Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-07-2021 13:58

Static task: static1
Behavioral task: behavioral1
Sample: socks-null.exe
Resource: win7v20210410
General
- Target: socks-null.exe
- Size: 29KB
- MD5: d474d6c26cfcb09d74b1d499ef410786
- SHA1: 4dbf718297e3dc14d0ed4e615b2b6d7f7884bb58
- SHA256: 12fb1d0ec7c8d790cbb49d2e4ece2a59c4d46a31d4c740c94e994d342f2445ac
- SHA512: d357e3e29a4e81475a6537b352ea0fe5ad6f76457b610bcae5204dcd263cb7f02691cbc6b56ab8218569ec0061e0a80b0b5836a16cb5d2a5d05fca0935bcc2e5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 628: wgwfn.exe
- Drops file in Windows directory (2 IoCs)
  Processes: socks-null.exe
    File created: C:\Windows\Tasks\wgwfn.job (socks-null.exe)
    File opened for modification: C:\Windows\Tasks\wgwfn.job (socks-null.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID 772: socks-null.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: taskeng.exe
    PID 1196 (taskeng.exe) wrote to memory of PID 628 (wgwfn.exe)
    PID 1196 (taskeng.exe) wrote to memory of PID 628 (wgwfn.exe)
    PID 1196 (taskeng.exe) wrote to memory of PID 628 (wgwfn.exe)
    PID 1196 (taskeng.exe) wrote to memory of PID 628 (wgwfn.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\socks-null.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\socks-null.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {D8AA51F9-F41D-439D-826B-B5957D6A19BD} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\fapxa\wgwfn.exe (depth 2)
    Command line: C:\ProgramData\fapxa\wgwfn.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\fapxa\wgwfn.exe
  MD5: d474d6c26cfcb09d74b1d499ef410786
  SHA1: 4dbf718297e3dc14d0ed4e615b2b6d7f7884bb58
  SHA256: 12fb1d0ec7c8d790cbb49d2e4ece2a59c4d46a31d4c740c94e994d342f2445ac
  SHA512: d357e3e29a4e81475a6537b352ea0fe5ad6f76457b610bcae5204dcd263cb7f02691cbc6b56ab8218569ec0061e0a80b0b5836a16cb5d2a5d05fca0935bcc2e5
- memory/628-62-0x0000000000000000-mapping.dmp
- memory/772-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
  Filesize: 8KB