Analysis

max time kernel: 82s
max time network: 54s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2022, 03:57

Static task: static1
Behavioral task: behavioral1
Sample: cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe
Resource: win7-20220812-en
Signatures: 3
Run time: 300 seconds
General

Target: cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe
Size: 322KB
MD5: 8850b7c96abf365df3fd542cb17755c5
SHA1: 90e77265727ab091e9ee48e82df170b8929998b4
SHA256: cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512: d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
SSDEEP: 3072:cV8upnowD9Ec5Mk36eiPdBCG6hDuiBwMASzkazLz/o5tYVggjcGkNIVqIZ:K8upD2ny0PR6hDuKZzkaHzgi7ITsq4
Malware Config

Extracted
Family: systembc
C2:
  45.15.156.48:4254
  146.70.53.169:4254
Signatures

Drops file in Windows directory (2 IoCs)

description                   ioc                         Process
File created                  C:\Windows\Tasks\wow64.job  cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe
File opened for modification  C:\Windows\Tasks\wow64.job  cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe

Suspicious use of WriteProcessMemory (4 IoCs)

description                      pid   Process      procid_target
PID 1508 wrote to memory of 624  1508  taskeng.exe  29
PID 1508 wrote to memory of 624  1508  taskeng.exe  29
PID 1508 wrote to memory of 624  1508  taskeng.exe  29
PID 1508 wrote to memory of 624  1508  taskeng.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe"
  Signatures: Drops file in Windows directory
  PID: 1672

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {18BC3B0D-879D-41B4-9057-326FFE2AEB07} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1508

  C:\Users\Admin\AppData\Local\Temp\cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Local\Temp\cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5.exe start
    PID: 624