Analysis
- max time kernel
  4294181s
- max time network
  124s
- platform
  windows7_x64
- resource
  win7-20220311-en
- submitted
  26-03-2022 15:57
Static task
static1
Behavioral task
behavioral1
Sample
a7cbdc69144242409bce8285135b61f8.exe
Resource
win7-20220311-en
General
- Target
  a7cbdc69144242409bce8285135b61f8.exe
- Size
  223KB
- MD5
  a7cbdc69144242409bce8285135b61f8
- SHA1
  73594de56be8beaf92392af56c8bcc2fa44a6eac
- SHA256
  f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
- SHA512
  8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3
Malware Config
Extracted
systembc
31.44.185.6:4001
31.44.185.11:4001
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
  pid    process
  892    rdwexs.exe
  1416   rurddh.exe
  1852   vahpnl.exe
- Drops file in Windows directory (5 IoCs)
  Processes:
  description                    ioc                                        process
  File created                   C:\Windows\Tasks\ljlagbrplilwkenstgp.job   rdwexs.exe
  File created                   C:\Windows\Tasks\vahpnl.job                rurddh.exe
  File opened for modification   C:\Windows\Tasks\vahpnl.job                rurddh.exe
  File created                   C:\Windows\Tasks\rdwexs.job                a7cbdc69144242409bce8285135b61f8.exe
  File opened for modification   C:\Windows\Tasks\rdwexs.job                a7cbdc69144242409bce8285135b61f8.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid    process
  1280   a7cbdc69144242409bce8285135b61f8.exe
  1416   rurddh.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                         pid   process       target process
  PID 672 wrote to memory of 892      672   taskeng.exe   rdwexs.exe
  PID 672 wrote to memory of 892      672   taskeng.exe   rdwexs.exe
  PID 672 wrote to memory of 892      672   taskeng.exe   rdwexs.exe
  PID 672 wrote to memory of 892      672   taskeng.exe   rdwexs.exe
  PID 672 wrote to memory of 1416     672   taskeng.exe   rurddh.exe
  PID 672 wrote to memory of 1416     672   taskeng.exe   rurddh.exe
  PID 672 wrote to memory of 1416     672   taskeng.exe   rurddh.exe
  PID 672 wrote to memory of 1416     672   taskeng.exe   rurddh.exe
  PID 672 wrote to memory of 1852     672   taskeng.exe   vahpnl.exe
  PID 672 wrote to memory of 1852     672   taskeng.exe   vahpnl.exe
  PID 672 wrote to memory of 1852     672   taskeng.exe   vahpnl.exe
  PID 672 wrote to memory of 1852     672   taskeng.exe   vahpnl.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a7cbdc69144242409bce8285135b61f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7cbdc69144242409bce8285135b61f8.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E2C299B4-E4F7-498C-A899-6EB0345F580A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID:672
  - C:\ProgramData\garkuht\rdwexs.exe
    Command line: C:\ProgramData\garkuht\rdwexs.exe start
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:892
  - C:\Windows\TEMP\rurddh.exe
    Command line: C:\Windows\TEMP\rurddh.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1416
  - C:\ProgramData\bpmmh\vahpnl.exe
    Command line: C:\ProgramData\bpmmh\vahpnl.exe start
    - Executes dropped EXE
    PID:1852
Network
MITRE ATT&CK Matrix
Downloads
- MD5
  503506554b1cfa84d2301e262beeb1f2
  SHA1
  7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
  SHA256
  1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
  SHA512
  bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01
- MD5
  503506554b1cfa84d2301e262beeb1f2
  SHA1
  7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
  SHA256
  1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
  SHA512
  bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01
- MD5
  a7cbdc69144242409bce8285135b61f8
  SHA1
  73594de56be8beaf92392af56c8bcc2fa44a6eac
  SHA256
  f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
  SHA512
  8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3
- MD5
  a7cbdc69144242409bce8285135b61f8
  SHA1
  73594de56be8beaf92392af56c8bcc2fa44a6eac
  SHA256
  f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
  SHA512
  8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3
- MD5
  503506554b1cfa84d2301e262beeb1f2
  SHA1
  7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
  SHA256
  1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
  SHA512
  bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01
- MD5
  ee7f1d7f4b62b816ae92e3041ce395c4
  SHA1
  84f305a3bd2b8e05966e4f525025e0d5e2e180df
  SHA256
  7c9d7e9acd67ec734b77cc7f252ba1652b15f21baf56311b0763adb36828aa72
  SHA512
  a036e1e58f5798fa6e0184eb0d57cf7163d539921699f632ee6951990a1715b3850baa21885cfcb5d658a624a774c25065845c73a7cc9759013fea905c8ca187
- MD5
  503506554b1cfa84d2301e262beeb1f2
  SHA1
  7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
  SHA256
  1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
  SHA512
  bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01