bbfe0fe3007141df44faec7db1a930169a0bdee1f71ed7f5b8e2e1e3c6800c0c

General

Target

cb9b368e317d4ea44000bfb64abca924.exe
Size

532KB
MD5

cb9b368e317d4ea44000bfb64abca924
SHA1

d436511b9fa069d98d947312f1b12252356673b4
SHA256

bbfe0fe3007141df44faec7db1a930169a0bdee1f71ed7f5b8e2e1e3c6800c0c
SHA512

0d159609f35460b58aa846fba6599f5c9b268e83b59cd31ea0f48ce1a2cc2a6cd94df41f290d240de9c7bd9a9cfa1dc17e31848dfc6b421c6cb26434b47dfb43
SSDEEP

12288:pkten5HWfyWEAbuSZhrKvxDHQo30veuBfqUFlh:pAenhWEAbuSbtRGuBiiD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	22qq.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\22qq.exe	cb9b368e317d4ea44000bfb64abca924.exe
File opened for modification	C:\Windows\22qq.exe	cb9b368e317d4ea44000bfb64abca924.exe
File created	C:\Windows\uninstal.bat	cb9b368e317d4ea44000bfb64abca924.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	cb9b368e317d4ea44000bfb64abca924.exe
Token: SeDebugPrivilege	2548	22qq.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	22qq.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2180 wrote to memory of 2676	2180	cb9b368e317d4ea44000bfb64abca924.exe	30
PID 2548 wrote to memory of 3040	2548	22qq.exe	29
PID 2548 wrote to memory of 3040	2548	22qq.exe	29
PID 2548 wrote to memory of 3040	2548	22qq.exe	29
PID 2548 wrote to memory of 3040	2548	22qq.exe	29

C:\Users\Admin\AppData\Local\Temp\cb9b368e317d4ea44000bfb64abca924.exe
"C:\Users\Admin\AppData\Local\Temp\cb9b368e317d4ea44000bfb64abca924.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2676

C:\Windows\22qq.exe
C:\Windows\22qq.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\22qq.exe

Filesize
532KB

MD5
cb9b368e317d4ea44000bfb64abca924

SHA1
d436511b9fa069d98d947312f1b12252356673b4

SHA256
bbfe0fe3007141df44faec7db1a930169a0bdee1f71ed7f5b8e2e1e3c6800c0c

SHA512
0d159609f35460b58aa846fba6599f5c9b268e83b59cd31ea0f48ce1a2cc2a6cd94df41f290d240de9c7bd9a9cfa1dc17e31848dfc6b421c6cb26434b47dfb43

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
f35776e6b99e21f8f39f1bead0f50006

SHA1
a33247c73f13bf48b78ae64a1c1ed40386db24ba

SHA256
5feb647acaf069ed69e6e62dcbc2c676eaee98abe83cec60fb7841cc83d0e1dd

SHA512
051f9b5957d4c716f875b6a768d49000c1033dd1340c7664438440b43ac2fd51f8ce95458c31af455171e3edf7322a009fb911f24811542ffa33e5fe4a0cb44f

Download Submit
memory/2180-10-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2180-15-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2180-7-0x0000000002830000-0x0000000002833000-memory.dmp

Filesize
12KB

Download
memory/2180-6-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2180-5-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2180-4-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2180-3-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2180-13-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2180-9-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2180-14-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2180-16-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2180-12-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2180-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2180-8-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2180-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2180-36-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/2180-1-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/2180-35-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2548-24-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2548-21-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2548-25-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2548-20-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2548-23-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2548-22-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2548-33-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2548-38-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2548-39-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2548-41-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2548-48-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing