Analysis

max time kernel: 136s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211208
submitted: 06-02-2022 09:55

Static task: static1
Behavioral task: behavioral1
Sample: s.exe
Resource: win7-en-20211208
General

Target: s.exe
Size: 261KB
MD5: b536287b4579805e670c79ba866c7d46
SHA1: 31266436fe5ce008a27d96e729470a75dde1c440
SHA256: 1479da55bc8333e46c9923be0e8a57f6597fe4482e263f37581fadb8492eb7c7
SHA512: f4ef6338a30b4b7a4b1b812cc5763c8528cba357d5969a0d07b49df6b3d92644144fdd7ec38ef23a35e84f6c3e0eecf2b5e43b08dc6a5eaaeb7c8390f27ee508
Malware Config

Extracted
Family: systembc
C2: 194.33.45.6:4001
Signatures

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/SystemBC CnC Checkin
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
- process: prullk.exe, PID 1572
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\Tasks\prullk.job (by s.exe)
- File opened for modification: C:\Windows\Tasks\prullk.job (by s.exe)
- File created: C:\Windows\Tasks\vtacvipojupcvjppjvp.job (by prullk.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- process: s.exe, PID 1512
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 816 (taskeng.exe) wrote to memory of PID 1572 (prullk.exe), four identical entries
Processes

C:\Users\Admin\AppData\Local\Temp\s.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\s.exe"
  PID: 1512
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {26110206-83F0-4D24-91B7-CAAC9B43F4C1} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 816
  - Suspicious use of WriteProcessMemory
  child: C:\ProgramData\vfovk\prullk.exe
    command line: C:\ProgramData\vfovk\prullk.exe start
    PID: 1572
    - Executes dropped EXE
    - Drops file in Windows directory
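The process tree above is the whole persistence chain: s.exe writes C:\Windows\Tasks\prullk.job, the Task Scheduler engine (taskeng.exe, running as S-1-5-18) then starts C:\ProgramData\vfovk\prullk.exe, and that copy checks in to the extracted C2 194.33.45.6:4001. The hunt below is an added Python example, not part of the sandbox report: it runs that chain logic over Sysmon-style events. The EVENTS list is constructed to mirror the report (the parent of s.exe, the hash fields and the benign taskeng.exe noise event are assumptions), and the rule names are mine.

```python
"""
Hunt for the SystemBC persistence chain in this report over Sysmon-style
process (EventID 1), file-create (EventID 11) and network (EventID 3) events:

  1. an image outside the Windows/Program Files trees writes
     C:\\Windows\\Tasks\\<name>.job (legacy job file, Windows 7 era)
  2. taskeng.exe later launches <name>.exe from an untrusted path
  3. the launched copy connects to the extracted C2

EVENTS is constructed to mirror the report; it is not sandbox output.
"""
from pathlib import PureWindowsPath

# Indicators copied from the report.
SYSTEMBC_C2 = ("194.33.45.6", 4001)
SAMPLE_SHA256 = "1479da55bc8333e46c9923be0e8a57f6597fe4482e263f37581fadb8492eb7c7"

TASKS_DIR = "c:\\windows\\tasks\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_image(image: str) -> bool:
    """True when the executable lives under a root user-level malware rarely writes to."""
    return image.lower().startswith(TRUSTED_ROOTS)


def is_tasks_job(target: str) -> bool:
    """True for C:\\Windows\\Tasks\\*.job writes (case-insensitive)."""
    t = target.lower()
    return t.startswith(TASKS_DIR) and t.endswith(".job")


def hunt(events):
    """Return findings as (rule, image, detail) tuples, in event order."""
    findings = []
    job_writers = {}  # job name (file stem) -> image that wrote it
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 11 and is_tasks_job(ev["TargetFilename"]):
            if not is_trusted_image(image):
                stem = PureWindowsPath(ev["TargetFilename"]).stem.lower()
                job_writers[stem] = image
                findings.append(("job_written_by_untrusted_image", image, ev["TargetFilename"]))
        elif eid == 1:
            parent = ev.get("ParentImage", "").lower()
            if parent.endswith("\\taskeng.exe") and not is_trusted_image(image):
                # Tie the launch back to the job file with the same name, if we saw it.
                stem = PureWindowsPath(image).stem.lower()
                findings.append(("taskeng_launched_untrusted_image", image, job_writers.get(stem)))
            if SAMPLE_SHA256 in ev.get("Hashes", "").lower():
                findings.append(("known_systembc_hash", image, SAMPLE_SHA256))
        elif eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) == SYSTEMBC_C2:
            findings.append(("systembc_c2_connection", image, "%s:%d" % SYSTEMBC_C2))
    return findings


def chain_complete(findings) -> bool:
    """True when job drop, taskeng launch and C2 beacon all appear."""
    rules = {f[0] for f in findings}
    return {"job_written_by_untrusted_image",
            "taskeng_launched_untrusted_image",
            "systembc_c2_connection"} <= rules


# Constructed events mirroring the report (hashes, parent of s.exe and the
# wsqmcons.exe noise line are assumptions, not sandbox output).
S_EXE = r"C:\Users\Admin\AppData\Local\Temp\s.exe"
DROP = r"C:\ProgramData\vfovk\prullk.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 1512, "Image": S_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"WIN7\Admin", "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventID": 11, "ProcessId": 1512, "Image": S_EXE, "TargetFilename": DROP},
    {"EventID": 11, "ProcessId": 1512, "Image": S_EXE, "TargetFilename": r"C:\Windows\Tasks\prullk.job"},
    {"EventID": 1, "ProcessId": 1572, "Image": DROP, "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "CommandLine": DROP + " start", "User": r"NT AUTHORITY\SYSTEM", "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventID": 11, "ProcessId": 1572, "Image": DROP, "TargetFilename": r"C:\Windows\Tasks\vtacvipojupcvjppjvp.job"},
    {"EventID": 3, "ProcessId": 1572, "Image": DROP, "DestinationIp": "194.33.45.6", "DestinationPort": 4001},
    # Benign noise: the scheduler engine launching a Windows binary must not fire.
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\wsqmcons.exe",
     "ParentImage": r"C:\Windows\system32\taskeng.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(*f)
    print("chain complete:", chain_complete(hunt(EVENTS)))
```

The job-name correlation (prullk.job to prullk.exe) is what separates this chain from ordinary scheduled-task activity; on its own, a taskeng.exe child outside the Windows tree is noisy, and a *.job write from a user-writable path is the stronger of the two signals.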
Network
MITRE ATT&CK Matrix
Downloads
C:\ProgramData\vfovk\prullk.exe
MD5: b536287b4579805e670c79ba866c7d46
SHA1: 31266436fe5ce008a27d96e729470a75dde1c440
SHA256: 1479da55bc8333e46c9923be0e8a57f6597fe4482e263f37581fadb8492eb7c7
SHA512: f4ef6338a30b4b7a4b1b812cc5763c8528cba357d5969a0d07b49df6b3d92644144fdd7ec38ef23a35e84f6c3e0eecf2b5e43b08dc6a5eaaeb7c8390f27ee508
(identical to the submitted s.exe: the dropped file is a byte-for-byte copy of the sample)
memory/1512-53-0x0000000076001000-0x0000000076003000-memory.dmp: 8KB
memory/1512-54-0x00000000001B0000-0x00000000001B8000-memory.dmp: 32KB
memory/1512-55-0x00000000001C0000-0x00000000001C9000-memory.dmp: 36KB
memory/1512-56-0x0000000000400000-0x0000000002C25000-memory.dmp: 40.1MB
memory/1572-60-0x0000000000400000-0x0000000002C25000-memory.dmp: 40.1MB

Both s.exe (PID 1512) and its copy prullk.exe (PID 1572) map the same 0x400000-0x2C25000 region, 40.1MB in memory for a 261KB file on disk.