Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
22/01/2024, 17:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6fe26eb1e188081ecd9f8c642ad28cf8.exe
Resource
win7-20231215-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
6fe26eb1e188081ecd9f8c642ad28cf8.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
6fe26eb1e188081ecd9f8c642ad28cf8.exe
-
Size
20KB
-
MD5
6fe26eb1e188081ecd9f8c642ad28cf8
-
SHA1
d63a39407308a1d035523fa9e4e70727a5afb554
-
SHA256
35666ec0155cae7a83b390a67a5cb9d07bab83946bfcc3bca1f2319d54dcb1ea
-
SHA512
e232cc39357e33a14c4d9dff084256892785b5ff6fab53bf8446c21f389aabdf37d040b296ba952fed27f08a0bda3046ea32101f24cfeafa55664c158563af43
-
SSDEEP
96:Kwrfmr5W0QhI9rXkyo4DZWMhBiybgHHlrY160pbFr8XvNgSUtr7sExRAFFunf13r:5rOAI9rXJoBM/MxSmNgvfV8Yjn
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2308 cmd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2828 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 28 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2780 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 29 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2964 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 31 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2840 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 32 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2816 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 33 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2864 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 40 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2668 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 41 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2884 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 43 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2820 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 44 PID 2132 wrote to memory of 2928 2132 6fe26eb1e188081ecd9f8c642ad28cf8.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fe26eb1e188081ecd9f8c642ad28cf8.exe"C:\Users\Admin\AppData\Local\Temp\6fe26eb1e188081ecd9f8c642ad28cf8.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HaoZip /f2⤵PID:2828
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPLive /f2⤵PID:2780
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\赛猫购购 /f2⤵PID:2964
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CoralExplorer /f2⤵PID:2840
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX /f2⤵PID:2816
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HaoZip /f2⤵PID:2864
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPLive /f2⤵PID:2668
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\赛猫购购 /f2⤵PID:2884
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CoralExplorer /f2⤵PID:2820
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX /f2⤵PID:2928
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\_uae8.bat2⤵
- Deletes itself
PID:2308
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184B
MD5211cc5f6bdafe64e55066df72bb29488
SHA1c9ce7f5d8e8c46b7a8e1e47a68631077ec5a7707
SHA256495dd76fb2d2265cf6c64f91503994cd512b91f9377d6a0c9b7d4b3507b6cc34
SHA512557a8696b8f9b84fe98f4995120ad8525db3ef090d94ea42d4a51510e5f5e82520779b7f46d6b9aebb7ddaa70dfd7e42867bbdc7e0ff8aa7508f86c548fac6b9