6

SHA512
1649833f511349aba1dbbd15697f6f707cf7b3c37603b7284af6e47f9a1e27cca04469690ce47447d4e48780d3821a73049102e810495e664f811cf3b2dc8e0c

Download Submit
memory/1600-57-0x0000000003110000-0x0000000003114000-memory.dmp

Filesize
16KB

Download
memory/1600-63-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1600-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1600-56-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/1600-55-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing