70cfd9c937d95a62f8cd555873a02eb4c86005382c05b554b3719c2939bacad5

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 00:46

Target

475e179c47be2b99f5a7e648fa93c37f.exe
Size

64KB
MD5

475e179c47be2b99f5a7e648fa93c37f
SHA1

b3c174b36797a997fbde7c510aab2e75ba08c180
SHA256

70cfd9c937d95a62f8cd555873a02eb4c86005382c05b554b3719c2939bacad5
SHA512

89ddb8f6d85118a0c2db7826f59594dd72b4c2ce98290994dd42e73e69accbd7fceb1997a07864e95c11fb3c337edc8edbe2dcaa12de8842c9ed705800e636a0
SSDEEP

768:gIsnfK9Oqn5HZJiXyS2+MscZsGCeIwrvtQ1j9l8/nxNY66xnH:MfK/55JvxD6Gen1jYxG66xH

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3016	GetTran.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zydxc.dat	475e179c47be2b99f5a7e648fa93c37f.exe
File opened for modification	C:\Windows\SysWOW64\zydxc2.dat	475e179c47be2b99f5a7e648fa93c37f.exe
File created	C:\Windows\SysWOW64\zydxc.dat	475e179c47be2b99f5a7e648fa93c37f.exe
File created	C:\Windows\SysWOW64\zydxc2.dat	475e179c47be2b99f5a7e648fa93c37f.exe
File created	C:\windows\SysWOW64\WindowsCad32.exe	475e179c47be2b99f5a7e648fa93c37f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\Windows\GetTran.exe	475e179c47be2b99f5a7e648fa93c37f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4556	475e179c47be2b99f5a7e648fa93c37f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3016	4556	475e179c47be2b99f5a7e648fa93c37f.exe	18
PID 4556 wrote to memory of 3016	4556	475e179c47be2b99f5a7e648fa93c37f.exe	18
PID 4556 wrote to memory of 3016	4556	475e179c47be2b99f5a7e648fa93c37f.exe	18
PID 4556 wrote to memory of 4864	4556	475e179c47be2b99f5a7e648fa93c37f.exe	92
PID 4556 wrote to memory of 4864	4556	475e179c47be2b99f5a7e648fa93c37f.exe	92
PID 4556 wrote to memory of 4864	4556	475e179c47be2b99f5a7e648fa93c37f.exe	92

C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe
"C:\Users\Admin\AppData\Local\Temp\475e179c47be2b99f5a7e648fa93c37f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- \??\c:\Windows\GetTran.exe
  c:\Windows\GetTran.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\475E17~1.EXE > nul
  2⤵
  PID:4864

C:\Windows\GetTran.exe

Filesize
44KB

MD5
5381167509544853bd2c6302d532b292

SHA1
5e4335e60f04f37e0a74bee0447822d95e6bbf57

SHA256
06fb19cf6bf528e15f4b59fc9be36215037a12205ce8fa128873d5555f6fb017

SHA512
132576e3231e589902736cf31d0699af9b2900031822c649431779e32bb2da78eba508db5936a77439df7216eb4c981d19d8ad327c2105c90283b6550839d4c5

Download Submit
C:\Windows\SysWOW64\zydxc2.dat

Filesize
19B

MD5
bfa92f1fdab95ce14fda01cef503034d

SHA1
3e47b39c978dc1167d490f976e5e06dc8db04279

SHA256
8cb610a280dbdcbc2cc7b24e3488354750dc95c8f1dd292a084c660f28efec96

SHA512
302e0565b91d884fc75a2c16e6712b155333cd7bd11b76be70585ee0cb1d8833d0583cd97137ea37ae6396a913b739887a8bbbfa0c5c94da84cd42eb3c3efad8

Download Submit