70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 06:46

Target

70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe
Size

166KB
MD5

7c5eae216e918e2324366e00b4c1f3be
SHA1

bd07827021543999e180e82e08298aed0300e286
SHA256

70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52
SHA512

5d5410ea7326a38d3528433881f0980dba03ee7b7726153c50664b657de078c4b4245a8d4b6e3b429e5cb50e093864e705bce9a5c94da70e87e90a609884ad8e
SSDEEP

3072:aQbkhaft9yH56ZbfMAuk7HhpYO5u/WLtpHS:lbSa/yHglnpYPWx5

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1332	gemuas.exe

Deletes itself 1 IoCs

pid	Process
1812	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gemuas.exe	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe
File opened for modification	C:\Windows\SysWOW64\gemuas.exe	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 1764	1332	gemuas.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1764	1332	gemuas.exe	28
PID 1332 wrote to memory of 1764	1332	gemuas.exe	28
PID 1332 wrote to memory of 1764	1332	gemuas.exe	28
PID 1332 wrote to memory of 1764	1332	gemuas.exe	28
PID 1332 wrote to memory of 1764	1332	gemuas.exe	28
PID 1332 wrote to memory of 1764	1332	gemuas.exe	28
PID 1760 wrote to memory of 1812	1760	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe	29
PID 1760 wrote to memory of 1812	1760	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe	29
PID 1760 wrote to memory of 1812	1760	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe	29
PID 1760 wrote to memory of 1812	1760	70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe	29

C:\Users\Admin\AppData\Local\Temp\70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe
"C:\Users\Admin\AppData\Local\Temp\70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\70EE18~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1812

C:\Windows\SysWOW64\gemuas.exe

Filesize
166KB

MD5
7c5eae216e918e2324366e00b4c1f3be

SHA1
bd07827021543999e180e82e08298aed0300e286

SHA256
70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52

SHA512
5d5410ea7326a38d3528433881f0980dba03ee7b7726153c50664b657de078c4b4245a8d4b6e3b429e5cb50e093864e705bce9a5c94da70e87e90a609884ad8e

Download Submit
C:\Windows\SysWOW64\gemuas.exe

Filesize
166KB

MD5
7c5eae216e918e2324366e00b4c1f3be

SHA1
bd07827021543999e180e82e08298aed0300e286

SHA256
70ee18fc9f0d5a7db66ba2814d22839e223017726858988b4e4418d535abcb52

SHA512
5d5410ea7326a38d3528433881f0980dba03ee7b7726153c50664b657de078c4b4245a8d4b6e3b429e5cb50e093864e705bce9a5c94da70e87e90a609884ad8e

Download Submit
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1764-58-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1764-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download