c5bc1c6af0d7ef6f65692aec19d9ef0f393a1ca80ce9a45671ce451e41dee85a

General

Target

e72863de70ee56a86c394313e9ac4558.exe
Size

150KB
MD5

e72863de70ee56a86c394313e9ac4558
SHA1

c9c57dd5bcfd469b4872a2851b93e7c6716b33bd
SHA256

c5bc1c6af0d7ef6f65692aec19d9ef0f393a1ca80ce9a45671ce451e41dee85a
SHA512

c70e1270c6380a378cee5f4aa6bf83c0cd9a9d439b9da7259fe3e338fd0486ecc95bd3071b3bb9dd920c4c19cf0ad7315850d5156cd0132870991d3bd16616fd

Score

8^/10

Drops file in Windows directory 5 IoCs

Processes:

e72863de70ee56a86c394313e9ac4558.exeggjlmc.exeejqcolw.exe

description	ioc	process
File created	C:\Windows\Tasks\ggjlmc.job	e72863de70ee56a86c394313e9ac4558.exe
File opened for modification	C:\Windows\Tasks\ggjlmc.job	e72863de70ee56a86c394313e9ac4558.exe
File created	C:\Windows\Tasks\ovlqctxsosuqsokmijf.job	ggjlmc.exe
File created	C:\Windows\Tasks\jqxm.job	ejqcolw.exe
File opened for modification	C:\Windows\Tasks\jqxm.job	ejqcolw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e72863de70ee56a86c394313e9ac4558.exeejqcolw.exe

pid process

1480 e72863de70ee56a86c394313e9ac4558.exe
752 ejqcolw.exe

pid	process
1480	e72863de70ee56a86c394313e9ac4558.exe
752	ejqcolw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 452 wrote to memory of 1008	452	taskeng.exe	ggjlmc.exe
PID 452 wrote to memory of 1008	452	taskeng.exe	ggjlmc.exe
PID 452 wrote to memory of 1008	452	taskeng.exe	ggjlmc.exe
PID 452 wrote to memory of 1008	452	taskeng.exe	ggjlmc.exe
PID 452 wrote to memory of 752	452	taskeng.exe	ejqcolw.exe
PID 452 wrote to memory of 752	452	taskeng.exe	ejqcolw.exe
PID 452 wrote to memory of 752	452	taskeng.exe	ejqcolw.exe
PID 452 wrote to memory of 752	452	taskeng.exe	ejqcolw.exe
PID 452 wrote to memory of 896	452	taskeng.exe	jqxm.exe
PID 452 wrote to memory of 896	452	taskeng.exe	jqxm.exe
PID 452 wrote to memory of 896	452	taskeng.exe	jqxm.exe
PID 452 wrote to memory of 896	452	taskeng.exe	jqxm.exe

Executes dropped EXE 3 IoCs

Processes:

ggjlmc.exeejqcolw.exejqxm.exe

pid process

1008 ggjlmc.exe
752 ejqcolw.exe
896 jqxm.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {68CE3B5A-98A6-4ABA-A901-D67E04A82DC3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\ProgramData\puwgw\jqxm.exe
C:\ProgramData\puwgw\jqxm.exe start
2⤵
- Executes dropped EXE
PID:896

C:\ProgramData\bbwroi\ggjlmc.exe

Download Submit
C:\ProgramData\bbwroi\ggjlmc.exe

Download Submit
C:\ProgramData\puwgw\jqxm.exe

Download Submit
C:\ProgramData\puwgw\jqxm.exe

Download Submit
C:\Windows\TEMP\ejqcolw.exe

Download Submit
C:\Windows\Tasks\ggjlmc.job

Download Submit
C:\Windows\Temp\ejqcolw.exe

Download Submit
memory/752-8-0x0000000000000000-mapping.dmp

Download
memory/752-10-0x00000000034C6000-0x00000000034C7000-memory.dmp

Filesize
4KB

Download
memory/752-11-0x0000000003A10000-0x0000000003A21000-memory.dmp

Filesize
68KB

Download
memory/896-14-0x0000000000000000-mapping.dmp

Download
memory/896-16-0x00000000037A6000-0x00000000037A7000-memory.dmp

Filesize
4KB

Download
memory/896-17-0x0000000003880000-0x0000000003891000-memory.dmp

Filesize
68KB

Download
memory/1008-6-0x0000000003870000-0x0000000003881000-memory.dmp

Filesize
68KB

Download
memory/1008-5-0x0000000003476000-0x0000000003477000-memory.dmp

Filesize
4KB

Download
memory/1008-3-0x0000000000000000-mapping.dmp

Download
memory/1480-0-0x0000000003436000-0x0000000003437000-memory.dmp

Filesize
4KB

Download
memory/1480-1-0x0000000004D50000-0x0000000004D61000-memory.dmp

Filesize
68KB

Download