c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 22:00

Target

c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90.exe
Size

563KB
MD5

eaf2f522ed0d5f9ea6a088003954abaa
SHA1

07cf38ca88d08bdf008a4a7c57580a0629e078c1
SHA256

c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90
SHA512

9a37876df42520e5d43628f139bc7d27aa8b35116a92a8d54ba09beaaf6e78ef6da682f8974c7414e3fc90f4cbb6a7d3978c2dae535de7bb99cec93f4237bd4b
SSDEEP

12288:B+SZsGkEp3gos8uXY4cO/gqhd+3C5+qQUjJUU4QdxIYDdtWnI+NKnw/LN:4SrkEp3W8AD/Dhd+y4lqJ8QdCYDoDNKo

Score

8^/10

Executes dropped EXE 2 IoCs

pid	Process
1624	sxeCD57.tmp
808	idhmws.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\idhmws.exe	sxeCD57.tmp
File opened for modification	C:\Windows\SysWOW64\idhmws.exe	sxeCD57.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1624	sxeCD57.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 1624	4044	c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90.exe	80
PID 4044 wrote to memory of 1624	4044	c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90.exe	80
PID 4044 wrote to memory of 1624	4044	c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90.exe	80
PID 1624 wrote to memory of 3184	1624	sxeCD57.tmp	82
PID 1624 wrote to memory of 3184	1624	sxeCD57.tmp	82
PID 1624 wrote to memory of 3184	1624	sxeCD57.tmp	82

C:\Users\Admin\AppData\Local\Temp\c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90.exe
"C:\Users\Admin\AppData\Local\Temp\c27d23348439e75730e49644b525681e74b09848ea879276274b88676c3fff90.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\sxeCD57.tmp
  "C:\Users\Admin\AppData\Local\Temp\sxeCD57.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\sxeCD57.tmp > nul
    3⤵
    PID:3184

C:\Windows\SysWOW64\idhmws.exe
C:\Windows\SysWOW64\idhmws.exe
1⤵
- Executes dropped EXE
PID:808

C:\Users\Admin\AppData\Local\Temp\sxeCD57.tmp

Filesize
65KB

MD5
f92202279cfce75aedc69952a509238b

SHA1
040186324d91ac2046ae5055274fd1248f4e4a98

SHA256
d52b101edf5c36471faf2e064f6eacd59d95cbd3cd02079278f6a8dc35455830

SHA512
85e1010ea4baec6b113e319f12816a9baeabbb777eec7a649b3eb4739f2c0df99b83cb54846286166afd74a999d040070ae978da54e72813bf58f2fa5fe93a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxeCD57.tmp

Filesize
65KB

MD5
f92202279cfce75aedc69952a509238b

SHA1
040186324d91ac2046ae5055274fd1248f4e4a98

SHA256
d52b101edf5c36471faf2e064f6eacd59d95cbd3cd02079278f6a8dc35455830

SHA512
85e1010ea4baec6b113e319f12816a9baeabbb777eec7a649b3eb4739f2c0df99b83cb54846286166afd74a999d040070ae978da54e72813bf58f2fa5fe93a31

Download Submit
C:\Windows\SysWOW64\idhmws.exe

Filesize
65KB

MD5
f92202279cfce75aedc69952a509238b

SHA1
040186324d91ac2046ae5055274fd1248f4e4a98

SHA256
d52b101edf5c36471faf2e064f6eacd59d95cbd3cd02079278f6a8dc35455830

SHA512
85e1010ea4baec6b113e319f12816a9baeabbb777eec7a649b3eb4739f2c0df99b83cb54846286166afd74a999d040070ae978da54e72813bf58f2fa5fe93a31

Download Submit
C:\Windows\SysWOW64\idhmws.exe

Filesize
65KB

MD5
f92202279cfce75aedc69952a509238b

SHA1
040186324d91ac2046ae5055274fd1248f4e4a98

SHA256
d52b101edf5c36471faf2e064f6eacd59d95cbd3cd02079278f6a8dc35455830

SHA512
85e1010ea4baec6b113e319f12816a9baeabbb777eec7a649b3eb4739f2c0df99b83cb54846286166afd74a999d040070ae978da54e72813bf58f2fa5fe93a31

Download Submit