c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867

Analysis

max time kernel
34s
max time network
39s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe
Size

18KB
MD5

ae59c0e29b92cb6ab4d83e13f801fdb2
SHA1

6133d89dd348a69e7a7ebb14d399b9cb37cbe9b7
SHA256

c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867
SHA512

a97f3d0acef229f95e214e344d5346916d4a00a7e47319a4e72c9938b31daa61fec6eb2881c6aceaa6a56f920ebd8d5e169d79e2332263b155060f99e9eca902
SSDEEP

384:Gc5J6z2MgeOWdntbSEoujkBWd9/11Q/MioH7wDY14CNBn9LkYBYFl9JOG:n5J6iMgnWptb+6uW1ooH7wDY14CNBn9W

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
960	WinHvqf32.exe

Deletes itself 1 IoCs

pid	Process
992	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe
836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHvqf32.exe	WinHvqf32.exe
File created	C:\Windows\SysWOW64\WinHvqf32.exe	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe
File opened for modification	C:\Windows\SysWOW64\WinHvqf32.exe	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe
Token: SeIncBasePriorityPrivilege	960	WinHvqf32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 960	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	27
PID 836 wrote to memory of 960	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	27
PID 836 wrote to memory of 960	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	27
PID 836 wrote to memory of 960	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	27
PID 836 wrote to memory of 992	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	28
PID 836 wrote to memory of 992	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	28
PID 836 wrote to memory of 992	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	28
PID 836 wrote to memory of 992	836	c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe	28
PID 960 wrote to memory of 944	960	WinHvqf32.exe	29
PID 960 wrote to memory of 944	960	WinHvqf32.exe	29
PID 960 wrote to memory of 944	960	WinHvqf32.exe	29
PID 960 wrote to memory of 944	960	WinHvqf32.exe	29

C:\Users\Admin\AppData\Local\Temp\c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe
"C:\Users\Admin\AppData\Local\Temp\c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\WinHvqf32.exe
  "C:\Windows\system32\WinHvqf32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHVQ~1.EXE > nul
    3⤵
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C98096~1.EXE > nul
  2⤵
  - Deletes itself
  PID:992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinHvqf32.exe

Filesize
18KB

MD5
ae59c0e29b92cb6ab4d83e13f801fdb2

SHA1
6133d89dd348a69e7a7ebb14d399b9cb37cbe9b7

SHA256
c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867

SHA512
a97f3d0acef229f95e214e344d5346916d4a00a7e47319a4e72c9938b31daa61fec6eb2881c6aceaa6a56f920ebd8d5e169d79e2332263b155060f99e9eca902

Download Submit
C:\Windows\SysWOW64\WinHvqf32.exe

Filesize
18KB

MD5
ae59c0e29b92cb6ab4d83e13f801fdb2

SHA1
6133d89dd348a69e7a7ebb14d399b9cb37cbe9b7

SHA256
c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867

SHA512
a97f3d0acef229f95e214e344d5346916d4a00a7e47319a4e72c9938b31daa61fec6eb2881c6aceaa6a56f920ebd8d5e169d79e2332263b155060f99e9eca902

Download Submit
\Windows\SysWOW64\WinHvqf32.exe

Filesize
18KB

MD5
ae59c0e29b92cb6ab4d83e13f801fdb2

SHA1
6133d89dd348a69e7a7ebb14d399b9cb37cbe9b7

SHA256
c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867

SHA512
a97f3d0acef229f95e214e344d5346916d4a00a7e47319a4e72c9938b31daa61fec6eb2881c6aceaa6a56f920ebd8d5e169d79e2332263b155060f99e9eca902

Download Submit
\Windows\SysWOW64\WinHvqf32.exe

Filesize
18KB

MD5
ae59c0e29b92cb6ab4d83e13f801fdb2

SHA1
6133d89dd348a69e7a7ebb14d399b9cb37cbe9b7

SHA256
c98096b89a98f0392aa0d94b38ad588bdc49dcc74028eac38d41d8caf62e2867

SHA512
a97f3d0acef229f95e214e344d5346916d4a00a7e47319a4e72c9938b31daa61fec6eb2881c6aceaa6a56f920ebd8d5e169d79e2332263b155060f99e9eca902

Download Submit
memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download