fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

Analysis

max time kernel
277s
max time network
302s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-11-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe
Size

4.8MB
MD5

cd4ac234ee1c9fca552d11ff31b9c5cc
SHA1

e3448c185bdf0e0a0859f2b28d1b5f28c38a0064
SHA256

fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8
SHA512

d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f
SSDEEP

49152:tAM3CiGxBRJHy51FmJgBaShRgd5MYh43VvATtg0IEqYjla27VdS5g+A:aMLGxBk1FmJgX2l4lv3EdZv+A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svcupdater.exe

pid process

1468 svcupdater.exe
Loads dropped DLL 2 IoCs

Processes:

taskeng.exe

pid process

2020 taskeng.exe
2020 taskeng.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2008 schtasks.exe
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 3 Go-http-client/1.1
HTTP User-Agent header 6 Go-http-client/1.1
HTTP User-Agent header 8 Go-http-client/1.1

pid	process
1468	svcupdater.exe

pid	process
2020	taskeng.exe
2020	taskeng.exe

pid	process
2008	schtasks.exe

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	6	Go-http-client/1.1
HTTP User-Agent header	8	Go-http-client/1.1

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.execmd.exetaskeng.exe

description	pid	process	target process
PID 1324 wrote to memory of 1056	1324	fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe	cmd.exe
PID 1324 wrote to memory of 1056	1324	fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe	cmd.exe
PID 1324 wrote to memory of 1056	1324	fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe	cmd.exe
PID 1056 wrote to memory of 2008	1056	cmd.exe	schtasks.exe
PID 1056 wrote to memory of 2008	1056	cmd.exe	schtasks.exe
PID 1056 wrote to memory of 2008	1056	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1468	2020	taskeng.exe	svcupdater.exe
PID 2020 wrote to memory of 1468	2020	taskeng.exe	svcupdater.exe
PID 2020 wrote to memory of 1468	2020	taskeng.exe	svcupdater.exe

C:\Users\Admin\AppData\Local\Temp\fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe
"C:\Users\Admin\AppData\Local\Temp\fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\cmd.exe
cmd.exe "/C schtasks /create /tn \ipNnOYSRDI /tr \"C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\schtasks.exe
schtasks /create /tn \ipNnOYSRDI /tr \"C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\taskeng.exe
taskeng.exe {C2C1E2BA-8519-409F-B120-7F0F1F92BA25} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
2⤵
- Executes dropped EXE
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
Filesize
4.8MB

MD5
cd4ac234ee1c9fca552d11ff31b9c5cc

SHA1
e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

SHA256
fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

SHA512
d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

Download Submit
C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
Filesize
4.8MB

MD5
cd4ac234ee1c9fca552d11ff31b9c5cc

SHA1
e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

SHA256
fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

SHA512
d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

Download Submit
\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
Filesize
4.8MB

MD5
cd4ac234ee1c9fca552d11ff31b9c5cc

SHA1
e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

SHA256
fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

SHA512
d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

Download Submit
\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
Filesize
4.8MB

MD5
cd4ac234ee1c9fca552d11ff31b9c5cc

SHA1
e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

SHA256
fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

SHA512
d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

Download Submit
memory/1056-54-0x0000000000000000-mapping.dmp

Download
memory/1468-59-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download