fae203be8e9553e67df92d264fd0622feba1fc75dfc150833b8c616e5880f447

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 07:28

Target

64d20b27bcf5f65b055e578297052b51.exe
Size

742KB
MD5

64d20b27bcf5f65b055e578297052b51
SHA1

3364590bbfaa76ddd1458597eafe98d82ff4b9a8
SHA256

fae203be8e9553e67df92d264fd0622feba1fc75dfc150833b8c616e5880f447
SHA512

fdda4f055a758189c48d23a42f4975b3b548952601b20931055ba7776bbc348e8d957aab09906ce9d7f4b09fa75a84d48fbb793a5557abfaf93b7a3fcfbf6837
SSDEEP

12288:ARyTY+2U4uan/8RdW5A0zyxuJwQ5oAlK+Gx/vZuIkAbQQ52LYRg08y5rDRy:k6iU4ucwdW5A2RJr/k3/vcIkA33P

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3012	hxhack.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\pRogram Files\system\hxhack.exe	64d20b27bcf5f65b055e578297052b51.exe
File opened for modification	C:\pRogram Files\system\hxhack.exe	64d20b27bcf5f65b055e578297052b51.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.BAT	64d20b27bcf5f65b055e578297052b51.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	64d20b27bcf5f65b055e578297052b51.exe
Token: SeDebugPrivilege	3012	hxhack.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	hxhack.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30
PID 2988 wrote to memory of 2848	2988	64d20b27bcf5f65b055e578297052b51.exe	30

C:\Users\Admin\AppData\Local\Temp\64d20b27bcf5f65b055e578297052b51.exe
"C:\Users\Admin\AppData\Local\Temp\64d20b27bcf5f65b055e578297052b51.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.BAT
  2⤵
  - Deletes itself
  PID:2848

C:\Program Files\system\hxhack.exe

Filesize
742KB

MD5
64d20b27bcf5f65b055e578297052b51

SHA1
3364590bbfaa76ddd1458597eafe98d82ff4b9a8

SHA256
fae203be8e9553e67df92d264fd0622feba1fc75dfc150833b8c616e5880f447

SHA512
fdda4f055a758189c48d23a42f4975b3b548952601b20931055ba7776bbc348e8d957aab09906ce9d7f4b09fa75a84d48fbb793a5557abfaf93b7a3fcfbf6837

Download Submit
C:\Windows\uninstal.BAT

Filesize
190B

MD5
117d6469b5a160e84fe1112e218da768

SHA1
03e52135ff92a64d588b7fc95c289fa9b583ba19

SHA256
18dfe0cce1c062bfb8b914406210b935f52829306320a3ce8325378e5a69443b

SHA512
d09f82840b54fb286d749174c0f6c675056aa14366dc7c170963bbea68de70d9ad1456215669b828a77ecf9889ef0d3539e712dbab07e3d7e33cad04122fbd6a

Download Submit
memory/2988-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2988-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2988-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3012-5-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3012-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3012-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3012-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download