Analysis
max time kernel: 277s
max time network: 302s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2022 22:19
Static task: static1
Behavioral task: behavioral1
  Sample: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe
  Resource: win10-20220901-en
General
Target: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe
Size: 4.8MB
MD5: cd4ac234ee1c9fca552d11ff31b9c5cc
SHA1: e3448c185bdf0e0a0859f2b28d1b5f28c38a0064
SHA256: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8
SHA512: d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f
SSDEEP: 49152:tAM3CiGxBRJHy51FmJgBaShRgd5MYh43VvATtg0IEqYjla27VdS5g+A:aMLGxBk1FmJgX2l4lv3EdZv+A
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1468  svcupdater.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2020  taskeng.exe
    pid 2020  taskeng.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- GoLang User-Agent (3 IoCs)
  Uses the default user-agent string defined by the GoLang HTTP packages.
  Network indicators:
    description              flow  ioc
    HTTP User-Agent header   3     Go-http-client/1.1
    HTTP User-Agent header   6     Go-http-client/1.1
    HTTP User-Agent header   8     Go-http-client/1.1
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe, cmd.exe, taskeng.exe
    description            pid   target pid  process                                                               target process
    wrote to memory of     1324  1056        fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe  cmd.exe
    wrote to memory of     1324  1056        fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe  cmd.exe
    wrote to memory of     1324  1056        fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe  cmd.exe
    wrote to memory of     1056  2008        cmd.exe                                                               schtasks.exe
    wrote to memory of     1056  2008        cmd.exe                                                               schtasks.exe
    wrote to memory of     1056  2008        cmd.exe                                                               schtasks.exe
    wrote to memory of     2020  1468        taskeng.exe                                                           svcupdater.exe
    wrote to memory of     2020  1468        taskeng.exe                                                           svcupdater.exe
    wrote to memory of     2020  1468        taskeng.exe                                                           svcupdater.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8.exe"
      Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe "/C schtasks /create /tn \ipNnOYSRDI /tr \"C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /tn \ipNnOYSRDI /tr \"C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
          Signatures: Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe
      Command line: taskeng.exe {C2C1E2BA-8519-409F-B120-7F0F1F92BA25} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
        Command line: C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
  Filesize: 4.8MB
  MD5: cd4ac234ee1c9fca552d11ff31b9c5cc
  SHA1: e3448c185bdf0e0a0859f2b28d1b5f28c38a0064
  SHA256: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8
  SHA512: d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f
- \Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
  Filesize: 4.8MB
  MD5: cd4ac234ee1c9fca552d11ff31b9c5cc
  SHA1: e3448c185bdf0e0a0859f2b28d1b5f28c38a0064
  SHA256: fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8
  SHA512: d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f
- memory/1056-54-0x0000000000000000-mapping.dmp
- memory/1468-59-0x0000000000000000-mapping.dmp
- memory/2008-55-0x0000000000000000-mapping.dmp