328453b7263ce52e34e5b609cb4280fc4fdecc8d291422d3f6718657b885f735

Analysis

max time kernel
91s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 00:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8dc7559c90bdf73a2bc222945440cf7d.exe
Size

289KB
MD5

8dc7559c90bdf73a2bc222945440cf7d
SHA1

32ac54c4937716942d595cd39cbeb38a7e5bf75c
SHA256

328453b7263ce52e34e5b609cb4280fc4fdecc8d291422d3f6718657b885f735
SHA512

6e34841c68dd0767a7feb34a60f54fe8ff433bc096804548462385bbfeda6aa06e6956e9e149497d584e7286bb331141e21de381acc3885608e4b2aa41ec3313
SSDEEP

6144:ibeYS8Nw+7+iyhMppgz3sryGU5801j1LRMOcSx42dMqBXdt:BYS8G7iyepK5ldMsxVuM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	Hacker.com.cn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 1428	2088	Hacker.com.cn.exe	92

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	8dc7559c90bdf73a2bc222945440cf7d.exe
File created	C:\Windows\Hacker.com.cn.exe	8dc7559c90bdf73a2bc222945440cf7d.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	8dc7559c90bdf73a2bc222945440cf7d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
444	1428	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	8dc7559c90bdf73a2bc222945440cf7d.exe
Token: SeDebugPrivilege	2088	Hacker.com.cn.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1428	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1428	2088	Hacker.com.cn.exe	92
PID 2088 wrote to memory of 1428	2088	Hacker.com.cn.exe	92
PID 2088 wrote to memory of 1428	2088	Hacker.com.cn.exe	92
PID 2088 wrote to memory of 1428	2088	Hacker.com.cn.exe	92
PID 2088 wrote to memory of 1428	2088	Hacker.com.cn.exe	92
PID 2184 wrote to memory of 4748	2184	8dc7559c90bdf73a2bc222945440cf7d.exe	96
PID 2184 wrote to memory of 4748	2184	8dc7559c90bdf73a2bc222945440cf7d.exe	96
PID 2184 wrote to memory of 4748	2184	8dc7559c90bdf73a2bc222945440cf7d.exe	96

C:\Users\Admin\AppData\Local\Temp\8dc7559c90bdf73a2bc222945440cf7d.exe
"C:\Users\Admin\AppData\Local\Temp\8dc7559c90bdf73a2bc222945440cf7d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4748

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:1428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 12
    3⤵
    - Program crash
    PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1428 -ip 1428
1⤵
PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hacker.com.cn.exe

Filesize
289KB

MD5
8dc7559c90bdf73a2bc222945440cf7d

SHA1
32ac54c4937716942d595cd39cbeb38a7e5bf75c

SHA256
328453b7263ce52e34e5b609cb4280fc4fdecc8d291422d3f6718657b885f735

SHA512
6e34841c68dd0767a7feb34a60f54fe8ff433bc096804548462385bbfeda6aa06e6956e9e149497d584e7286bb331141e21de381acc3885608e4b2aa41ec3313

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
18KB

MD5
685cb9a1ade15305224bd68b42419b4d

SHA1
4d725751ca1fe4207063b3be5b9476ad907172de

SHA256
2f60e826bc466ed233186f9e68d7cb33c211b71a043f0b228e1d65d05dc19537

SHA512
d6dbf5490d5089063077ab790172f1b1460d8158f90305eff3d502d60592b71c9d2363e775e22d4d8d5233bde1e3a508df49fd841bf4764ce39c0a005988c379

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
abec8ede09f348501617da2560ce1105

SHA1
bc79d90851200e0e39698e241ad27e3dc2015f76

SHA256
2c73ec4af3888a957526e43389cf32d3a771a0c65daef15be6fa198348ac1c94

SHA512
b26a843b44ea355a80ab62ddcab0761abda68c37afeb7d5ebedea448c3c76e185259e6ca28687651eb21548916dc1a03ce938bd1994082c7428b9fbf41439a33

Download Submit
memory/1428-11-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2088-12-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2088-8-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2088-9-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2088-10-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/2088-17-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2184-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2184-3-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2184-15-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2184-2-0x0000000002280000-0x0000000002282000-memory.dmp

Filesize
8KB

Download
memory/2184-1-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download