Analysis
  max time kernel: 150s
  max time network: 157s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-11-2022 12:31
Static task: static1
Behavioral task: behavioral1
  Sample: c427b08548edc2deef70da3c60855d54.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c427b08548edc2deef70da3c60855d54.exe
  Resource: win10v2004-20220812-en
General
  Target: c427b08548edc2deef70da3c60855d54.exe
  Size: 4.6MB
  MD5: c427b08548edc2deef70da3c60855d54
  SHA1: 7c2d7499133cc80b28e782659e80fb34b1f6eaef
  SHA256: 873e9fb03b58e3a8f103ef24933427a86409b8f7560e9ee2a442e9195883ec42
  SHA512: cd153f47cc205d8ff84e3cf4194f0d79527e98ac43a089fcfce798d9262e9d3cc44b81aa78a6e6e993b3dd147021603590f73da7f8a87742dcec1ab9f19b2436
  SSDEEP: 49152:d/7Fssv0KaUhzp+Z9vAaE5FKY/t764UzLUA/AOiyjrbsnnzvSn9r8PN/+9njVVn+:d5sypV+Zp4UzJ/TknzpG9XOY
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    528   BiPVblzpeN.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  Processes:
    description              flow   ioc
    HTTP User-Agent header   20     Go-http-client/1.1
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: c427b08548edc2deef70da3c60855d54.exe, cmd.exe
    description                          pid    process                                target process
    PID 2492 wrote to memory of 2052     2492   c427b08548edc2deef70da3c60855d54.exe   cmd.exe
    PID 2492 wrote to memory of 2052     2492   c427b08548edc2deef70da3c60855d54.exe   cmd.exe
    PID 2492 wrote to memory of 2052     2492   c427b08548edc2deef70da3c60855d54.exe   cmd.exe
    PID 2052 wrote to memory of 4352     2052   cmd.exe                                schtasks.exe
    PID 2052 wrote to memory of 4352     2052   cmd.exe                                schtasks.exe
    PID 2052 wrote to memory of 4352     2052   cmd.exe                                schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c427b08548edc2deef70da3c60855d54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c427b08548edc2deef70da3c60855d54.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2492
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C schtasks /create /tn qYbPaHSINu /tr C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    - Suspicious use of WriteProcessMemory
    PID: 2052
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn qYbPaHSINu /tr C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      - Creates scheduled task(s)
      PID: 4352
- C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
  Command line: C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
  - Executes dropped EXE
  PID: 528
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\qYbPaHSINu\BiPVblzpeN.exe
  Filesize: 735.6MB
  MD5: 4cbd9eccc7e1e72de068467877087164
  SHA1: 3863f218ca2f1120af8300f7f4a1426b9be48d7a
  SHA256: fe7e9bec3e16caf3d35c5f762018d833e9b2c47d67f01c58b996a331b20a5e0d
  SHA512: 4b28f5fbe8f0d3b986abfca4231392056a46d4ba73847707b14c42540c5a5d7df47aa7fa64a60cbbf43ed77e138bfa23128295821d95a004cdf790de302fac6e
- memory/2052-132-0x0000000000000000-mapping.dmp
- memory/4352-133-0x0000000000000000-mapping.dmp