e6a8753ea5da55b38bc6ba5b81e4727e8ffb429912204c586950e6df002b50e3

General

Target

0aa5880279785eb51d925794901bf1ea.exe
Size

551KB
MD5

0aa5880279785eb51d925794901bf1ea
SHA1

e4b82bbc3a494149f97b6530d17a71c2ac8552ee
SHA256

e6a8753ea5da55b38bc6ba5b81e4727e8ffb429912204c586950e6df002b50e3
SHA512

6da61f0088a7f851e726afb58c3c8f4c2d1463d34f1aeddceae74f3e8acec1cd9abd0471f896ca7e424256dc491ef9684ad38f6b8a12616fee4f30a0183c1218
SSDEEP

12288:xs1Q0RGXqkAvRbQxARoOaqObVHQo30ve2vZd4:x0fPpJoOaHyRGsZK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	360tray

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\360tray	0aa5880279785eb51d925794901bf1ea.exe
File created	C:\Windows\uninstal.bat	0aa5880279785eb51d925794901bf1ea.exe
File created	C:\Windows\360tray	0aa5880279785eb51d925794901bf1ea.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	0aa5880279785eb51d925794901bf1ea.exe
Token: SeDebugPrivilege	2808	360tray

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	360tray

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3028	2808	360tray	29
PID 2808 wrote to memory of 3028	2808	360tray	29
PID 2808 wrote to memory of 3028	2808	360tray	29
PID 2808 wrote to memory of 3028	2808	360tray	29
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31
PID 2476 wrote to memory of 2888	2476	0aa5880279785eb51d925794901bf1ea.exe	31

C:\Users\Admin\AppData\Local\Temp\0aa5880279785eb51d925794901bf1ea.exe
"C:\Users\Admin\AppData\Local\Temp\0aa5880279785eb51d925794901bf1ea.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2888

C:\Windows\360tray
C:\Windows\360tray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\360tray

Filesize
551KB

MD5
0aa5880279785eb51d925794901bf1ea

SHA1
e4b82bbc3a494149f97b6530d17a71c2ac8552ee

SHA256
e6a8753ea5da55b38bc6ba5b81e4727e8ffb429912204c586950e6df002b50e3

SHA512
6da61f0088a7f851e726afb58c3c8f4c2d1463d34f1aeddceae74f3e8acec1cd9abd0471f896ca7e424256dc491ef9684ad38f6b8a12616fee4f30a0183c1218

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
204288cdc6589d41771a55c6105231c0

SHA1
302746f7ab9f8c8230866b952f5fb80d2c6da49f

SHA256
faa27d318c4f4a962a2d77b058f3033bf2d2a4007e0c99ac43e53ac5ee042909

SHA512
caafc2e09b55b8a71624459c9043a33abbf09e8d350a86e545a10c137fb1bbc9975521efcaba4c0a59c6fc53e23d8490edae8e1deeaa4be2d41e89b007107258

Download Submit
memory/2476-1-0x0000000001D10000-0x0000000001D5B000-memory.dmp

Filesize
300KB

Download
memory/2476-6-0x00000000027F0000-0x00000000027F3000-memory.dmp

Filesize
12KB

Download
memory/2476-16-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2476-14-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2476-13-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2476-12-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2476-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2476-10-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2476-7-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2476-9-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2476-5-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2476-4-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2476-3-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2476-2-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2476-15-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2476-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2476-36-0x0000000001D10000-0x0000000001D5B000-memory.dmp

Filesize
300KB

Download
memory/2476-35-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2476-8-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2808-20-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2808-27-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2808-23-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2808-24-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2808-34-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2808-21-0x0000000001CA0000-0x0000000001CEB000-memory.dmp

Filesize
300KB

Download
memory/2808-22-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2808-38-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2808-39-0x0000000001CA0000-0x0000000001CEB000-memory.dmp

Filesize
300KB

Download
memory/2808-40-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2808-41-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2808-45-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing