3ff941c75faf0a33ff1a19e5f955ad06e8c9a5d08b38cdb051cfacf252c9d0d4

Analysis

max time kernel
143s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a384cf67f9ef927a5acc30a8b460f3ae.exe
Size

814KB
MD5

a384cf67f9ef927a5acc30a8b460f3ae
SHA1

3563afb42bc7ce287708e5048247f01dc58f5bb8
SHA256

3ff941c75faf0a33ff1a19e5f955ad06e8c9a5d08b38cdb051cfacf252c9d0d4
SHA512

39207c43ff39475e644bcc32f80967026a1306597b18a2c00a7ca6bf8ed90b1d5d68a269c1d67409da5cd1e8254c0627a75ce47cfa858acb3f22a2acc60eee48
SSDEEP

12288:kxzOgf6jCWazEF3Z4mxxl4IxSo62jDrkAS5j2E/HgD+jGEpRmmP2ArQns4j:UzFyukQmXlsohkZqMHgDSXneArqp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2576	temp.exe
2880	Hack48.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	a384cf67f9ef927a5acc30a8b460f3ae.exe
2768	a384cf67f9ef927a5acc30a8b460f3ae.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	temp.exe
File created	C:\Windows\Hack48.com.cn.exe	temp.exe
File opened for modification	C:\Windows\Hack48.com.cn.exe	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	temp.exe
Token: SeDebugPrivilege	2880	Hack48.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	Hack48.com.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2576	2768	a384cf67f9ef927a5acc30a8b460f3ae.exe	28
PID 2768 wrote to memory of 2576	2768	a384cf67f9ef927a5acc30a8b460f3ae.exe	28
PID 2768 wrote to memory of 2576	2768	a384cf67f9ef927a5acc30a8b460f3ae.exe	28
PID 2768 wrote to memory of 2576	2768	a384cf67f9ef927a5acc30a8b460f3ae.exe	28
PID 2880 wrote to memory of 2184	2880	Hack48.com.cn.exe	30
PID 2880 wrote to memory of 2184	2880	Hack48.com.cn.exe	30
PID 2880 wrote to memory of 2184	2880	Hack48.com.cn.exe	30
PID 2880 wrote to memory of 2184	2880	Hack48.com.cn.exe	30
PID 2576 wrote to memory of 2524	2576	temp.exe	31
PID 2576 wrote to memory of 2524	2576	temp.exe	31
PID 2576 wrote to memory of 2524	2576	temp.exe	31
PID 2576 wrote to memory of 2524	2576	temp.exe	31
PID 2576 wrote to memory of 2524	2576	temp.exe	31
PID 2576 wrote to memory of 2524	2576	temp.exe	31
PID 2576 wrote to memory of 2524	2576	temp.exe	31

C:\Users\Admin\AppData\Local\Temp\a384cf67f9ef927a5acc30a8b460f3ae.exe
"C:\Users\Admin\AppData\Local\Temp\a384cf67f9ef927a5acc30a8b460f3ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2524

C:\Windows\Hack48.com.cn.exe
C:\Windows\Hack48.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
134B

MD5
d844dfb0f997e4d32cdb6dafa4d7717a

SHA1
eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec

SHA256
0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a

SHA512
fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
296KB

MD5
6c35781644ddf434656576ad99a1a80c

SHA1
fdf6c6f37afb25da622747101eba2015ef3dbd2d

SHA256
6c55c88207be917359d9255ef65051d057fb07f5f816593e992f592c70434a28

SHA512
67ce06f844310f83734f272930a11475def98795419f96e3007b54688726802f6d344d9332cd5d5e97fbc38486c651d05a3edb6e194e5add85b23e7e05b6f65e

Download Submit
memory/2576-49-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2576-50-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download
memory/2576-51-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2576-67-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download
memory/2768-22-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2768-21-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2768-17-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2768-15-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2768-14-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2768-13-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2768-11-0x0000000003120000-0x0000000003122000-memory.dmp

Filesize
8KB

Download
memory/2768-10-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2768-9-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2768-8-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2768-7-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2768-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2768-5-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2768-4-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2768-3-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2768-2-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2768-18-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2768-19-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2768-23-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2768-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2768-24-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2768-25-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2768-16-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2768-20-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2768-26-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2768-29-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2768-27-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2768-32-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2768-38-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2768-37-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2768-36-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2768-35-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2768-34-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2768-33-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2768-31-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2768-30-0x0000000003110000-0x0000000003115000-memory.dmp

Filesize
20KB

Download
memory/2768-47-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2768-48-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2768-0-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2880-56-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2880-58-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2880-69-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download
memory/2880-70-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download
memory/2880-71-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2880-72-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2880-76-0x0000000000400000-0x00000000004D701C-memory.dmp

Filesize
860KB

Download