f09582cddab7d6d61dcf7c6543a9b3cb897a4437620b9e7640ac75548fe5d574

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 22:06

Target

1df97cc593e6f73de66d81498067d1b0.exe
Size

746KB
MD5

1df97cc593e6f73de66d81498067d1b0
SHA1

3fdaffd380ea1e2569174ba645894d99612fdb26
SHA256

f09582cddab7d6d61dcf7c6543a9b3cb897a4437620b9e7640ac75548fe5d574
SHA512

2809e984aee437270a0d22aab37c1f394b837654329d789ffcbc7ec59b132edb0f7454aa98341449a0c74b191e576966b773d4c9d2babf31173458ef3903103d
SSDEEP

12288:EuISZEJSdqarx4D/xG8/DL/kwBR1SyNrn09uE74o82VoIyWw:EuISSJSXd4DQQLswBR1FNrn09J4o82HG

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1820	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	1df97cc593e6f73de66d81498067d1b0.exe
File created	C:\Windows\uninstal.bat	1df97cc593e6f73de66d81498067d1b0.exe
File created	C:\Windows\Hacker.com.cn.exe	1df97cc593e6f73de66d81498067d1b0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	1df97cc593e6f73de66d81498067d1b0.exe
Token: SeDebugPrivilege	2392	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2392	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29
PID 2348 wrote to memory of 1820	2348	1df97cc593e6f73de66d81498067d1b0.exe	29

C:\Users\Admin\AppData\Local\Temp\1df97cc593e6f73de66d81498067d1b0.exe
"C:\Users\Admin\AppData\Local\Temp\1df97cc593e6f73de66d81498067d1b0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:1820

C:\Windows\Hacker.com.cn.exe

Filesize
746KB

MD5
1df97cc593e6f73de66d81498067d1b0

SHA1
3fdaffd380ea1e2569174ba645894d99612fdb26

SHA256
f09582cddab7d6d61dcf7c6543a9b3cb897a4437620b9e7640ac75548fe5d574

SHA512
2809e984aee437270a0d22aab37c1f394b837654329d789ffcbc7ec59b132edb0f7454aa98341449a0c74b191e576966b773d4c9d2babf31173458ef3903103d

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
653f2909c35a8f52f367324646440f43

SHA1
44c029225b94bf1d37d68b2a08cbfa30b3002fec

SHA256
c896717476fc4d4d28c19eb11ce29b036807e6a284aad527dfaeea04418075dd

SHA512
2b2451ca1af65c5734f05cae8e89328a52303a3cbfdf131165d3484e82eadb9894bcf131005f87d1fb07ff1d7b644f27b3b32da70a00a8d28d8abe08ca8b8aad

Download Submit
memory/2348-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2348-12-0x0000000000400000-0x00000000004C2024-memory.dmp

Filesize
776KB

Download
memory/2392-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2392-14-0x0000000000400000-0x00000000004C2024-memory.dmp

Filesize
776KB

Download
memory/2392-15-0x0000000000400000-0x00000000004C2024-memory.dmp

Filesize
776KB

Download
memory/2392-16-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2392-20-0x0000000000400000-0x00000000004C2024-memory.dmp

Filesize
776KB

Download