Analysis
- max time kernel: 147s
- max time network: 125s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 12:52
Static task: static1
Behavioral task: behavioral1
- Sample: f0011549f242b69cc3b620f1540c0a0f.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: f0011549f242b69cc3b620f1540c0a0f.exe
- Resource: win10v200722 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: f0011549f242b69cc3b620f1540c0a0f.exe
- Size: 142KB
- MD5: f0011549f242b69cc3b620f1540c0a0f
- SHA1: d44971e1b717b46058a1fecc6b8a19f2b536de85
- SHA256: 1c8ed4600279d1f7c32c1e4b16f8bcdf6f4210fdd550ba96b5a8327dde66858c
- SHA512: f76a36f3b919ee111b938dfc246e5283b1c6e10bbb92bd77a7eb0f8aa98fd2b9c5faad73f563b86379c5e5e2997cb156ddea4905022922870acf7eefb0496d30
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process      target process
  PID 1304 wrote to memory of 1448  1304  taskeng.exe  fuwkipn.exe
  PID 1304 wrote to memory of 1448  1304  taskeng.exe  fuwkipn.exe
  PID 1304 wrote to memory of 1448  1304  taskeng.exe  fuwkipn.exe
  PID 1304 wrote to memory of 1448  1304  taskeng.exe  fuwkipn.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1448  fuwkipn.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                   ioc                           process
  File created                  C:\Windows\Tasks\fuwkipn.job  f0011549f242b69cc3b620f1540c0a0f.exe
  File opened for modification  C:\Windows\Tasks\fuwkipn.job  f0011549f242b69cc3b620f1540c0a0f.exe
- Looks up external IP address via web service (7 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  4     api.ipify.org
  5     api.ipify.org
  22    api.ipify.org
  23    api.ipify.org
  49    api.ipify.org
  50    api.ipify.org
  61    api.ipify.org
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid   process
  1100  f0011549f242b69cc3b620f1540c0a0f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f0011549f242b69cc3b620f1540c0a0f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0011549f242b69cc3b620f1540c0a0f.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3E5D8144-6996-4187-B793-3B038C84F55A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\chvkqge\fuwkipn.exe (child process)
    Command line: C:\ProgramData\chvkqge\fuwkipn.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\chvkqge\fuwkipn.exe
- C:\ProgramData\chvkqge\fuwkipn.exe
- memory/1100-0-0x00000000037A6000-0x00000000037A7000-memory.dmp (Filesize: 4KB)
- memory/1100-1-0x0000000004C80000-0x0000000004C91000-memory.dmp (Filesize: 68KB)
- memory/1448-3-0x0000000000000000-mapping.dmp
- memory/1448-5-0x0000000000276000-0x0000000000277000-memory.dmp (Filesize: 4KB)
- memory/1448-6-0x00000000039A0000-0x00000000039B1000-memory.dmp (Filesize: 68KB)