b6129e3a5c30c44c577a5e3f64e2cd08d5faaaa776ec1866912b90dff5aa0493

General

Target

62bc145fa8fe6d16eb238eaf689c4c0d.exe
Size

151KB
MD5

62bc145fa8fe6d16eb238eaf689c4c0d
SHA1

1dc89387bbd77ca4331828699a72aafce85b3623
SHA256

b6129e3a5c30c44c577a5e3f64e2cd08d5faaaa776ec1866912b90dff5aa0493
SHA512

896ef2818c7747ad77baf853fe19b813e0b3409baadfea635cc95ee8535be48917a07741314597d362f9f96ffeadfa9ba30f4e1d1dd586e9a74a9f9ade3f5035

Score

8^/10

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1292 wrote to memory of 1388	1292	taskeng.exe	covmali.exe
PID 1292 wrote to memory of 1388	1292	taskeng.exe	covmali.exe
PID 1292 wrote to memory of 1388	1292	taskeng.exe	covmali.exe
PID 1292 wrote to memory of 1388	1292	taskeng.exe	covmali.exe
PID 1292 wrote to memory of 676	1292	taskeng.exe	siimxsw.exe
PID 1292 wrote to memory of 676	1292	taskeng.exe	siimxsw.exe
PID 1292 wrote to memory of 676	1292	taskeng.exe	siimxsw.exe
PID 1292 wrote to memory of 676	1292	taskeng.exe	siimxsw.exe
PID 1292 wrote to memory of 1596	1292	taskeng.exe	bqumgwt.exe
PID 1292 wrote to memory of 1596	1292	taskeng.exe	bqumgwt.exe
PID 1292 wrote to memory of 1596	1292	taskeng.exe	bqumgwt.exe
PID 1292 wrote to memory of 1596	1292	taskeng.exe	bqumgwt.exe

Executes dropped EXE 3 IoCs

Processes:

covmali.exesiimxsw.exebqumgwt.exe

pid process

1388 covmali.exe
676 siimxsw.exe
1596 bqumgwt.exe

Drops file in Windows directory 5 IoCs

Processes:

62bc145fa8fe6d16eb238eaf689c4c0d.execovmali.exesiimxsw.exe

description	ioc	process
File created	C:\Windows\Tasks\covmali.job	62bc145fa8fe6d16eb238eaf689c4c0d.exe
File opened for modification	C:\Windows\Tasks\covmali.job	62bc145fa8fe6d16eb238eaf689c4c0d.exe
File created	C:\Windows\Tasks\rqrepeisfjucmxkjuhg.job	covmali.exe
File created	C:\Windows\Tasks\bqumgwt.job	siimxsw.exe
File opened for modification	C:\Windows\Tasks\bqumgwt.job	siimxsw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

62bc145fa8fe6d16eb238eaf689c4c0d.exesiimxsw.exe

pid process

1088 62bc145fa8fe6d16eb238eaf689c4c0d.exe
676 siimxsw.exe

pid	process
1088	62bc145fa8fe6d16eb238eaf689c4c0d.exe
676	siimxsw.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {04F639F4-7446-415E-AB09-9BCD00EDA10C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\ProgramData\jvew\bqumgwt.exe
C:\ProgramData\jvew\bqumgwt.exe start
2⤵
- Executes dropped EXE
PID:1596

C:\ProgramData\jvew\bqumgwt.exe

Download Submit
C:\ProgramData\jvew\bqumgwt.exe

Download Submit
C:\ProgramData\mvfnv\covmali.exe

Download Submit
C:\ProgramData\mvfnv\covmali.exe

Download Submit
C:\Windows\TEMP\siimxsw.exe

Download Submit
C:\Windows\Tasks\covmali.job

Download Submit
C:\Windows\Temp\siimxsw.exe

Download Submit
memory/676-8-0x0000000000000000-mapping.dmp

Download
memory/676-10-0x00000000037A6000-0x00000000037A7000-memory.dmp

Filesize
4KB

Download
memory/676-11-0x0000000003A80000-0x0000000003A91000-memory.dmp

Filesize
68KB

Download
memory/1088-0-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1088-1-0x0000000004B90000-0x0000000004BA1000-memory.dmp

Filesize
68KB

Download
memory/1388-6-0x0000000003940000-0x0000000003951000-memory.dmp

Filesize
68KB

Download
memory/1388-5-0x0000000003456000-0x0000000003457000-memory.dmp

Filesize
4KB

Download
memory/1388-3-0x0000000000000000-mapping.dmp

Download
memory/1596-14-0x0000000000000000-mapping.dmp

Download
memory/1596-16-0x00000000034D6000-0x00000000034D7000-memory.dmp

Filesize
4KB

Download
memory/1596-17-0x00000000037D0000-0x00000000037E1000-memory.dmp

Filesize
68KB

Download