b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf

Analysis

max time kernel
206s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe
Size

788KB
MD5

237a1493d3a2bebd7e4f437f618b22fe
SHA1

cb427e55875fd871731626a217d5ba0760e905d8
SHA256

b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf
SHA512

45f3d707e1c02de6ec98e5d6a0e23b6925c744dca233943157e5cc186994b04bd6be7f4db1c704c419dfa4470bcef4e9099a03331cfb94930a5f7729e85013c6
SSDEEP

12288:MZRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrzy:MTStU4gf2EW5A2DJr/kS4vGIk6v3Hf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2708	1.exe
3564	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	1.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	1.exe
File created	C:\Windows\uninstal.bat	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	1.exe
Token: SeDebugPrivilege	3564	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3564	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1248	b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2708	1248	b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe	83
PID 1248 wrote to memory of 2708	1248	b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe	83
PID 1248 wrote to memory of 2708	1248	b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe	83
PID 3564 wrote to memory of 4972	3564	Hacker.com.cn.exe	85
PID 3564 wrote to memory of 4972	3564	Hacker.com.cn.exe	85
PID 2708 wrote to memory of 2212	2708	1.exe	86
PID 2708 wrote to memory of 2212	2708	1.exe	86
PID 2708 wrote to memory of 2212	2708	1.exe	86

C:\Users\Admin\AppData\Local\Temp\b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe
"C:\Users\Admin\AppData\Local\Temp\b495be906058f9210b117c4d9f02bcb5e014115935d9ed935c921257e3888eaf.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248
- \??\c:\1.exe
  c:\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:2212

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.exe

Filesize
743KB

MD5
0278952f43352fa000ecb2f441ff52b1

SHA1
ffe0b935fd44e7d5fb9c460368021af8d4591074

SHA256
eb60aa5a06a9b64690095682627878c30bdc9ec67dbb4f5ded5543b9dea02839

SHA512
0eff8eaf98789c201029bbdcd47dd5c1a14c66a1e38cbcfcaf56c0544f3d2122556cfe6b5c511f5f92c3589d274cdb74b09c36a0a49403e0abf953081a623e78

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
0278952f43352fa000ecb2f441ff52b1

SHA1
ffe0b935fd44e7d5fb9c460368021af8d4591074

SHA256
eb60aa5a06a9b64690095682627878c30bdc9ec67dbb4f5ded5543b9dea02839

SHA512
0eff8eaf98789c201029bbdcd47dd5c1a14c66a1e38cbcfcaf56c0544f3d2122556cfe6b5c511f5f92c3589d274cdb74b09c36a0a49403e0abf953081a623e78

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
743KB

MD5
0278952f43352fa000ecb2f441ff52b1

SHA1
ffe0b935fd44e7d5fb9c460368021af8d4591074

SHA256
eb60aa5a06a9b64690095682627878c30bdc9ec67dbb4f5ded5543b9dea02839

SHA512
0eff8eaf98789c201029bbdcd47dd5c1a14c66a1e38cbcfcaf56c0544f3d2122556cfe6b5c511f5f92c3589d274cdb74b09c36a0a49403e0abf953081a623e78

Download Submit
C:\Windows\uninstal.bat

Filesize
66B

MD5
e618287057ffd95f4e53444ff15e6bb6

SHA1
9f668cdbd506af1d234c1d43c72540d0b97ccd3d

SHA256
36b6cad0410849bf6f3a623d60c705d150b901443eff7abdf7b7d87d95b62eb2

SHA512
ebd15dc68189182f4d5f5ac49e2c86cb80cfcfa96d06f4c1f840b59ed72f847edf8f0c6286cb141c9ca5f21a34379f58ba89baf63bc41974431313441236219b

Download Submit
\??\c:\1.exe

Filesize
743KB

MD5
0278952f43352fa000ecb2f441ff52b1

SHA1
ffe0b935fd44e7d5fb9c460368021af8d4591074

SHA256
eb60aa5a06a9b64690095682627878c30bdc9ec67dbb4f5ded5543b9dea02839

SHA512
0eff8eaf98789c201029bbdcd47dd5c1a14c66a1e38cbcfcaf56c0544f3d2122556cfe6b5c511f5f92c3589d274cdb74b09c36a0a49403e0abf953081a623e78

Download Submit
memory/2212-139-0x0000000000000000-mapping.dmp

Download
memory/2708-134-0x0000000000000000-mapping.dmp

Download