55ac28e0ee392e64e273b11e4b6ea2455cfe57395f2da35540b95f7c4d9e4046

Analysis

max time kernel
106s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 04:21

Target

tmp.exe
Size

2.2MB
MD5

6c4aa8255e878893238d9d7c46594409
SHA1

3e7c7e3e6465de376c25faeb1193b09525385ead
SHA256

55ac28e0ee392e64e273b11e4b6ea2455cfe57395f2da35540b95f7c4d9e4046
SHA512

26e0b2174d00f7efa4e026eb027dd98327dd472547972ae5f02129aa87dd25b8c1d70bf17dc0cd5afc9986d662b748c33eef319b71799f906d984450e3dffc74
SSDEEP

24576:kdVpasknxaPeDJXXVr6fqkWj9FYnvHmerRW6RGieK8PEMoXsQnBXrP3I2IvrrP3v:Mx0J1HiHg6RUFEMusQn5r422rTm27

Score

5^/10

Drops file in System32 directory 3 IoCs

Processes:

tmp.exe

Executes dropped EXE 1 IoCs

Processes:

instdrv.exe

pid process

2324 instdrv.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1868 taskkill.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
2324	instdrv.exe

pid	process
1868	taskkill.exe

pid	process
664

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powercfg.exetaskkill.exeinstdrv.exe

description	pid	process
Token: SeShutdownPrivilege	3444	powercfg.exe
Token: SeCreatePagefilePrivilege	3444	powercfg.exe
Token: SeShutdownPrivilege	3444	powercfg.exe
Token: SeCreatePagefilePrivilege	3444	powercfg.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	2324	instdrv.exe
Token: SeIncBasePriorityPrivilege	2324	instdrv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exeinstdrv.exe

pid process

2372 tmp.exe
2324 instdrv.exe

pid	process
2372	tmp.exe
2324	instdrv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 1868	2372	tmp.exe	taskkill.exe
PID 2372 wrote to memory of 1868	2372	tmp.exe	taskkill.exe
PID 2372 wrote to memory of 1868	2372	tmp.exe	taskkill.exe
PID 2372 wrote to memory of 4928	2372	tmp.exe	cmd.exe
PID 2372 wrote to memory of 4928	2372	tmp.exe	cmd.exe
PID 2372 wrote to memory of 4928	2372	tmp.exe	cmd.exe
PID 4928 wrote to memory of 3444	4928	cmd.exe	powercfg.exe
PID 4928 wrote to memory of 3444	4928	cmd.exe	powercfg.exe
PID 4928 wrote to memory of 3444	4928	cmd.exe	powercfg.exe
PID 4928 wrote to memory of 2324	4928	cmd.exe	instdrv.exe
PID 4928 wrote to memory of 2324	4928	cmd.exe	instdrv.exe
PID 4928 wrote to memory of 2324	4928	cmd.exe	instdrv.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\instdrv.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\powercfg.exe
powercfg /h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\instdrv.bat

Filesize
100B

MD5
04d8a1f0ca7dce8a7936c6f5ae7baed2

SHA1
9ae4a5e2c3161cc53e87f7c279f4e0ba2b5f241d

SHA256
a9fd3ab66db15f7b05d8ef0bc408fe28927cdf3a11f8e22ec956c0a80b4fd14e

SHA512
c1eca76250138e77278421b7603f3be6678861fa7b519fcd133951e4ac85cc84aedfd97cea98cc320301497ab22d6faa613719be7aff07896fcc704afe39bbc8

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit