1c8ed4600279d1f7c32c1e4b16f8bcdf6f4210fdd550ba96b5a8327dde66858c

Analysis

Target

f0011549f242b69cc3b620f1540c0a0f.exe
Size

142KB
MD5

f0011549f242b69cc3b620f1540c0a0f
SHA1

d44971e1b717b46058a1fecc6b8a19f2b536de85
SHA256

1c8ed4600279d1f7c32c1e4b16f8bcdf6f4210fdd550ba96b5a8327dde66858c
SHA512

f76a36f3b919ee111b938dfc246e5283b1c6e10bbb92bd77a7eb0f8aa98fd2b9c5faad73f563b86379c5e5e2997cb156ddea4905022922870acf7eefb0496d30

Score

8^/10

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1304 wrote to memory of 1448	1304	taskeng.exe	fuwkipn.exe
PID 1304 wrote to memory of 1448	1304	taskeng.exe	fuwkipn.exe
PID 1304 wrote to memory of 1448	1304	taskeng.exe	fuwkipn.exe
PID 1304 wrote to memory of 1448	1304	taskeng.exe	fuwkipn.exe

Executes dropped EXE 1 IoCs

Processes:

fuwkipn.exe

pid process

1448 fuwkipn.exe

pid	process
1448	fuwkipn.exe

Drops file in Windows directory 2 IoCs

Processes:

f0011549f242b69cc3b620f1540c0a0f.exe

description	ioc	process
File created	C:\Windows\Tasks\fuwkipn.job	f0011549f242b69cc3b620f1540c0a0f.exe
File opened for modification	C:\Windows\Tasks\fuwkipn.job	f0011549f242b69cc3b620f1540c0a0f.exe

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
22 api.ipify.org
23 api.ipify.org
49 api.ipify.org
50 api.ipify.org
61 api.ipify.org
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f0011549f242b69cc3b620f1540c0a0f.exe

pid process

1100 f0011549f242b69cc3b620f1540c0a0f.exe

pid	process
1100	f0011549f242b69cc3b620f1540c0a0f.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {3E5D8144-6996-4187-B793-3B038C84F55A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\ProgramData\chvkqge\fuwkipn.exe
C:\ProgramData\chvkqge\fuwkipn.exe start
2⤵
- Executes dropped EXE
PID:1448

C:\ProgramData\chvkqge\fuwkipn.exe

Download Submit
C:\ProgramData\chvkqge\fuwkipn.exe

Download Submit
memory/1100-0-0x00000000037A6000-0x00000000037A7000-memory.dmp

Filesize
4KB

Download
memory/1100-1-0x0000000004C80000-0x0000000004C91000-memory.dmp

Filesize
68KB

Download
memory/1448-3-0x0000000000000000-mapping.dmp

Download
memory/1448-5-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1448-6-0x00000000039A0000-0x00000000039B1000-memory.dmp

Filesize
68KB

Download