897e30d087d67c5326b0387ca6bb63b9bb0bbfc8f097a3cc3f46b313c6cf141f

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:34

Target

05bccc497c0d9c341645618f20534ded.exe
Size

18KB
MD5

05bccc497c0d9c341645618f20534ded
SHA1

c4dbf00f14ecf8d45e2db476cebbb0b41f68c775
SHA256

897e30d087d67c5326b0387ca6bb63b9bb0bbfc8f097a3cc3f46b313c6cf141f
SHA512

66d557deafc371d53cff363ceca480e10ba02364fd9a73ce5660af13855aa100fd3b243341fdcb226624924af1f74716db53214e8a8cf4b2e628cde5f02e4b0d
SSDEEP

384:aW6qutTnrQXqrkEDoj94Te1kGs+sYdkC8pTSiYyJD:aOynal+S6Te1kG2C8NZYWD

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	05bccc497c0d9c341645618f20534ded.exe
1988	05bccc497c0d9c341645618f20534ded.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ywg32.dll	05bccc497c0d9c341645618f20534ded.exe
File opened for modification	C:\Windows\SysWOW64\ywtlgfl.cfg	05bccc497c0d9c341645618f20534ded.exe
File opened for modification	C:\Windows\SysWOW64\ywtlgfl.dll	05bccc497c0d9c341645618f20534ded.exe
File created	C:\Windows\SysWOW64\ywtlgfl.dll	05bccc497c0d9c341645618f20534ded.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1988	05bccc497c0d9c341645618f20534ded.exe
468	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1988	05bccc497c0d9c341645618f20534ded.exe
Token: SeDebugPrivilege	1988	05bccc497c0d9c341645618f20534ded.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1404	1988	05bccc497c0d9c341645618f20534ded.exe	15
PID 1988 wrote to memory of 2272	1988	05bccc497c0d9c341645618f20534ded.exe	28
PID 1988 wrote to memory of 2272	1988	05bccc497c0d9c341645618f20534ded.exe	28
PID 1988 wrote to memory of 2272	1988	05bccc497c0d9c341645618f20534ded.exe	28
PID 1988 wrote to memory of 2272	1988	05bccc497c0d9c341645618f20534ded.exe	28

\Windows\SysWOW64\ywg32.dll

Filesize
4KB

MD5
3a62d7f22de7a0788f3669ef4c74677c

SHA1
069b78725c8090e2ec60cc97902da2a1cc5c244a

SHA256
7d0a3ac94d75d4b53bf440ccda5e26502a01b46d30254b2c761fca399456739a

SHA512
552c32d9651db16c0c534299745342dc4c6b3edceddf704a6952c288aa25ac8dece1250965b9143d6b2d0de57b54baf7d1d19468200185b4b5c4dd9467e9a85c

Download Submit
memory/1404-13-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1988-3-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1988-12-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1988-14-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download