b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7

Analysis

max time kernel
159s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
Size

973KB
MD5

810aa38b415151df6957b45b1d83eb4a
SHA1

00693ea70847791d64a42baf639644cdd4aff421
SHA256

b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7
SHA512

59fcd3e9fd89bf1eaf29736a74151a995aa79406ccf910966635a8ef1611b2bf65e7035cfc4b872f382084d200e02143b79e67c70299a21dff6cd4d75b240fac
SSDEEP

24576:xStU4gf2EW5A2DJr/kS4vGIk6v3HYvol3FM6:xh43Dp/wPHYvol3K6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3228	Hacker.com.cn.exe

Loads dropped DLL 6 IoCs

pid	Process
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\uninstal.bat	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\CCYEOD.DAT	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\QERRQQ.DAT	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\QGUWTP.DAT	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
File created	C:\Windows\Hacker.com.cn.exe	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
Token: SeDebugPrivilege	3228	Hacker.com.cn.exe
Token: SeAssignPrimaryTokenPrivilege	3228	Hacker.com.cn.exe
Token: SeIncreaseQuotaPrivilege	3228	Hacker.com.cn.exe
Token: SeSecurityPrivilege	3228	Hacker.com.cn.exe
Token: SeTakeOwnershipPrivilege	3228	Hacker.com.cn.exe
Token: SeLoadDriverPrivilege	3228	Hacker.com.cn.exe
Token: SeSystemtimePrivilege	3228	Hacker.com.cn.exe
Token: SeShutdownPrivilege	3228	Hacker.com.cn.exe
Token: SeSystemEnvironmentPrivilege	3228	Hacker.com.cn.exe
Token: SeUndockPrivilege	3228	Hacker.com.cn.exe
Token: SeManageVolumePrivilege	3228	Hacker.com.cn.exe
Token: SeDebugPrivilege	3228	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3228	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe
3228	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 308	3228	Hacker.com.cn.exe	85
PID 3228 wrote to memory of 308	3228	Hacker.com.cn.exe	85
PID 5004 wrote to memory of 2872	5004	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	86
PID 5004 wrote to memory of 2872	5004	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	86
PID 5004 wrote to memory of 2872	5004	b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe	86

C:\Users\Admin\AppData\Local\Temp\b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe
"C:\Users\Admin\AppData\Local\Temp\b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2872

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CCYEOD.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\CCYEOD.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\CCYEOD.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
973KB

MD5
810aa38b415151df6957b45b1d83eb4a

SHA1
00693ea70847791d64a42baf639644cdd4aff421

SHA256
b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7

SHA512
59fcd3e9fd89bf1eaf29736a74151a995aa79406ccf910966635a8ef1611b2bf65e7035cfc4b872f382084d200e02143b79e67c70299a21dff6cd4d75b240fac

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
973KB

MD5
810aa38b415151df6957b45b1d83eb4a

SHA1
00693ea70847791d64a42baf639644cdd4aff421

SHA256
b6ca8a4b8f04f1658ec9e0ea0406cc5c9073cfd6cd52eb3302d8e1f36e7c65f7

SHA512
59fcd3e9fd89bf1eaf29736a74151a995aa79406ccf910966635a8ef1611b2bf65e7035cfc4b872f382084d200e02143b79e67c70299a21dff6cd4d75b240fac

Download Submit
C:\Windows\QERRQQ.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\QERRQQ.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\QERRQQ.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\QGUWTP.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\QGUWTP.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\QGUWTP.DAT

Filesize
122KB

MD5
69c410f159553e56ab5a3d94784e26c9

SHA1
4106505d1666d99c923d94072e8ca80142027b66

SHA256
d431390b789478afba0e9b315b5159933cae6dfb5393f229b49d11286c981d0f

SHA512
8a572c34e010b7566cc8b2c38a8f2d5bfa9defbb10c5affba3847b88641a031fe936a156da3985e034be3b601fce66a6bc612f085c70656a782239f58b4ab994

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
71d239e0e8b5e8533fd202357fe01781

SHA1
bc3835ca5457d2ee893dc36dac1bf6a87dad2ba7

SHA256
29c4fec7b7e31022646f528a1f0488a57311244b94822b6a4e8832b910bd4e50

SHA512
9de2f2018f01a6d39d0f8d680ada50aea63aebbe90adf09e647e65f495e4e780a693e99aaadb5c4161d43378d1392a9316e932d41eaa95218b48c5d47b6a8627

Download Submit
memory/2872-146-0x0000000000000000-mapping.dmp

Download
memory/3228-141-0x0000000001710000-0x0000000001723000-memory.dmp

Filesize
76KB

Download
memory/3228-137-0x00000000016F0000-0x0000000001702000-memory.dmp

Filesize
72KB

Download
memory/3228-145-0x0000000001730000-0x0000000001754000-memory.dmp

Filesize
144KB

Download