8879a10fa8b3137d02af27622fc7e64cc96820269b8e0dd398c1d1c61a6a6c7f | Triage

Analysis

max time kernel
118s
max time network
135s
platform
windows7_x64
resource
win7-en-20211014
submitted
07-11-2021 14:39

Sharing

Report Analysis Logs

General

Target

socks.exe
Size

13KB
MD5

e4c8d559e5fc325eb083367b319da929
SHA1

cb14ececa050eeea5057b03568c6e100c9b8fc1b
SHA256

8879a10fa8b3137d02af27622fc7e64cc96820269b8e0dd398c1d1c61a6a6c7f
SHA512

80ea3a78b1add5e2f65f03a61a81d870a04a0345e8b6c8d2bcda12dd91e3c390455ebe2fd157b8ca6da65bafd3e7bcc1e5c30c42a0015ae366487c24d6c3204a

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

Processes:

socks.exe

description ioc process

File created C:\Windows\Tasks\wow64.job socks.exe
File opened for modification C:\Windows\Tasks\wow64.job socks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1120 wrote to memory of 572	1120	taskeng.exe	socks.exe
PID 1120 wrote to memory of 572	1120	taskeng.exe	socks.exe
PID 1120 wrote to memory of 572	1120	taskeng.exe	socks.exe
PID 1120 wrote to memory of 572	1120	taskeng.exe	socks.exe

C:\Users\Admin\AppData\Local\Temp\socks.exe
"C:\Users\Admin\AppData\Local\Temp\socks.exe"
1⤵
- Drops file in Windows directory
PID:900

C:\Windows\system32\taskeng.exe
taskeng.exe {5B7A8F46-3631-48EC-849B-61A45C3E39D7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\socks.exe
  C:\Users\Admin\AppData\Local\Temp\socks.exe start
  2⤵
  PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-56-0x0000000000000000-mapping.dmp

Download
memory/900-55-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download