a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5

Analysis

max time kernel
46s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:37

Target

a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe
Size

78KB
MD5

791753ac3f9985e814bb491b3cd98bb6
SHA1

0b832a280139237c3078be20da2acd2c69f74d0a
SHA256

a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5
SHA512

036073c90a33a69ff1bea5e5f05cb46be58251c67632ffad994e61f401f260fd77b91c7edc41ec4f4bfa8586a944a6d0080f2374d18baa5685842f913bb024b9
SSDEEP

1536:6HTMQxGoynRLLFXjgRftSsmln/TPMjV5:6zMnjLFyftfmN8V5

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
824	svcaycwq.exe

Deletes itself 1 IoCs

pid	Process
700	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcaycwq.exe	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe
File opened for modification	C:\Windows\SysWOW64\svcaycwq.exe	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 1204	824	svcaycwq.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1380	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1204	824	svcaycwq.exe	28
PID 824 wrote to memory of 1204	824	svcaycwq.exe	28
PID 824 wrote to memory of 1204	824	svcaycwq.exe	28
PID 824 wrote to memory of 1204	824	svcaycwq.exe	28
PID 824 wrote to memory of 1204	824	svcaycwq.exe	28
PID 824 wrote to memory of 1204	824	svcaycwq.exe	28
PID 1380 wrote to memory of 700	1380	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	29
PID 1380 wrote to memory of 700	1380	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	29
PID 1380 wrote to memory of 700	1380	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	29
PID 1380 wrote to memory of 700	1380	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	29

C:\Users\Admin\AppData\Local\Temp\a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe
"C:\Users\Admin\AppData\Local\Temp\a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A392C5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:700

C:\Windows\SysWOW64\svcaycwq.exe

Filesize
78KB

MD5
791753ac3f9985e814bb491b3cd98bb6

SHA1
0b832a280139237c3078be20da2acd2c69f74d0a

SHA256
a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5

SHA512
036073c90a33a69ff1bea5e5f05cb46be58251c67632ffad994e61f401f260fd77b91c7edc41ec4f4bfa8586a944a6d0080f2374d18baa5685842f913bb024b9

Download Submit
C:\Windows\SysWOW64\svcaycwq.exe

Filesize
78KB

MD5
791753ac3f9985e814bb491b3cd98bb6

SHA1
0b832a280139237c3078be20da2acd2c69f74d0a

SHA256
a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5

SHA512
036073c90a33a69ff1bea5e5f05cb46be58251c67632ffad994e61f401f260fd77b91c7edc41ec4f4bfa8586a944a6d0080f2374d18baa5685842f913bb024b9

Download Submit
memory/700-62-0x0000000000000000-mapping.dmp

Download
memory/1204-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1204-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1204-61-0x0000000000405DDF-mapping.dmp

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download