Analysis
- max time kernel: 157s
- max time network: 185s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 20:06
Static task: static1
Behavioral task: behavioral1
- Sample: 07c48efec256157d37cfad4f429050f6.exe
- Resource: win7-20221111-en
General
- Target: 07c48efec256157d37cfad4f429050f6.exe
- Size: 163KB
- MD5: 07c48efec256157d37cfad4f429050f6
- SHA1: 95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e
- SHA256: 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3
- SHA512: a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac
- SSDEEP: 3072:VbeMh5pve3qP87Lp56bkqe5WfSCQ5I7HWYLS4dt1f3RaNewDDp:V35pm3w87MkqeISCgIjBLS4v1paLDp
Malware Config
Extracted
systembc
89.248.163.218:443
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 468: wvwrock.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created: C:\Windows\Tasks\wvwrock.job (by 07c48efec256157d37cfad4f429050f6.exe)
  File opened for modification: C:\Windows\Tasks\wvwrock.job (by 07c48efec256157d37cfad4f429050f6.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid 1716: 07c48efec256157d37cfad4f429050f6.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 660 (taskeng.exe) wrote to memory of PID 468 (wvwrock.exe)
  PID 660 (taskeng.exe) wrote to memory of PID 468 (wvwrock.exe)
  PID 660 (taskeng.exe) wrote to memory of PID 468 (wvwrock.exe)
  PID 660 (taskeng.exe) wrote to memory of PID 468 (wvwrock.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\07c48efec256157d37cfad4f429050f6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07c48efec256157d37cfad4f429050f6.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {167B7BA6-06B9-477A-95A9-2F3846B2D114} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\hprlrxf\wvwrock.exe (child of taskeng.exe)
    Command line: C:\ProgramData\hprlrxf\wvwrock.exe start
    - Executes dropped EXE
Downloads
- C:\ProgramData\hprlrxf\wvwrock.exe
  Filesize: 163KB
  MD5: 07c48efec256157d37cfad4f429050f6
  SHA1: 95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e
  SHA256: 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3
  SHA512: a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac
- memory/468-60-0x0000000000000000-mapping.dmp
- memory/468-63-0x000000000062B000-0x000000000063B000-memory.dmp (Filesize: 64KB)
- memory/468-64-0x0000000000400000-0x000000000058E000-memory.dmp (Filesize: 1.6MB)
- memory/1716-54-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/1716-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1716-55-0x000000000063B000-0x000000000064C000-memory.dmp (Filesize: 68KB)
- memory/1716-57-0x0000000000400000-0x000000000058E000-memory.dmp (Filesize: 1.6MB)
- memory/1716-58-0x000000000063B000-0x000000000064C000-memory.dmp (Filesize: 68KB)