8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

Resubmissions

24-11-2022 16:33

221124-t22ndsaf9t 10

02-11-2022 14:52

221102-r8qhlacbgq 8

Analysis

max time kernel
111s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-11-2022 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6738634d9b3bfcf7ebca8be48c091b3e.exe
Size

4.8MB
MD5

6738634d9b3bfcf7ebca8be48c091b3e
SHA1

f08091a4b3f5c167bcdfa565584bed8ed2a69f0c
SHA256

8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27
SHA512

c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5
SSDEEP

49152:cAMzHHGxBRJHrcFFmJAhaShRgxuMY8qa9vjTIt0IEqYjla27/BS5g+A:bMjGxBQFFmJA3Foq+vOEdZZ+A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svcupdater.exe

pid process

996 svcupdater.exe
Loads dropped DLL 2 IoCs

Processes:

taskeng.exe

pid process

1204 taskeng.exe
1204 taskeng.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 3 Go-http-client/1.1
HTTP User-Agent header 4 Go-http-client/1.1

pid	process
996	svcupdater.exe

pid	process
1204	taskeng.exe
1204	taskeng.exe

pid	process
1136	schtasks.exe

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1
HTTP User-Agent header	4	Go-http-client/1.1

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6738634d9b3bfcf7ebca8be48c091b3e.execmd.exetaskeng.exe

description	pid	process	target process
PID 1688 wrote to memory of 1032	1688	6738634d9b3bfcf7ebca8be48c091b3e.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	6738634d9b3bfcf7ebca8be48c091b3e.exe	cmd.exe
PID 1688 wrote to memory of 1032	1688	6738634d9b3bfcf7ebca8be48c091b3e.exe	cmd.exe
PID 1032 wrote to memory of 1136	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1136	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1136	1032	cmd.exe	schtasks.exe
PID 1204 wrote to memory of 996	1204	taskeng.exe	svcupdater.exe
PID 1204 wrote to memory of 996	1204	taskeng.exe	svcupdater.exe
PID 1204 wrote to memory of 996	1204	taskeng.exe	svcupdater.exe

C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe
"C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\cmd.exe
cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\schtasks.exe
schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
3⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\taskeng.exe
taskeng.exe {67A561F8-0A9F-4B32-AA56-A4D704C276B6} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
2⤵
- Executes dropped EXE
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Filesize
4.8MB

MD5
6738634d9b3bfcf7ebca8be48c091b3e

SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

Download Submit
C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Filesize
4.8MB

MD5
6738634d9b3bfcf7ebca8be48c091b3e

SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

Download Submit
\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Filesize
4.8MB

MD5
6738634d9b3bfcf7ebca8be48c091b3e

SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

Download Submit
\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
Filesize
4.8MB

MD5
6738634d9b3bfcf7ebca8be48c091b3e

SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c

SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27

SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5

Download Submit
memory/996-59-0x0000000000000000-mapping.dmp

Download
memory/1032-54-0x0000000000000000-mapping.dmp

Download
memory/1136-55-0x0000000000000000-mapping.dmp

Download