Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 22:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
062afcf4bc4cae5b76a1bfa4168f5b7e.exe
Resource
win7-20231129-en
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
062afcf4bc4cae5b76a1bfa4168f5b7e.exe
Resource
win10v2004-20231215-en
6 signatures
150 seconds
General
-
Target
062afcf4bc4cae5b76a1bfa4168f5b7e.exe
-
Size
688KB
-
MD5
062afcf4bc4cae5b76a1bfa4168f5b7e
-
SHA1
eef756f2289ca0e8da36895580b2a85501db58c6
-
SHA256
a9724025f65fe8d1c8349c997381cba43b69b01ae9bcbbac776b91aebd14ab4e
-
SHA512
3ae59eb3013603b7afa513e688fb1112867add06bb7b83faa9caf5df1139bb42c3f4485e31036abf40d3f5a3483a0d55c5a644a77d648e4d907d73be67a86e04
-
SSDEEP
12288:S+ldOo5gkI8T73A5vmvyVwyF3Z4mxxp8VBO+fMlLYve5yM4:zgi73Asq5QmXp8VBO+q56
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 64 4.exe 4612 Hacker.com.cn.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 062afcf4bc4cae5b76a1bfa4168f5b7e.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Hacker.com.cn.exe 4.exe File opened for modification C:\Windows\Hacker.com.cn.exe 4.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 64 4.exe Token: SeDebugPrivilege 4612 Hacker.com.cn.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4612 Hacker.com.cn.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2952 wrote to memory of 64 2952 062afcf4bc4cae5b76a1bfa4168f5b7e.exe 18 PID 2952 wrote to memory of 64 2952 062afcf4bc4cae5b76a1bfa4168f5b7e.exe 18 PID 2952 wrote to memory of 64 2952 062afcf4bc4cae5b76a1bfa4168f5b7e.exe 18 PID 4612 wrote to memory of 4840 4612 Hacker.com.cn.exe 19 PID 4612 wrote to memory of 4840 4612 Hacker.com.cn.exe 19
Processes
-
C:\Users\Admin\AppData\Local\Temp\062afcf4bc4cae5b76a1bfa4168f5b7e.exe"C:\Users\Admin\AppData\Local\Temp\062afcf4bc4cae5b76a1bfa4168f5b7e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:64
-
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"1⤵PID:4840
-
C:\Windows\Hacker.com.cn.exeC:\Windows\Hacker.com.cn.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4612