9671995bd3386098bd836ff8c4844c266952fe7eb45840b4168ea59165470b37

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb02b5d3441559d85cb94ccd851fd4d4.exe
Size

743KB
MD5

cb02b5d3441559d85cb94ccd851fd4d4
SHA1

57ca947f56ca8a8a7e1e71707be7233f82ac63ea
SHA256

9671995bd3386098bd836ff8c4844c266952fe7eb45840b4168ea59165470b37
SHA512

1f1791b60ebaf40a1f985871eccae3dfe40049a0bcfbeb11cfaba4ee1d441de4112f831001827db020b10cc53eb04cee228fff3686d64f4014cae47d0e957855
SSDEEP

12288:DRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GPHvZuIkitQQ52LYRg08yPwDRD0:98MU4ufxdW5A2mJr/kNHvcIkih3Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	Hacker.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HgzServer\Hacker.exe	cb02b5d3441559d85cb94ccd851fd4d4.exe
File opened for modification	C:\Program Files (x86)\HgzServer\Hacker.exe	cb02b5d3441559d85cb94ccd851fd4d4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\61642520.BAT	cb02b5d3441559d85cb94ccd851fd4d4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	cb02b5d3441559d85cb94ccd851fd4d4.exe
Token: SeDebugPrivilege	2984	Hacker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	Hacker.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2600	2984	Hacker.exe	29
PID 2984 wrote to memory of 2600	2984	Hacker.exe	29
PID 2984 wrote to memory of 2600	2984	Hacker.exe	29
PID 2984 wrote to memory of 2600	2984	Hacker.exe	29
PID 2328 wrote to memory of 2772	2328	cb02b5d3441559d85cb94ccd851fd4d4.exe	30
PID 2328 wrote to memory of 2772	2328	cb02b5d3441559d85cb94ccd851fd4d4.exe	30
PID 2328 wrote to memory of 2772	2328	cb02b5d3441559d85cb94ccd851fd4d4.exe	30
PID 2328 wrote to memory of 2772	2328	cb02b5d3441559d85cb94ccd851fd4d4.exe	30

C:\Users\Admin\AppData\Local\Temp\cb02b5d3441559d85cb94ccd851fd4d4.exe
"C:\Users\Admin\AppData\Local\Temp\cb02b5d3441559d85cb94ccd851fd4d4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2772

C:\Program Files (x86)\HgzServer\Hacker.exe
"C:\Program Files (x86)\HgzServer\Hacker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HgzServer\Hacker.exe

Filesize
743KB

MD5
cb02b5d3441559d85cb94ccd851fd4d4

SHA1
57ca947f56ca8a8a7e1e71707be7233f82ac63ea

SHA256
9671995bd3386098bd836ff8c4844c266952fe7eb45840b4168ea59165470b37

SHA512
1f1791b60ebaf40a1f985871eccae3dfe40049a0bcfbeb11cfaba4ee1d441de4112f831001827db020b10cc53eb04cee228fff3686d64f4014cae47d0e957855

Download Submit
C:\Windows\61642520.BAT

Filesize
190B

MD5
4e13fb7c04db78dcd3cbb2b2edb4fe06

SHA1
7dffd94bb8b082c5c92f4672ed9c9be73ebeece1

SHA256
c91545eeb42619829fec16676f2880fabc81af371e02112f5acdbbab00f7343a

SHA512
70e8ae6a6ba8a7fe5c76e6567a640c24665d36bf3729a73a1fe7eaa388042c253989cdf773cca8ee57d31a5bb97d650fa02e5cd2a62d6a2a805ede5da679e16d

Download Submit
memory/2328-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2328-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2328-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2984-5-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2984-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2984-18-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2984-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-24-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download