b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65

Analysis

max time kernel
165s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 09:38

Target

b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe
Size

48KB
MD5

8ede442ad4c3b82deb74a4713a141e50
SHA1

47e43c69b238b175f39c01f119c4b4b1f11d69a5
SHA256

b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65
SHA512

c3fb68c5a5dc593e7ec33cd8f8776eddac094779c64a7cc697b1b1accbde57d10ad23061a71cdf1cf3dc2a1c5e0d3d11022496bef0ca984f8a2f0040df713a13
SSDEEP

768:T8mYzyN7c9SKiGsU8fKKVuJvSZlNyHg95fppiovz/HC8kEW3DmMb8D:GGN7c9SKiGN8fzrlNyHm5P/Hoc

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
4236	woyooo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\woyooo.exe	b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe
File opened for modification	C:\Windows\SysWOW64\woyooo.exe	b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4236 set thread context of 1112	4236	woyooo.exe	81

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4936	1112	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2700	b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1112	4236	woyooo.exe	81
PID 4236 wrote to memory of 1112	4236	woyooo.exe	81
PID 4236 wrote to memory of 1112	4236	woyooo.exe	81
PID 4236 wrote to memory of 1112	4236	woyooo.exe	81
PID 4236 wrote to memory of 1112	4236	woyooo.exe	81
PID 2700 wrote to memory of 4968	2700	b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe	85
PID 2700 wrote to memory of 4968	2700	b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe	85
PID 2700 wrote to memory of 4968	2700	b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe	85

C:\Users\Admin\AppData\Local\Temp\b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe
"C:\Users\Admin\AppData\Local\Temp\b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B70D5E~1.EXE > nul
  2⤵
  PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1112 -ip 1112
1⤵
PID:4960

C:\Windows\SysWOW64\woyooo.exe

Filesize
48KB

MD5
8ede442ad4c3b82deb74a4713a141e50

SHA1
47e43c69b238b175f39c01f119c4b4b1f11d69a5

SHA256
b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65

SHA512
c3fb68c5a5dc593e7ec33cd8f8776eddac094779c64a7cc697b1b1accbde57d10ad23061a71cdf1cf3dc2a1c5e0d3d11022496bef0ca984f8a2f0040df713a13

Download Submit
C:\Windows\SysWOW64\woyooo.exe

Filesize
48KB

MD5
8ede442ad4c3b82deb74a4713a141e50

SHA1
47e43c69b238b175f39c01f119c4b4b1f11d69a5

SHA256
b70d5e3628500c846da1b26374ca5735dddac2c8334283d11ebf6879ed84cd65

SHA512
c3fb68c5a5dc593e7ec33cd8f8776eddac094779c64a7cc697b1b1accbde57d10ad23061a71cdf1cf3dc2a1c5e0d3d11022496bef0ca984f8a2f0040df713a13

Download Submit
memory/1112-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download