f7c80d533759ad569ec227a326131f2c215927677755d38bf699ad47dd648adb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02b888e8bd8dd39c45a6442848d2b99f.exe
Size

747KB
MD5

02b888e8bd8dd39c45a6442848d2b99f
SHA1

6e00426722ca774f3d80e101772220f7086415f4
SHA256

f7c80d533759ad569ec227a326131f2c215927677755d38bf699ad47dd648adb
SHA512

1af0be980c2ec684371ca478451d8efb491a1f510b7a8f37f6f1317ed63bfe5b6743704d381983cd977e4afecaad3b23d773dc12651d899f9713b3fb83511c5a
SSDEEP

12288:HGN1DPjHKEMIn4xQD31cknK6swUi/S2Fe55v8Zo5GkLwln2Jgfa+SVtBGxfhkFl8:mDPLKEx31CpNi/i5OZozsn2JkarTBafh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1464	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	Hacker.com.cn.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hacker.com.cn.exe	02b888e8bd8dd39c45a6442848d2b99f.exe
File opened for modification	C:\Windows\SysWOW64\Hacker.com.cn.exe	02b888e8bd8dd39c45a6442848d2b99f.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	Hacker.com.cn.exe
File opened for modification	C:\Windows\SysWOW64\Hacker.com.cn.exe	Hacker.com.cn.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	02b888e8bd8dd39c45a6442848d2b99f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	02b888e8bd8dd39c45a6442848d2b99f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	02b888e8bd8dd39c45a6442848d2b99f.exe
Token: SeDebugPrivilege	2740	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30
PID 1600 wrote to memory of 1464	1600	02b888e8bd8dd39c45a6442848d2b99f.exe	30

C:\Users\Admin\AppData\Local\Temp\02b888e8bd8dd39c45a6442848d2b99f.exe
"C:\Users\Admin\AppData\Local\Temp\02b888e8bd8dd39c45a6442848d2b99f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1464

C:\Windows\SysWOW64\Hacker.com.cn.exe
C:\Windows\SysWOW64\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hacker.com.cn.exe

Filesize
4KB

MD5
320fd908eb78e48ee3bb2442ebc1d240

SHA1
54670faea7455b41aa0c2ef4b9f09ab2b0cf4a3f

SHA256
e04614e9d421847240593ea7464281ce62f5d5091333cc6942f78309ebeddaf2

SHA512
5fc2dd31c53cb021e68bb5dfa33b880660398ca25097adff4aa8e659310b1d9daf146a7259eb21ab86414c50ca09200b7d382e3ce163bc607e1e7d3ed62c6eb4

Download Submit
C:\Windows\SysWOW64\Hacker.com.cn.exe

Filesize
43KB

MD5
9f100a9d8c851813b6d8f41952539669

SHA1
f57961a1f38434c39cbce701fe002d301e5b35e7

SHA256
40b7d9fbf5738013ee87cb6b156ebace9350daf9a1da00031a689c0aaf310438

SHA512
52945ff1c77ce0340f65623b5b10f0414fce6f1251aa93ff9761045ab3818f9dd36adae5f24187ae303e4f6dcb8b56b29ad550fd38b434b5b232453f7faff52b

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
af00a08fec23383005c1a268e2d1d361

SHA1
3bcb750ce409f0947810d8c759ea722ed8d41714

SHA256
bf5b739cdfc88c6d1128db8a063649ac3ca8db5b132aab985a536eaa9b624777

SHA512
31b4421e8e02be9ff996a27f5f051aa66a51f76a4dd4ffc07c2b73cc88b3b3ab661bffccbf8da33ca9fa45fd5e32f8f74a94b4d65f4243b514f5541aefdbfd82

Download Submit
memory/1600-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1600-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1600-16-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2740-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2740-6-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2740-8-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download