ed21bca7bb4a7281774698201f5b076830b4adafbe2c2ac02eda215bfa62a671

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 15:04

Target

412d0efe168a8077d274b44382db2934.exe
Size

295KB
MD5

412d0efe168a8077d274b44382db2934
SHA1

d8736a9e3580c505fa1f7bdf6c98731a7917fab8
SHA256

ed21bca7bb4a7281774698201f5b076830b4adafbe2c2ac02eda215bfa62a671
SHA512

3914d98f3cf2c339ad156c685d6c431324e2d974b5a24b0b6ea0110beaea6bfe15dfcc11fec4209166c50aeca6784d6b00206f6e6772bc9b9b98778ee81641d8
SSDEEP

6144:g2tETjaBZgCtOROVtQlYyWKaV4Pd0I1jfBynfQeMRc:dBvIwt5yWKPjGfM

Score

7^/10

upx

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	Hacker.com.cn.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2172-6-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/3048-15-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2172-17-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2172-18-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2172-24-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	412d0efe168a8077d274b44382db2934.exe
File created	C:\Windows\uninstal.bat	412d0efe168a8077d274b44382db2934.exe
File created	C:\Windows\Hacker.com.cn.exe	412d0efe168a8077d274b44382db2934.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	412d0efe168a8077d274b44382db2934.exe
Token: SeDebugPrivilege	2172	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2856	2172	Hacker.com.cn.exe	29
PID 2172 wrote to memory of 2856	2172	Hacker.com.cn.exe	29
PID 2172 wrote to memory of 2856	2172	Hacker.com.cn.exe	29
PID 2172 wrote to memory of 2856	2172	Hacker.com.cn.exe	29
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31
PID 3048 wrote to memory of 2336	3048	412d0efe168a8077d274b44382db2934.exe	31

C:\Users\Admin\AppData\Local\Temp\412d0efe168a8077d274b44382db2934.exe
"C:\Users\Admin\AppData\Local\Temp\412d0efe168a8077d274b44382db2934.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2336

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2856

memory/2172-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2172-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2172-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2172-18-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2172-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2172-24-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3048-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3048-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download