General

Target: 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
Filesize: 13KB
Completed: 05-05-2022 14:44
Task: behavioral1
Score: 10/10
MD5: 7b7328a020bf16f8a3915f1a0b4e7ecb
SHA1: dd3636d4d11c4a1b9618622cbf758c18dd89cffa
SHA256: e2cc138b0051fc6d2dce76941e2190d964c51754dac13705f63dad2941ccbba7
SHA512: cae2e70cc0e380f3d3cf50689ec36db97559bd9726c97c9b7016b05297f060c456e0e24a9e518eda258f9bdf999a760077946ff7755040ad5cb007768630f053

Malware Config
Signatures 3

  • suricata: ET MALWARE Win32/SystemBC CnC Checkin

    Description: suricata: ET MALWARE Win32/SystemBC CnC Checkin

    Tags

  • Drops file in Windows directory
    7b7328a020bf16f8a3915f1a0b4e7ecb.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\Tasks\wow64.job | 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
    File opened for modification | C:\Windows\Tasks\wow64.job | 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
  • Suspicious use of WriteProcessMemory
    taskeng.exe

    Reported IOCs

    description | pid | process | target process
    PID 868 wrote to memory of 904 | 868 | taskeng.exe | 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
    PID 868 wrote to memory of 904 | 868 | taskeng.exe | 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
    PID 868 wrote to memory of 904 | 868 | taskeng.exe | 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
    PID 868 wrote to memory of 904 | 868 | taskeng.exe | 7b7328a020bf16f8a3915f1a0b4e7ecb.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\7b7328a020bf16f8a3915f1a0b4e7ecb.exe
    "C:\Users\Admin\AppData\Local\Temp\7b7328a020bf16f8a3915f1a0b4e7ecb.exe"
    Drops file in Windows directory
    PID:316
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {458E4F8D-D453-44B5-9EF4-00E9074F635E} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Local\Temp\7b7328a020bf16f8a3915f1a0b4e7ecb.exe
      C:\Users\Admin\AppData\Local\Temp\7b7328a020bf16f8a3915f1a0b4e7ecb.exe start
      PID:904
Network
MITRE ATT&CK Matrix
Tactic columns (no techniques listed): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/316-54-0x0000000076431000-0x0000000076433000-memory.dmp
  • memory/904-55-0x0000000000000000-mapping.dmp