b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7

Analysis

max time kernel
135s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
Size

973KB
MD5

810aa38b415151df6957b45b1d83eb4a
SHA1

00693ea70847791d64a42baf639644cdd4aff421
SHA256

b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7
SHA512

59fcd3e9fd89bf1eaf29736a74151a995aa79406ccf910966635a8ef1611b2bf65e7035cfc4b872f382084d200e02143b79e67c70299a21dff6cd4d75b240fac
SSDEEP

24576:xStU4gf2EW5A2DJr/kS4vGIk6v3HYvol3FM6:xh43Dp/wPHYvol3K6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	Hacker.com.cn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mchInjDrv\ImagePath = "\\??\\C:\\Windows\\TEMP\\mc27927.tmp"	Hacker.com.cn.exe

Deletes itself 1 IoCs

pid	Process
1208	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\uninstal.bat	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\YBQXAN.DAT	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\AVMVTJ.DAT	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\JYENSA.DAT	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
860	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
Token: SeDebugPrivilege	860	Hacker.com.cn.exe
Token: SeAssignPrimaryTokenPrivilege	860	Hacker.com.cn.exe
Token: SeIncreaseQuotaPrivilege	860	Hacker.com.cn.exe
Token: SeSecurityPrivilege	860	Hacker.com.cn.exe
Token: SeTakeOwnershipPrivilege	860	Hacker.com.cn.exe
Token: SeLoadDriverPrivilege	860	Hacker.com.cn.exe
Token: SeSystemtimePrivilege	860	Hacker.com.cn.exe
Token: SeShutdownPrivilege	860	Hacker.com.cn.exe
Token: SeSystemEnvironmentPrivilege	860	Hacker.com.cn.exe
Token: SeUndockPrivilege	860	Hacker.com.cn.exe
Token: SeManageVolumePrivilege	860	Hacker.com.cn.exe
Token: SeDebugPrivilege	860	Hacker.com.cn.exe
Token: SeIncreaseQuotaPrivilege	1208	cmd.exe
Token: SeSecurityPrivilege	1208	cmd.exe
Token: SeTakeOwnershipPrivilege	1208	cmd.exe
Token: SeLoadDriverPrivilege	1208	cmd.exe
Token: SeSystemProfilePrivilege	1208	cmd.exe
Token: SeSystemtimePrivilege	1208	cmd.exe
Token: SeProfSingleProcessPrivilege	1208	cmd.exe
Token: SeIncBasePriorityPrivilege	1208	cmd.exe
Token: SeCreatePagefilePrivilege	1208	cmd.exe
Token: SeShutdownPrivilege	1208	cmd.exe
Token: SeDebugPrivilege	1208	cmd.exe
Token: SeSystemEnvironmentPrivilege	1208	cmd.exe
Token: SeRemoteShutdownPrivilege	1208	cmd.exe
Token: SeUndockPrivilege	1208	cmd.exe
Token: SeManageVolumePrivilege	1208	cmd.exe
Token: 33	1208	cmd.exe
Token: 34	1208	cmd.exe
Token: 35	1208	cmd.exe
Token: SeDebugPrivilege	1208	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
860	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe
860	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1140	860	Hacker.com.cn.exe	29
PID 860 wrote to memory of 1140	860	Hacker.com.cn.exe	29
PID 860 wrote to memory of 1140	860	Hacker.com.cn.exe	29
PID 860 wrote to memory of 1140	860	Hacker.com.cn.exe	29
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 968 wrote to memory of 1208	968	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	30
PID 860 wrote to memory of 260	860	Hacker.com.cn.exe	27
PID 860 wrote to memory of 260	860	Hacker.com.cn.exe	27
PID 860 wrote to memory of 332	860	Hacker.com.cn.exe	26
PID 860 wrote to memory of 332	860	Hacker.com.cn.exe	26
PID 860 wrote to memory of 368	860	Hacker.com.cn.exe	25
PID 860 wrote to memory of 368	860	Hacker.com.cn.exe	25
PID 860 wrote to memory of 384	860	Hacker.com.cn.exe	4
PID 860 wrote to memory of 384	860	Hacker.com.cn.exe	4
PID 860 wrote to memory of 384	860	Hacker.com.cn.exe	4
PID 860 wrote to memory of 420	860	Hacker.com.cn.exe	3
PID 860 wrote to memory of 420	860	Hacker.com.cn.exe	3
PID 860 wrote to memory of 420	860	Hacker.com.cn.exe	3
PID 860 wrote to memory of 468	860	Hacker.com.cn.exe	2
PID 860 wrote to memory of 468	860	Hacker.com.cn.exe	2
PID 860 wrote to memory of 484	860	Hacker.com.cn.exe	1
PID 860 wrote to memory of 484	860	Hacker.com.cn.exe	1
PID 860 wrote to memory of 492	860	Hacker.com.cn.exe	24
PID 860 wrote to memory of 492	860	Hacker.com.cn.exe	24
PID 860 wrote to memory of 608	860	Hacker.com.cn.exe	23
PID 860 wrote to memory of 608	860	Hacker.com.cn.exe	23
PID 860 wrote to memory of 684	860	Hacker.com.cn.exe	22
PID 860 wrote to memory of 684	860	Hacker.com.cn.exe	22
PID 860 wrote to memory of 752	860	Hacker.com.cn.exe	21
PID 860 wrote to memory of 752	860	Hacker.com.cn.exe	21
PID 860 wrote to memory of 816	860	Hacker.com.cn.exe	5
PID 860 wrote to memory of 816	860	Hacker.com.cn.exe	5
PID 860 wrote to memory of 844	860	Hacker.com.cn.exe	20
PID 860 wrote to memory of 844	860	Hacker.com.cn.exe	20
PID 860 wrote to memory of 892	860	Hacker.com.cn.exe	19
PID 860 wrote to memory of 892	860	Hacker.com.cn.exe	19
PID 860 wrote to memory of 296	860	Hacker.com.cn.exe	18
PID 860 wrote to memory of 296	860	Hacker.com.cn.exe	18
PID 860 wrote to memory of 112	860	Hacker.com.cn.exe	17
PID 860 wrote to memory of 112	860	Hacker.com.cn.exe	17
PID 860 wrote to memory of 1088	860	Hacker.com.cn.exe	16
PID 860 wrote to memory of 1088	860	Hacker.com.cn.exe	16
PID 860 wrote to memory of 1128	860	Hacker.com.cn.exe	15
PID 860 wrote to memory of 1128	860	Hacker.com.cn.exe	15
PID 860 wrote to memory of 1128	860	Hacker.com.cn.exe	15
PID 860 wrote to memory of 1188	860	Hacker.com.cn.exe	14
PID 860 wrote to memory of 1188	860	Hacker.com.cn.exe	14
PID 860 wrote to memory of 1188	860	Hacker.com.cn.exe	14
PID 860 wrote to memory of 1216	860	Hacker.com.cn.exe	12
PID 860 wrote to memory of 1216	860	Hacker.com.cn.exe	12
PID 860 wrote to memory of 1216	860	Hacker.com.cn.exe	12
PID 860 wrote to memory of 1820	860	Hacker.com.cn.exe	10
PID 860 wrote to memory of 1820	860	Hacker.com.cn.exe	10
PID 860 wrote to memory of 1036	860	Hacker.com.cn.exe	9
PID 860 wrote to memory of 1036	860	Hacker.com.cn.exe	9
PID 860 wrote to memory of 1992	860	Hacker.com.cn.exe	8
PID 860 wrote to memory of 1992	860	Hacker.com.cn.exe	8
PID 860 wrote to memory of 1960	860	Hacker.com.cn.exe	7
PID 860 wrote to memory of 1960	860	Hacker.com.cn.exe	7

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1188
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1036
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1820
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1088
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:892
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- C:\Windows\Hacker.com.cn.exe
  C:\Windows\Hacker.com.cn.exe
  2⤵
  - Executes dropped EXE
  - Sets service image path in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    PID:1140

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "816473285-1320602459-13629735751492792338-1269228612-794440937-1358572783746251807"
  2⤵
  PID:1760

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1960

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1992

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
  "C:\Users\Admin\AppData\Local\Temp\b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1208

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AVMVTJ.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
973KB

MD5
810aa38b415151df6957b45b1d83eb4a

SHA1
00693ea70847791d64a42baf639644cdd4aff421

SHA256
b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7

SHA512
59fcd3e9fd89bf1eaf29736a74151a995aa79406ccf910966635a8ef1611b2bf65e7035cfc4b872f382084d200e02143b79e67c70299a21dff6cd4d75b240fac

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
973KB

MD5
810aa38b415151df6957b45b1d83eb4a

SHA1
00693ea70847791d64a42baf639644cdd4aff421

SHA256
b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7

SHA512
59fcd3e9fd89bf1eaf29736a74151a995aa79406ccf910966635a8ef1611b2bf65e7035cfc4b872f382084d200e02143b79e67c70299a21dff6cd4d75b240fac

Download Submit
C:\Windows\JYENSA.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\YBQXAN.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
71d239e0e8b5e8533fd202357fe01781

SHA1
bc3835ca5457d2ee893dc36dac1bf6a87dad2ba7

SHA256
29c4fec7b7e31022646f528a1f0488a57311244b94822b6a4e8832b910bd4e50

SHA512
9de2f2018f01a6d39d0f8d680ada50aea63aebbe90adf09e647e65f495e4e780a693e99aaadb5c4161d43378d1392a9316e932d41eaa95218b48c5d47b6a8627

Download Submit
memory/860-60-0x0000000000270000-0x0000000000283000-memory.dmp

Filesize
76KB

Download
memory/860-62-0x0000000001DC0000-0x0000000001DE4000-memory.dmp

Filesize
144KB

Download
memory/860-66-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/968-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1208-63-0x0000000000170000-0x0000000000194000-memory.dmp

Filesize
144KB

Download