7a245e07279488497a16ef86a6129b1bd8c72c18b37a2504bee743c528aab8da

General

Target

55a4729b40ed4f2aaccb3d59ddf80d95.exe
Size

151KB
MD5

55a4729b40ed4f2aaccb3d59ddf80d95
SHA1

c5cc028d488b4a348091528f3089d04dac432eaf
SHA256

7a245e07279488497a16ef86a6129b1bd8c72c18b37a2504bee743c528aab8da
SHA512

5e1afba9ccac1be8941e8e1204a1ccf5bf75f8d95b8574c13a11f0a628af7ec795be9bd2f1930b071f17016cc5af35e90e7f491c1c8e2505c4a3cb76670109cd

Score

8^/10

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 544 wrote to memory of 1012	544	taskeng.exe	cukol.exe
PID 544 wrote to memory of 1012	544	taskeng.exe	cukol.exe
PID 544 wrote to memory of 1012	544	taskeng.exe	cukol.exe
PID 544 wrote to memory of 1012	544	taskeng.exe	cukol.exe
PID 544 wrote to memory of 1752	544	taskeng.exe	anrvgk.exe
PID 544 wrote to memory of 1752	544	taskeng.exe	anrvgk.exe
PID 544 wrote to memory of 1752	544	taskeng.exe	anrvgk.exe
PID 544 wrote to memory of 1752	544	taskeng.exe	anrvgk.exe
PID 544 wrote to memory of 1652	544	taskeng.exe	ptaakf.exe
PID 544 wrote to memory of 1652	544	taskeng.exe	ptaakf.exe
PID 544 wrote to memory of 1652	544	taskeng.exe	ptaakf.exe
PID 544 wrote to memory of 1652	544	taskeng.exe	ptaakf.exe

Executes dropped EXE 3 IoCs

Processes:

cukol.exeanrvgk.exeptaakf.exe

pid process

1012 cukol.exe
1752 anrvgk.exe
1652 ptaakf.exe

Drops file in Windows directory 5 IoCs

Processes:

55a4729b40ed4f2aaccb3d59ddf80d95.execukol.exeanrvgk.exe

description	ioc	process
File created	C:\Windows\Tasks\cukol.job	55a4729b40ed4f2aaccb3d59ddf80d95.exe
File opened for modification	C:\Windows\Tasks\cukol.job	55a4729b40ed4f2aaccb3d59ddf80d95.exe
File created	C:\Windows\Tasks\amekkbbqqhhxwonfeut.job	cukol.exe
File created	C:\Windows\Tasks\ptaakf.job	anrvgk.exe
File opened for modification	C:\Windows\Tasks\ptaakf.job	anrvgk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

55a4729b40ed4f2aaccb3d59ddf80d95.exeanrvgk.exe

pid process

1440 55a4729b40ed4f2aaccb3d59ddf80d95.exe
1752 anrvgk.exe

pid	process
1440	55a4729b40ed4f2aaccb3d59ddf80d95.exe
1752	anrvgk.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {C8F84AA7-04CE-4736-ADA9-B6971C7467E0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\ProgramData\dqitt\ptaakf.exe
C:\ProgramData\dqitt\ptaakf.exe start
2⤵
- Executes dropped EXE
PID:1652

C:\ProgramData\dqitt\ptaakf.exe

Download Submit
C:\ProgramData\dqitt\ptaakf.exe

Download Submit
C:\ProgramData\kdovd\cukol.exe

Download Submit
C:\ProgramData\kdovd\cukol.exe

Download Submit
C:\Windows\TEMP\anrvgk.exe

Download Submit
C:\Windows\Tasks\cukol.job

Download Submit
C:\Windows\Temp\anrvgk.exe

Download Submit
memory/1012-6-0x0000000003940000-0x0000000003951000-memory.dmp

Filesize
68KB

Download
memory/1012-5-0x0000000003436000-0x0000000003437000-memory.dmp

Filesize
4KB

Download
memory/1012-3-0x0000000000000000-mapping.dmp

Download
memory/1440-0-0x00000000033C6000-0x00000000033C7000-memory.dmp

Filesize
4KB

Download
memory/1440-1-0x0000000004CA0000-0x0000000004CB1000-memory.dmp

Filesize
68KB

Download
memory/1652-14-0x0000000000000000-mapping.dmp

Download
memory/1652-16-0x0000000003456000-0x0000000003457000-memory.dmp

Filesize
4KB

Download
memory/1652-17-0x0000000003850000-0x0000000003861000-memory.dmp

Filesize
68KB

Download
memory/1752-8-0x0000000000000000-mapping.dmp

Download
memory/1752-10-0x0000000003786000-0x0000000003787000-memory.dmp

Filesize
4KB

Download
memory/1752-11-0x0000000003860000-0x0000000003871000-memory.dmp

Filesize
68KB

Download