1aef94e54c1af9a8d0c4fa4cbdc602c025a2b10a097e87184ceb89e124d26e6a | Triage

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
13-07-2021 19:12

Sharing

Report Analysis Logs

General

Target

socks.exe
Size

13KB
MD5

fca6b8e7be21756ad15b863efe86d4f4
SHA1

787885416d0f6a09f7691e9703fa6f9cceba45b3
SHA256

1aef94e54c1af9a8d0c4fa4cbdc602c025a2b10a097e87184ceb89e124d26e6a
SHA512

105b18a82c07bb4d162e507a34a16edda164dedf44b97dba90100927bae4ad48bd6762c220285bc7a25c01620fccbba7cc0eb2992d26aa210bb7bd3320e1152a

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

Processes:

socks.exe

description ioc process

File created C:\Windows\Tasks\wow64.job socks.exe
File opened for modification C:\Windows\Tasks\wow64.job socks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 344 wrote to memory of 1072	344	taskeng.exe	socks.exe
PID 344 wrote to memory of 1072	344	taskeng.exe	socks.exe
PID 344 wrote to memory of 1072	344	taskeng.exe	socks.exe
PID 344 wrote to memory of 1072	344	taskeng.exe	socks.exe

C:\Users\Admin\AppData\Local\Temp\socks.exe
"C:\Users\Admin\AppData\Local\Temp\socks.exe"
1⤵
- Drops file in Windows directory
PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {4A6A8616-EAA6-4C61-94A2-D26A1691510F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\socks.exe
C:\Users\Admin\AppData\Local\Temp\socks.exe start
2⤵
PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-61-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download