2c266a9a9c74705680c09276003465f35878052e5d0f6d9c79383a31aed6822e

General

Target

SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe
Size

143KB
MD5

df55c9b32a24d8d847ca3580488cab96
SHA1

44962f29fcb30d3efbb3477f144f065ab60e9b08
SHA256

2c266a9a9c74705680c09276003465f35878052e5d0f6d9c79383a31aed6822e
SHA512

349895726d6757df2431d6224e154d3ec660711cb30a131717d24a192c797ce3041c46de8880ceeed1452e4e5e5e43a8127e9966810ff535f37e0d94dc632fab

Score

8^/10

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 276 wrote to memory of 648	276	taskeng.exe	bwtawb.exe
PID 276 wrote to memory of 648	276	taskeng.exe	bwtawb.exe
PID 276 wrote to memory of 648	276	taskeng.exe	bwtawb.exe
PID 276 wrote to memory of 648	276	taskeng.exe	bwtawb.exe
PID 276 wrote to memory of 1648	276	taskeng.exe	ocraaw.exe
PID 276 wrote to memory of 1648	276	taskeng.exe	ocraaw.exe
PID 276 wrote to memory of 1648	276	taskeng.exe	ocraaw.exe
PID 276 wrote to memory of 1648	276	taskeng.exe	ocraaw.exe
PID 276 wrote to memory of 1680	276	taskeng.exe	ukwsk.exe
PID 276 wrote to memory of 1680	276	taskeng.exe	ukwsk.exe
PID 276 wrote to memory of 1680	276	taskeng.exe	ukwsk.exe
PID 276 wrote to memory of 1680	276	taskeng.exe	ukwsk.exe

Executes dropped EXE 3 IoCs

Processes:

bwtawb.exeocraaw.exeukwsk.exe

pid process

648 bwtawb.exe
1648 ocraaw.exe
1680 ukwsk.exe

Drops file in Windows directory 5 IoCs

Processes:

bwtawb.exeocraaw.exeSecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe

description	ioc	process
File created	C:\Windows\Tasks\gvjdumoacsunpikcevx.job	bwtawb.exe
File created	C:\Windows\Tasks\ukwsk.job	ocraaw.exe
File opened for modification	C:\Windows\Tasks\ukwsk.job	ocraaw.exe
File created	C:\Windows\Tasks\bwtawb.job	SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe
File opened for modification	C:\Windows\Tasks\bwtawb.job	SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exeocraaw.exe

pid process

1508 SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe
1648 ocraaw.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

pid	process
1508	SecuriteInfo.com.Generic.mg.df55c9b32a24d8d8.14207.exe
1648	ocraaw.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {8A0478A4-41EF-4AB5-9A38-B4BF2AB7311E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\ProgramData\ndlmop\ukwsk.exe
C:\ProgramData\ndlmop\ukwsk.exe start
2⤵
- Executes dropped EXE
PID:1680

C:\ProgramData\etrft\bwtawb.exe

Download Submit
C:\ProgramData\etrft\bwtawb.exe

Download Submit
C:\ProgramData\ndlmop\ukwsk.exe

Download Submit
C:\ProgramData\ndlmop\ukwsk.exe

Download Submit
C:\Windows\TEMP\ocraaw.exe

Download Submit
C:\Windows\Tasks\bwtawb.job

Download Submit
C:\Windows\Temp\ocraaw.exe

Download Submit
memory/648-6-0x0000000003850000-0x0000000003861000-memory.dmp

Filesize
68KB

Download
memory/648-5-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/648-3-0x0000000000000000-mapping.dmp

Download
memory/1508-0-0x0000000003426000-0x0000000003427000-memory.dmp

Filesize
4KB

Download
memory/1508-1-0x0000000004C20000-0x0000000004C31000-memory.dmp

Filesize
68KB

Download
memory/1648-8-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x0000000003496000-0x0000000003497000-memory.dmp

Filesize
4KB

Download
memory/1648-11-0x00000000038D0000-0x00000000038E1000-memory.dmp

Filesize
68KB

Download
memory/1680-14-0x0000000000000000-mapping.dmp

Download
memory/1680-16-0x0000000003446000-0x0000000003447000-memory.dmp

Filesize
4KB

Download
memory/1680-17-0x00000000039D0000-0x00000000039E1000-memory.dmp

Filesize
68KB

Download