46bb3976fe4fb95e150c9ba59f182ff9bd3ad732a03dcc244cacc2d32bd8cd2b

General

Target

39baaa7802936dd3b231a168c7f2a9cb.exe
Size

693KB
MD5

39baaa7802936dd3b231a168c7f2a9cb
SHA1

42d3f66b293e32b3f024bbc7089c43d6a5609b2e
SHA256

46bb3976fe4fb95e150c9ba59f182ff9bd3ad732a03dcc244cacc2d32bd8cd2b
SHA512

842decc8c26ef2021298b0f62e5531280353beb59cc1b42adac57a0e7c46654aa97a9bdf370742f42bdd29dac7e103b7085f2db392881e7943b946b5a0c0b471
SSDEEP

12288:fxeS3tVM8wI00yCluursqGF3Z4mxxSU7/U0gNTsQ1UVcS4:fxemMhI00yeUqGQmXSUdQmSS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	guo.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\guo.exe	39baaa7802936dd3b231a168c7f2a9cb.exe
File opened for modification	C:\Windows\guo.exe	39baaa7802936dd3b231a168c7f2a9cb.exe
File created	C:\Windows\guocok88.BAT	39baaa7802936dd3b231a168c7f2a9cb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	39baaa7802936dd3b231a168c7f2a9cb.exe
Token: SeDebugPrivilege	2844	guo.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	guo.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2748	624	39baaa7802936dd3b231a168c7f2a9cb.exe	31
PID 624 wrote to memory of 2748	624	39baaa7802936dd3b231a168c7f2a9cb.exe	31
PID 624 wrote to memory of 2748	624	39baaa7802936dd3b231a168c7f2a9cb.exe	31
PID 624 wrote to memory of 2748	624	39baaa7802936dd3b231a168c7f2a9cb.exe	31
PID 2844 wrote to memory of 2940	2844	guo.exe	30
PID 2844 wrote to memory of 2940	2844	guo.exe	30
PID 2844 wrote to memory of 2940	2844	guo.exe	30
PID 2844 wrote to memory of 2940	2844	guo.exe	30

C:\Users\Admin\AppData\Local\Temp\39baaa7802936dd3b231a168c7f2a9cb.exe
"C:\Users\Admin\AppData\Local\Temp\39baaa7802936dd3b231a168c7f2a9cb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\guocok88.BAT
  2⤵
  - Deletes itself
  PID:2748

C:\Windows\guo.exe
C:\Windows\guo.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\guo.exe

Filesize
693KB

MD5
39baaa7802936dd3b231a168c7f2a9cb

SHA1
42d3f66b293e32b3f024bbc7089c43d6a5609b2e

SHA256
46bb3976fe4fb95e150c9ba59f182ff9bd3ad732a03dcc244cacc2d32bd8cd2b

SHA512
842decc8c26ef2021298b0f62e5531280353beb59cc1b42adac57a0e7c46654aa97a9bdf370742f42bdd29dac7e103b7085f2db392881e7943b946b5a0c0b471

Download Submit
C:\Windows\guocok88.BAT

Filesize
190B

MD5
76ff39ca8af6a80145af4b8805053cec

SHA1
c0e26a45c67f77b15d0399b615b3d2f68c76b51f

SHA256
d04141ec32c20b6f21aaa412fa07b84dc454145eacb81fcbc8a5c83a78171df2

SHA512
67dd8f2bb197e381159a5f2456f1b8f9503de55665a21080ec765b6a4e0b4a30f986ee048f8570e9f256d1125a82900ad161de2bfbb21493392d6f3e29e31d84

Download Submit
memory/624-17-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/624-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/624-12-0x0000000003270000-0x0000000003274000-memory.dmp

Filesize
16KB

Download
memory/624-11-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/624-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/624-10-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/624-9-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/624-8-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/624-6-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/624-5-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/624-7-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/624-3-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/624-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/624-2-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/624-16-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/624-18-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/624-13-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/624-0-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/624-4-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/624-1-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/624-37-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/624-34-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2844-26-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2844-35-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2844-24-0x0000000003150000-0x0000000003250000-memory.dmp

Filesize
1024KB

Download
memory/2844-36-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2844-42-0x0000000001D40000-0x0000000001D94000-memory.dmp

Filesize
336KB

Download
memory/2844-41-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2844-40-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2844-39-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2844-38-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2844-23-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2844-44-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2844-45-0x0000000003150000-0x0000000003250000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing