Analysis
- max time kernel: 62s
- max time network: 157s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06-07-2021 16:05
Static task: static1
Behavioral task: behavioral1
- Sample: 26e9fcf63f321363b555a2bbe423c5ee.exe
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures, 0 seconds
General
- Target: 26e9fcf63f321363b555a2bbe423c5ee.exe
- Size: 780KB
- MD5: 26e9fcf63f321363b555a2bbe423c5ee
- SHA1: 5e7d7acb5e4c3ff3586740dfb556fe5ba53e947e
- SHA256: 249e53beb5992ce00d694688998e54743fcc74ad4f2942be7f66596b8c0a8867
- SHA512: 4ebd7445c1e8be832d69b2b1b669b74d7524bd219b9d325ca009feb298a542f377906598978ec07a9bfed1ec8ef268224f9f86bfa8ca13e934f73be307d87641
Malware Config
Extracted
- Family: systembc
- C2:
  - 185.215.113.32:4000
  - 78.47.64.46:4000
Signatures
- Drops file in Windows directory (2 IoCs)
  Processes: 26e9fcf63f321363b555a2bbe423c5ee.exe
  description | ioc | process
  - File created | C:\Windows\Tasks\wow64.job | 26e9fcf63f321363b555a2bbe423c5ee.exe
  - File opened for modification | C:\Windows\Tasks\wow64.job | 26e9fcf63f321363b555a2bbe423c5ee.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: taskeng.exe
  description | pid | process | target process
  - PID 1708 wrote to memory of 1696 | 1708 | taskeng.exe | 26e9fcf63f321363b555a2bbe423c5ee.exe
  - PID 1708 wrote to memory of 1696 | 1708 | taskeng.exe | 26e9fcf63f321363b555a2bbe423c5ee.exe
  - PID 1708 wrote to memory of 1696 | 1708 | taskeng.exe | 26e9fcf63f321363b555a2bbe423c5ee.exe
  - PID 1708 wrote to memory of 1696 | 1708 | taskeng.exe | 26e9fcf63f321363b555a2bbe423c5ee.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\26e9fcf63f321363b555a2bbe423c5ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26e9fcf63f321363b555a2bbe423c5ee.exe"
  - Drops file in Windows directory
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9C7F63D8-9EA4-4229-846D-C744401A7127} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\26e9fcf63f321363b555a2bbe423c5ee.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\26e9fcf63f321363b555a2bbe423c5ee.exe start
Network
MITRE ATT&CK Matrix
Downloads
- memory/1696-64-0x0000000000000000-mapping.dmp
- memory/1696-66-0x00000000001C0000-0x00000000001C1000-memory.dmp (Filesize: 4KB)
- memory/1696-68-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)
- memory/2028-60-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/2028-62-0x00000000003F0000-0x00000000003F5000-memory.dmp (Filesize: 20KB)
- memory/2028-61-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
- memory/2028-63-0x0000000000400000-0x00000000004C8000-memory.dmp (Filesize: 800KB)