617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:14

Target

617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe
Size

36KB
MD5

ba519da814ee8989889fbab4ab506ee3
SHA1

7be209efcf8cfc06a8fe8dc57ad3ddc62ace0342
SHA256

617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d
SHA512

fb4c2a7e76a8af966020b4ac52304c78e367c098ddfbd5b14b361980715dd26e6afefccd61b822268cbd2514ac282414a7aae8f120903865d4d6b6ffd3e9320f
SSDEEP

384:PSGaBtZZCR0gs4ALhpKNifhkSujObfVU3KGqCyn0guSPypYafeA146/B+rcEblo4:Bah8Ht2yfE5JPaW64UUlayHVojY9P5

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3504	yqskqc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yqskqc.exe	617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe
File opened for modification	C:\Windows\SysWOW64\yqskqc.exe	617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 2872	3504	yqskqc.exe	81

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	2872	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4964	617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2872	3504	yqskqc.exe	81
PID 3504 wrote to memory of 2872	3504	yqskqc.exe	81
PID 3504 wrote to memory of 2872	3504	yqskqc.exe	81
PID 3504 wrote to memory of 2872	3504	yqskqc.exe	81
PID 3504 wrote to memory of 2872	3504	yqskqc.exe	81
PID 4964 wrote to memory of 4456	4964	617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe	85
PID 4964 wrote to memory of 4456	4964	617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe	85
PID 4964 wrote to memory of 4456	4964	617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe	85

C:\Users\Admin\AppData\Local\Temp\617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe
"C:\Users\Admin\AppData\Local\Temp\617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\617803~1.EXE > nul
  2⤵
  PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2872 -ip 2872
1⤵
PID:4868

C:\Windows\SysWOW64\yqskqc.exe

Filesize
36KB

MD5
ba519da814ee8989889fbab4ab506ee3

SHA1
7be209efcf8cfc06a8fe8dc57ad3ddc62ace0342

SHA256
617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d

SHA512
fb4c2a7e76a8af966020b4ac52304c78e367c098ddfbd5b14b361980715dd26e6afefccd61b822268cbd2514ac282414a7aae8f120903865d4d6b6ffd3e9320f

Download Submit
C:\Windows\SysWOW64\yqskqc.exe

Filesize
36KB

MD5
ba519da814ee8989889fbab4ab506ee3

SHA1
7be209efcf8cfc06a8fe8dc57ad3ddc62ace0342

SHA256
617803cf96cebf193abc0835ab6aa40d5b8c05074979276b0ee9fec78516132d

SHA512
fb4c2a7e76a8af966020b4ac52304c78e367c098ddfbd5b14b361980715dd26e6afefccd61b822268cbd2514ac282414a7aae8f120903865d4d6b6ffd3e9320f

Download Submit
memory/2872-136-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3504-137-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4964-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4964-139-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download