Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-06-2021 08:43

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: S5.exe
- Resource: win7v20210408
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: S5.exe
- Size: 191KB
- MD5: 691c98b8cefece16707c7b0bd354691c
- SHA1: c73c7e26cfa54781676583a8cca4f670a60f4db2
- SHA256: 2cbcf10a8ddfd7fd306fa0440eb9dac70b9ca39770222b62af5d372446f194a7
- SHA512: dcf882286ce5e2edd2b9b3faa179bad920257566d4e907e6039b4db111ead36e7b02ae8ae3213118870d2b7e24d84f0fce158f3e3e9871e958b9a4ac8b067275
Malware Config (extracted)
- Family: systembc
- C2: 62.113.114.79:4001
Signatures
- Drops file in Windows directory (2 IoCs)
  Processes:
    description                    ioc                          process
    File created                   C:\Windows\Tasks\wow64.job   S5.exe
    File opened for modification   C:\Windows\Tasks\wow64.job   S5.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                         pid    process       target process
    PID 1728 wrote to memory of 1696    1728   taskeng.exe   S5.exe
    PID 1728 wrote to memory of 1696    1728   taskeng.exe   S5.exe
    PID 1728 wrote to memory of 1696    1728   taskeng.exe   S5.exe
    PID 1728 wrote to memory of 1696    1728   taskeng.exe   S5.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\S5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\S5.exe"
  - Drops file in Windows directory
  PID: 1776
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {10D44A0E-0651-48FE-A6DF-4D81F8CD76D7} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1728
  - C:\Users\Admin\AppData\Local\Temp\S5.exe (child of PID 1728)
    Command line: C:\Users\Admin\AppData\Local\Temp\S5.exe start
    PID: 1696
Downloads
- memory/1696-62-0x0000000000000000-mapping.dmp
- memory/1696-65-0x0000000000400000-0x000000000049C000-memory.dmp (filesize: 624KB)
- memory/1776-59-0x00000000001B0000-0x00000000001B5000-memory.dmp (filesize: 20KB)
- memory/1776-60-0x0000000075C31000-0x0000000075C33000-memory.dmp (filesize: 8KB)
- memory/1776-61-0x0000000000400000-0x000000000049C000-memory.dmp (filesize: 624KB)