b3e048c573d798a7bb0e231965aacdf949ff0e92caa7b3a7af3f602096ce5180

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 14:30

Target

c39a7d32fb3218b464c98f8182c109e2.exe
Size

546KB
MD5

c39a7d32fb3218b464c98f8182c109e2
SHA1

4a7b6ec5274afd2130e83669845ab4644be5d589
SHA256

b3e048c573d798a7bb0e231965aacdf949ff0e92caa7b3a7af3f602096ce5180
SHA512

82cfbff00c329ca86fb6ecb80df9b6e89694c327dc277fa0b638ef44a71645faee7f9144961b61698cc1ba304a4e15bca9bd0531de22bd16edb79e68da2c3733
SSDEEP

12288:EFn39nONzAnJkySMWVpDDRdzY9+Q4li8rwnzZIc/mvY:Ex39gzCJksWVpDDvqkVUzZIumv

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2264	Hacker.com.cn.ini

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.ini	c39a7d32fb3218b464c98f8182c109e2.exe
File opened for modification	C:\Windows\Hacker.com.cn.ini	c39a7d32fb3218b464c98f8182c109e2.exe
File created	C:\Windows\uninstal.bat	c39a7d32fb3218b464c98f8182c109e2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	c39a7d32fb3218b464c98f8182c109e2.exe
Token: SeDebugPrivilege	2264	Hacker.com.cn.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	Hacker.com.cn.ini

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 556	2264	Hacker.com.cn.ini	94
PID 2264 wrote to memory of 556	2264	Hacker.com.cn.ini	94
PID 4728 wrote to memory of 3024	4728	c39a7d32fb3218b464c98f8182c109e2.exe	96
PID 4728 wrote to memory of 3024	4728	c39a7d32fb3218b464c98f8182c109e2.exe	96
PID 4728 wrote to memory of 3024	4728	c39a7d32fb3218b464c98f8182c109e2.exe	96

C:\Users\Admin\AppData\Local\Temp\c39a7d32fb3218b464c98f8182c109e2.exe
"C:\Users\Admin\AppData\Local\Temp\c39a7d32fb3218b464c98f8182c109e2.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3024

C:\Windows\Hacker.com.cn.ini
C:\Windows\Hacker.com.cn.ini
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:556

C:\Windows\Hacker.com.cn.ini

Filesize
546KB

MD5
c39a7d32fb3218b464c98f8182c109e2

SHA1
4a7b6ec5274afd2130e83669845ab4644be5d589

SHA256
b3e048c573d798a7bb0e231965aacdf949ff0e92caa7b3a7af3f602096ce5180

SHA512
82cfbff00c329ca86fb6ecb80df9b6e89694c327dc277fa0b638ef44a71645faee7f9144961b61698cc1ba304a4e15bca9bd0531de22bd16edb79e68da2c3733

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
09b4ba31389591f6ad364220461c891f

SHA1
cc6128df0a34c7d91fdb416562dd9e84526434a9

SHA256
45c0d36a9709573c158a7ba0af255bcad01fe8809d5eaf0b39db8ce170e9d0b5

SHA512
69964158fbb397bc84c0b79a2e5325331e0406e1e6d40f23a1a99f726b29785323722cd0c3889bbf2a0d0accfa78446b7a8407e0238f480039a2595709793af7

Download Submit
memory/2264-7-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2264-12-0x0000000000400000-0x00000000005A3200-memory.dmp

Filesize
1.6MB

Download
memory/2264-13-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2264-14-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/4728-0-0x0000000000400000-0x00000000005A3200-memory.dmp

Filesize
1.6MB

Download
memory/4728-1-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4728-2-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4728-10-0x0000000000400000-0x00000000005A3200-memory.dmp

Filesize
1.6MB

Download