1785763263ce7db051dd49855a756da20ed9d9d25f62215fd383460aaf98e665

General

Target

0b20b738554bb4278c3cd051bbee9343.exe
Size

669KB
MD5

0b20b738554bb4278c3cd051bbee9343
SHA1

bf4282db33611719203e18bdd31d54821d57b967
SHA256

1785763263ce7db051dd49855a756da20ed9d9d25f62215fd383460aaf98e665
SHA512

6a03b5b3998d138044186665ca2f0e393ed53f21244745b3e891192660e47256a4240205a2980a53a5fa738ed65237ce4626ffc437c2c536584c172f417b0683
SSDEEP

12288:lcMQfeS+Eln95O5m8fPrdHFRRwlkVxENYWo1F3Z4mxxxEO6YPXTF8ews7:lpw/+q95O5m2tzGlMEqWcQmXxh6YPXTP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	Hacker.com.cn.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	0b20b738554bb4278c3cd051bbee9343.exe
File created	C:\Windows\YRTCOV.DAT	0b20b738554bb4278c3cd051bbee9343.exe
File created	C:\Windows\HYYZUC.DAT	0b20b738554bb4278c3cd051bbee9343.exe
File created	C:\Windows\Hacker.com.cn.exe	0b20b738554bb4278c3cd051bbee9343.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	0b20b738554bb4278c3cd051bbee9343.exe
Token: SeDebugPrivilege	2744	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2744	Hacker.com.cn.exe
2744	Hacker.com.cn.exe
2744	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2868	2744	Hacker.com.cn.exe	28
PID 2744 wrote to memory of 2868	2744	Hacker.com.cn.exe	28
PID 2744 wrote to memory of 2868	2744	Hacker.com.cn.exe	28
PID 2744 wrote to memory of 2868	2744	Hacker.com.cn.exe	28

C:\Users\Admin\AppData\Local\Temp\0b20b738554bb4278c3cd051bbee9343.exe
"C:\Users\Admin\AppData\Local\Temp\0b20b738554bb4278c3cd051bbee9343.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2868

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HYYZUC.DAT

Filesize
45KB

MD5
57357e03cca82990ea5513f18d378539

SHA1
223a7b1bd090efe7f6de3f95f69cdf18e7d6ef3d

SHA256
005f009e1da40e2978cfdd7a4fb4b7a8e9a67ee2e12415c672e270352d0db3d2

SHA512
76b02a5f2100f1bdfbc045449f7f218bc5afae35410ba156b048c53f28b4ef023ffeffc83e21ad66cfeba44c7500fc16039d9ba7e76ab2c7f40037e6567bd810

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
58KB

MD5
bb978c9814489a96be20c27da759ba6e

SHA1
a9b7aff36c2ef27b8c0e2af68d35fd50a621fe65

SHA256
7716f4ccd41e014409b4cb2cc836070791918d71a09ebe982f42590561b25512

SHA512
abae4c79054764b8dda2bbe024f20b7ab42e2e37feec2cc499a15b4e6892127cc47c2a7ad5b80c8188989f231614d2bb068f7bb7c37969bcd967abcb8b9cf75e

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
22KB

MD5
74e535f9ec108d6158ec00d07baef028

SHA1
02e13fff9b5390cf0c49fa915c59aa77170cde1a

SHA256
20aa09e4757f5af9885b83cfdd832364ef3ee19ff6f2efa0d6256932bad9b077

SHA512
9528d0f656ce6ab123986d2a578a17f89f7ca2177551c556019f70f22d837e35f9d4381890faf02c6a597c2b5702356eb9ba46ce6411cc9ae1aac84f96f1189b

Download Submit
C:\Windows\YRTCOV.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
memory/2744-31-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2744-25-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2744-43-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2744-42-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2744-26-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2744-27-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2744-28-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2744-36-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/2744-30-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2744-32-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2744-33-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2744-35-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2744-37-0x0000000003F70000-0x0000000003F83000-memory.dmp

Filesize
76KB

Download
memory/2744-39-0x00000000040D0000-0x00000000040E2000-memory.dmp

Filesize
72KB

Download
memory/2856-8-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2856-18-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2856-3-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2856-17-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/2856-1-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2856-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2856-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2856-5-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2856-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2856-6-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2856-7-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2856-2-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2856-0-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2856-9-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2856-10-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2856-11-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x0000000003280000-0x0000000003283000-memory.dmp

Filesize
12KB

Download
memory/2856-13-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2856-41-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2856-40-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2856-15-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2856-16-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing