46da2d2262661d1f632e86e478642f8e1eb5b5faa65ae34d9039e9ea9efdebaf

Analysis

max time kernel
155s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44cacd30f4f713101607e1f1f9021f7e.exe
Size

270KB
MD5

44cacd30f4f713101607e1f1f9021f7e
SHA1

69ea3a95361a0e14910e1bdbd5f225aa8b88ab18
SHA256

46da2d2262661d1f632e86e478642f8e1eb5b5faa65ae34d9039e9ea9efdebaf
SHA512

a0e103589d18f53be34c468243492482840e37454e6e03ed085587469edbfd68089e1bf91659acff5287adbe22abc98e4bdb09d2e2664371e3cc0c2941a431b1
SSDEEP

6144:qMhBj6B6kP/KRvA9HmNR92bIjLxPTYra385tnDzeO+SsZPqXhEpJ3:jW6kPIA9mR9jXZkznXL+Cg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3000	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	44cacd30f4f713101607e1f1f9021f7e.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	44cacd30f4f713101607e1f1f9021f7e.exe
File created	C:\Windows\uninstal.bat	44cacd30f4f713101607e1f1f9021f7e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	44cacd30f4f713101607e1f1f9021f7e.exe
Token: SeDebugPrivilege	3000	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3000	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4024	3000	Hacker.com.cn.exe	93
PID 3000 wrote to memory of 4024	3000	Hacker.com.cn.exe	93
PID 3168 wrote to memory of 2716	3168	44cacd30f4f713101607e1f1f9021f7e.exe	95
PID 3168 wrote to memory of 2716	3168	44cacd30f4f713101607e1f1f9021f7e.exe	95
PID 3168 wrote to memory of 2716	3168	44cacd30f4f713101607e1f1f9021f7e.exe	95

C:\Users\Admin\AppData\Local\Temp\44cacd30f4f713101607e1f1f9021f7e.exe
"C:\Users\Admin\AppData\Local\Temp\44cacd30f4f713101607e1f1f9021f7e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2716

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
270KB

MD5
44cacd30f4f713101607e1f1f9021f7e

SHA1
69ea3a95361a0e14910e1bdbd5f225aa8b88ab18

SHA256
46da2d2262661d1f632e86e478642f8e1eb5b5faa65ae34d9039e9ea9efdebaf

SHA512
a0e103589d18f53be34c468243492482840e37454e6e03ed085587469edbfd68089e1bf91659acff5287adbe22abc98e4bdb09d2e2664371e3cc0c2941a431b1

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
c530a490a14a1aa59b72e78f10cc988a

SHA1
45e8932fb45b69c4b9d3c899b45bf11bbfb0973d

SHA256
d455b65cb6bbed376c49f74e8af91798284a903831c839aca4bda146553c3f2d

SHA512
b0490f01816b79d327c0a2d258ca19fa51a54112b7a9b8aaa347cdf84661041596e2604e501b0a8fae5c48d6fdbca2b11c5d3d1f69392bbf644f4f49e87173b4

Download Submit
memory/3000-9-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3000-10-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3000-14-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3000-15-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3000-16-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3168-0-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3168-2-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/3168-1-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3168-3-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3168-8-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download