a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5

Analysis

max time kernel
330s
max time network
388s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 09:37

Target

a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe
Size

78KB
MD5

791753ac3f9985e814bb491b3cd98bb6
SHA1

0b832a280139237c3078be20da2acd2c69f74d0a
SHA256

a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5
SHA512

036073c90a33a69ff1bea5e5f05cb46be58251c67632ffad994e61f401f260fd77b91c7edc41ec4f4bfa8586a944a6d0080f2374d18baa5685842f913bb024b9
SSDEEP

1536:6HTMQxGoynRLLFXjgRftSsmln/TPMjV5:6zMnjLFyftfmN8V5

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4004	svcykgye.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcykgye.exe	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe
File opened for modification	C:\Windows\SysWOW64\svcykgye.exe	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 4332	4004	svcykgye.exe	81

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	4332	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1312	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4332	4004	svcykgye.exe	81
PID 4004 wrote to memory of 4332	4004	svcykgye.exe	81
PID 4004 wrote to memory of 4332	4004	svcykgye.exe	81
PID 4004 wrote to memory of 4332	4004	svcykgye.exe	81
PID 4004 wrote to memory of 4332	4004	svcykgye.exe	81
PID 1312 wrote to memory of 4644	1312	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	84
PID 1312 wrote to memory of 4644	1312	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	84
PID 1312 wrote to memory of 4644	1312	a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe	84

C:\Users\Admin\AppData\Local\Temp\a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe
"C:\Users\Admin\AppData\Local\Temp\a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A392C5~1.EXE > nul
  2⤵
  PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4332 -ip 4332
1⤵
PID:2948

C:\Windows\SysWOW64\svcykgye.exe

Filesize
78KB

MD5
791753ac3f9985e814bb491b3cd98bb6

SHA1
0b832a280139237c3078be20da2acd2c69f74d0a

SHA256
a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5

SHA512
036073c90a33a69ff1bea5e5f05cb46be58251c67632ffad994e61f401f260fd77b91c7edc41ec4f4bfa8586a944a6d0080f2374d18baa5685842f913bb024b9

Download Submit
C:\Windows\SysWOW64\svcykgye.exe

Filesize
78KB

MD5
791753ac3f9985e814bb491b3cd98bb6

SHA1
0b832a280139237c3078be20da2acd2c69f74d0a

SHA256
a392c5c2d2da28e4c8c7de69bb112b2648643161d8b11a1c9109baa96f2997e5

SHA512
036073c90a33a69ff1bea5e5f05cb46be58251c67632ffad994e61f401f260fd77b91c7edc41ec4f4bfa8586a944a6d0080f2374d18baa5685842f913bb024b9

Download Submit
memory/4332-134-0x0000000000000000-mapping.dmp

Download
memory/4332-135-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4644-136-0x0000000000000000-mapping.dmp

Download