7de01e055a2b0805f3bac45c182ff470647f0baa28bc8b6aaec56d8fd86c6fcc

Analysis

max time kernel
126s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d9386e1113ee406c230207a33181c4c.exe
Size

769KB
MD5

3d9386e1113ee406c230207a33181c4c
SHA1

7b8bab978218bb989830c61cb76e7e62369d2ec3
SHA256

7de01e055a2b0805f3bac45c182ff470647f0baa28bc8b6aaec56d8fd86c6fcc
SHA512

f4daccf7037c585850f8498a0fc4d3c6da69291bdbf227604730e333dbde959ea4efc7c62b5a398ed6e4369ba92da3115ac4c1aa99ad30ab5fef335bdfe1a0e7
SSDEEP

24576:wlaXed4nzH+xTqS8gdlz6viIkdEf99zs:wlaXed47PcdDe99

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	Hacker.com.cn.ini

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.ini	3d9386e1113ee406c230207a33181c4c.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	3d9386e1113ee406c230207a33181c4c.exe
File created	C:\Windows\uninstal.bat	3d9386e1113ee406c230207a33181c4c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	3d9386e1113ee406c230207a33181c4c.exe
Token: SeDebugPrivilege	2820	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 3052	2820	Hacker.com.cn.ini	29
PID 2820 wrote to memory of 3052	2820	Hacker.com.cn.ini	29
PID 2820 wrote to memory of 3052	2820	Hacker.com.cn.ini	29
PID 2820 wrote to memory of 3052	2820	Hacker.com.cn.ini	29
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30
PID 1032 wrote to memory of 2808	1032	3d9386e1113ee406c230207a33181c4c.exe	30

C:\Users\Admin\AppData\Local\Temp\3d9386e1113ee406c230207a33181c4c.exe
"C:\Users\Admin\AppData\Local\Temp\3d9386e1113ee406c230207a33181c4c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2808

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.ini

Filesize
192KB

MD5
eb2847ac95057aa7a9aefb98a208bc3a

SHA1
334d6335de90ea992694a68ec56045d843a2caf9

SHA256
b1a9ba673da71450ab34f0932c3f8a74a4febac7942347ba0e5a6e5595cc7935

SHA512
f0658e01e1036f2d84bc6513304467bcf771277cc35e54796d3a3b97af52f13ec4c213c04729bca3f0054779f345d058bf7aed792d888673a93db8bb2d923e96

Download Submit
C:\Windows\Hacker.com.cn.ini

Filesize
769KB

MD5
3d9386e1113ee406c230207a33181c4c

SHA1
7b8bab978218bb989830c61cb76e7e62369d2ec3

SHA256
7de01e055a2b0805f3bac45c182ff470647f0baa28bc8b6aaec56d8fd86c6fcc

SHA512
f4daccf7037c585850f8498a0fc4d3c6da69291bdbf227604730e333dbde959ea4efc7c62b5a398ed6e4369ba92da3115ac4c1aa99ad30ab5fef335bdfe1a0e7

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
c286a37bc46f2d9c417e5f38934d5108

SHA1
24a9e23c3fbef01b94e762b6efcad96939c61e8b

SHA256
1c7731fdd6f576c6d03634fe6644ec0cb184dcfe6f430b2c035b58e70470328c

SHA512
19e714184b333dfe0188e630b8a6226e49ebfe6198c043d6524a1c78ac1e910a66120fb9c10130aca781f66db5b7d67c4ff5d601d83ab152b0540cf3a220c320

Download Submit
memory/1032-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1032-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1032-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1032-16-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2820-6-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2820-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2820-18-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2820-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download