36185813fc63e504821d0aa8538b9c0756d077bca71d52b1ad47a4d252913deb

Analysis

max time kernel
150s
max time network
160s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 14:23

Target

50cc1e6326b9675bac32bab3d1eaf98f.exe
Size

65KB
MD5

50cc1e6326b9675bac32bab3d1eaf98f
SHA1

7352d3897e6d9c7991cb5b18f252f8d233e328b2
SHA256

36185813fc63e504821d0aa8538b9c0756d077bca71d52b1ad47a4d252913deb
SHA512

6e5cfb649dab73ad75c4fd8cc998ec3e01226083e6f7fd0e1cb1d93e6a43cb6c32f54f9684dd0bd9adfa4080a285087c0e5783ba2362454c5791218bda1f31c9
SSDEEP

768:1fR895vQgDYJa2Vz16ipD/Kf/W5jRxv8m5zpD/fd3jEFaq0WOH0uO3jPpxwb+kjE:1fR8PvYs+zXp171QFL8H05LrMd7ford

Score

7^/10

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	kkaaya.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kkaaya.exe	50cc1e6326b9675bac32bab3d1eaf98f.exe
File opened for modification	C:\Windows\SysWOW64\kkaaya.exe	50cc1e6326b9675bac32bab3d1eaf98f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	50cc1e6326b9675bac32bab3d1eaf98f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3036	2172	50cc1e6326b9675bac32bab3d1eaf98f.exe	19
PID 2172 wrote to memory of 3036	2172	50cc1e6326b9675bac32bab3d1eaf98f.exe	19
PID 2172 wrote to memory of 3036	2172	50cc1e6326b9675bac32bab3d1eaf98f.exe	19
PID 2172 wrote to memory of 3036	2172	50cc1e6326b9675bac32bab3d1eaf98f.exe	19

C:\Users\Admin\AppData\Local\Temp\50cc1e6326b9675bac32bab3d1eaf98f.exe
"C:\Users\Admin\AppData\Local\Temp\50cc1e6326b9675bac32bab3d1eaf98f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\50CC1E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3036

C:\Windows\SysWOW64\kkaaya.exe
C:\Windows\SysWOW64\kkaaya.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\kkaaya.exe

Filesize
65KB

MD5
50cc1e6326b9675bac32bab3d1eaf98f

SHA1
7352d3897e6d9c7991cb5b18f252f8d233e328b2

SHA256
36185813fc63e504821d0aa8538b9c0756d077bca71d52b1ad47a4d252913deb

SHA512
6e5cfb649dab73ad75c4fd8cc998ec3e01226083e6f7fd0e1cb1d93e6a43cb6c32f54f9684dd0bd9adfa4080a285087c0e5783ba2362454c5791218bda1f31c9

Download Submit