67ede6407855ec22985a843b52f5d5ad8169aafc396606f742029bf05d10233f

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

641cd01e7405ae9fea7ab07cd90d7e92.exe
Size

593KB
MD5

641cd01e7405ae9fea7ab07cd90d7e92
SHA1

3eb0d97da4b62692ceca9ea7045ed3cc8356ecdf
SHA256

67ede6407855ec22985a843b52f5d5ad8169aafc396606f742029bf05d10233f
SHA512

b4d77a5d7c86b6c59cb704e2258d6acd7711b60f6b06d64b78ba4fd8cbe4e3c4a6c60ea92130490f5ee1b25cc5f587bce0e93ba12be6782653e1e784d07ea33b
SSDEEP

12288:xH6kPIA9mR9jXZkTMxRACxFF3Z4mxxtRvz2JG0/BY:xHNB9mRRpk4xWCHQmXtgJG0/G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3332	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	641cd01e7405ae9fea7ab07cd90d7e92.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	641cd01e7405ae9fea7ab07cd90d7e92.exe
File created	C:\Windows\uninstal.bat	641cd01e7405ae9fea7ab07cd90d7e92.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	641cd01e7405ae9fea7ab07cd90d7e92.exe
Token: SeDebugPrivilege	3332	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3332	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4304	3332	Hacker.com.cn.exe	91
PID 3332 wrote to memory of 4304	3332	Hacker.com.cn.exe	91
PID 384 wrote to memory of 3664	384	641cd01e7405ae9fea7ab07cd90d7e92.exe	95
PID 384 wrote to memory of 3664	384	641cd01e7405ae9fea7ab07cd90d7e92.exe	95
PID 384 wrote to memory of 3664	384	641cd01e7405ae9fea7ab07cd90d7e92.exe	95

C:\Users\Admin\AppData\Local\Temp\641cd01e7405ae9fea7ab07cd90d7e92.exe
"C:\Users\Admin\AppData\Local\Temp\641cd01e7405ae9fea7ab07cd90d7e92.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3664

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
329KB

MD5
1d0a9b94de8639bdc72ce55b7a53644e

SHA1
5552540ef5f5e0b1762e5bcec4faa678e8363ebb

SHA256
1e00c2c5c3956a61c1ed7725adbd8d144d95c5366c4586861647e3d7ec691b07

SHA512
7c25c6986da3bc6f4de64bd263b48be363a632c624c9174cd70832fa2ecf1a3f0a024de12413fb40ae9ffb1155b1b35225c9a8a793135c001fbe3fb732e4c3b1

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
338KB

MD5
89b9f783f24e45f7d27859c06b43a420

SHA1
2e75d5afa52fdabb340890a21f650a544375713d

SHA256
6b98b2ffaa9778886cf9faec1debaac4ae913ed5da41854dda8016372a7d4107

SHA512
b5e0c2a0c17ce48d5d36b9297a3ad90ca026488ea74a38d3c663f50669eef8d195e5257680eec615d097c7152a9c7869e1d6decc620f984f3460323ad17a3cf6

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
09cc8a879facab99fcec5aab71cac9b5

SHA1
1296068e439a723274cc816a81f5af47c1987401

SHA256
6640aa359a1049ceda71efb7db48842866f1a9199128f37e17e16fc840ccffba

SHA512
e99ff744bef58f2d0b0403e335c7d917cf7eedda6c8b5e39483b67410a84247c6440f9e3621c8bf31e958b1e457310032c674b58382667fc59545695f4b94058

Download Submit
memory/384-14-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/384-2-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/384-6-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/384-7-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/384-5-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/384-8-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/384-9-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/384-10-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/384-11-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/384-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/384-3-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/384-4-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/384-1-0x00000000008A0000-0x00000000008F4000-memory.dmp

Filesize
336KB

Download
memory/384-24-0x00000000008A0000-0x00000000008F4000-memory.dmp

Filesize
336KB

Download
memory/384-23-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3332-20-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/3332-19-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3332-18-0x0000000000B60000-0x0000000000BB4000-memory.dmp

Filesize
336KB

Download
memory/3332-17-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3332-26-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/3332-27-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download