837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2

Analysis

max time kernel
136s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 19:37

Target

837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe
Size

88KB
MD5

6c6d6a3119a0bc8e026d990728108300
SHA1

a9ef57d8e45f794984123d10284db89151d5c4bb
SHA256

837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2
SHA512

25ba68d9d043b0e9f39016479edd9dc0963ae8acf3af9f0c161c0e4ee130b7e7347afffc44048139dcb9acb197bd3d71b3c282fb16abda99ff3de5164719795d
SSDEEP

768:7t6PXeuPjtkjB4oHhPYmvJJUjLO9FnToIf1QR+0oMYheQNj3MGVSHGaMQio9:7tAPjtyB48PYmvw6FnToIfCBQNLD8Ge

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1988	fkijqn.exe

Deletes itself 1 IoCs

pid	Process
856	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fkijqn.exe	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe
File opened for modification	C:\Windows\SysWOW64\fkijqn.exe	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1460	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 856	1460	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe	29
PID 1460 wrote to memory of 856	1460	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe	29
PID 1460 wrote to memory of 856	1460	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe	29
PID 1460 wrote to memory of 856	1460	837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe	29

C:\Users\Admin\AppData\Local\Temp\837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe
"C:\Users\Admin\AppData\Local\Temp\837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\837BA0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:856

C:\Windows\SysWOW64\fkijqn.exe
C:\Windows\SysWOW64\fkijqn.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\SysWOW64\fkijqn.exe

Filesize
88KB

MD5
6c6d6a3119a0bc8e026d990728108300

SHA1
a9ef57d8e45f794984123d10284db89151d5c4bb

SHA256
837ba04a1d77db0672edf94c21eb26e95d68941dbc3d244d1c5389c6a6da6ef2

SHA512
25ba68d9d043b0e9f39016479edd9dc0963ae8acf3af9f0c161c0e4ee130b7e7347afffc44048139dcb9acb197bd3d71b3c282fb16abda99ff3de5164719795d

Download Submit
memory/1460-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1460-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-59-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download