bd59e6552efe0d0b66aa7c2ab5efec9551501ae7762b5ab7085f054a70342c2f

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

275ac7d941783760edd9cf48c39191eb.exe
Size

269KB
MD5

275ac7d941783760edd9cf48c39191eb
SHA1

85c56fd948223139025c9f0c196c27e8754dac49
SHA256

bd59e6552efe0d0b66aa7c2ab5efec9551501ae7762b5ab7085f054a70342c2f
SHA512

492a8f06e0c76d8330be369f7b456c116e5826af30376c5de486b738def37565c0e0f491ee26151831d3a0f4d7b6a5ecea382232b534df53456eff8c48aba472
SSDEEP

6144:nY/1Pdb0iTaO0Q6/cG7Q+BRTSfKCPLIRzdnyJkxfK+sfrXZHgo3v:y3bfV0J0+BlM3PLy8JkxfKljF3v

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	275ac7d941783760edd9cf48c39191eb.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	275ac7d941783760edd9cf48c39191eb.exe
File created	C:\Windows\uninstal.bat	275ac7d941783760edd9cf48c39191eb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	275ac7d941783760edd9cf48c39191eb.exe
Token: SeDebugPrivilege	2152	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3008	2152	Hacker.com.cn.exe	29
PID 2152 wrote to memory of 3008	2152	Hacker.com.cn.exe	29
PID 2152 wrote to memory of 3008	2152	Hacker.com.cn.exe	29
PID 2152 wrote to memory of 3008	2152	Hacker.com.cn.exe	29
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30
PID 2436 wrote to memory of 2692	2436	275ac7d941783760edd9cf48c39191eb.exe	30

C:\Users\Admin\AppData\Local\Temp\275ac7d941783760edd9cf48c39191eb.exe
"C:\Users\Admin\AppData\Local\Temp\275ac7d941783760edd9cf48c39191eb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2692

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
269KB

MD5
275ac7d941783760edd9cf48c39191eb

SHA1
85c56fd948223139025c9f0c196c27e8754dac49

SHA256
bd59e6552efe0d0b66aa7c2ab5efec9551501ae7762b5ab7085f054a70342c2f

SHA512
492a8f06e0c76d8330be369f7b456c116e5826af30376c5de486b738def37565c0e0f491ee26151831d3a0f4d7b6a5ecea382232b534df53456eff8c48aba472

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
19fa20d2b6b74eddc8b0d801653008c5

SHA1
bc47bb5dca1ad35a30c56967205dcd6632182da3

SHA256
38af7e03819ba162d5ea524b19b82651fb657188110ebeb1d90b8ca3849123ad

SHA512
9f4c5dc33fbc3f727b3c6d04b5bc0936acd49b235c54c25804dc8a844037a02fc7bcae4d20df499dc541042cd9006846999cbe0b7ad95c273155da540bd96ebc

Download Submit
memory/2152-4-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2152-15-0x0000000000400000-0x000000000050803E-memory.dmp

Filesize
1.0MB

Download
memory/2152-16-0x0000000000400000-0x000000000050803E-memory.dmp

Filesize
1.0MB

Download
memory/2152-17-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2152-21-0x0000000000400000-0x000000000050803E-memory.dmp

Filesize
1.0MB

Download
memory/2152-22-0x0000000000400000-0x000000000050803E-memory.dmp

Filesize
1.0MB

Download
memory/2152-26-0x0000000000400000-0x000000000050803E-memory.dmp

Filesize
1.0MB

Download
memory/2436-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2436-13-0x0000000000400000-0x000000000050803E-memory.dmp

Filesize
1.0MB

Download