Analysis
-
max time kernel
120s -
max time network
182s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
26-11-2022 07:49
Behavioral task
behavioral1
Sample
4f8e09e50fc6ba0df7ca60b8780f328f.exe
Resource
win7-20220812-en
General
-
Target
4f8e09e50fc6ba0df7ca60b8780f328f.exe
-
Size
32KB
-
MD5
4f8e09e50fc6ba0df7ca60b8780f328f
-
SHA1
07db534ca7469dcce60f3b0e5d3b10603034aa55
-
SHA256
90840dc2454d579393366cb4cb9b5f813357b9ea3b9d1fb8fab4dfcd52ece396
-
SHA512
84ea3e6d3ec25daa7e3e0dd8f2a056ccb85ea8b417e66cb9129b15892cb82cd89808797f30a030fe7f3ebfa39ea7c883d97753e7eecf62e2a7838e840327bc00
-
SSDEEP
768:HqPzUdiJ8dayafVcCSWYVYnPrryFbnpoJo2TZKc6zlFg:YLJ8dayaaupDobnpo2wZGo
Malware Config
Extracted
systembc
89.248.163.218:443
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
tixujqj.exe
pid | process
1644 | tixujqj.exe
-
Drops file in Windows directory 2 IoCs
Processes:
4f8e09e50fc6ba0df7ca60b8780f328f.exe
description | ioc | process
File created | C:\Windows\Tasks\tixujqj.job | 4f8e09e50fc6ba0df7ca60b8780f328f.exe
File opened for modification | C:\Windows\Tasks\tixujqj.job | 4f8e09e50fc6ba0df7ca60b8780f328f.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
4f8e09e50fc6ba0df7ca60b8780f328f.exe
pid | process
2032 | 4f8e09e50fc6ba0df7ca60b8780f328f.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
taskeng.exe
description | pid | process | target process
PID 1532 wrote to memory of 1644 | 1532 | taskeng.exe | tixujqj.exe
PID 1532 wrote to memory of 1644 | 1532 | taskeng.exe | tixujqj.exe
PID 1532 wrote to memory of 1644 | 1532 | taskeng.exe | tixujqj.exe
PID 1532 wrote to memory of 1644 | 1532 | taskeng.exe | tixujqj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f8e09e50fc6ba0df7ca60b8780f328f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4f8e09e50fc6ba0df7ca60b8780f328f.exe"
Process tree depth: 1
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {23645084-2750-40A2-957C-FF0328475910} S-1-5-18:NT AUTHORITY\System:Service:
Process tree depth: 1
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\ddbrnr\tixujqj.exe
Command line: C:\ProgramData\ddbrnr\tixujqj.exe start
Process tree depth: 2
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
-
C:\ProgramData\ddbrnr\tixujqj.exe
Filesize
32KB
MD5
4f8e09e50fc6ba0df7ca60b8780f328f
SHA1
07db534ca7469dcce60f3b0e5d3b10603034aa55
SHA256
90840dc2454d579393366cb4cb9b5f813357b9ea3b9d1fb8fab4dfcd52ece396
SHA512
84ea3e6d3ec25daa7e3e0dd8f2a056ccb85ea8b417e66cb9129b15892cb82cd89808797f30a030fe7f3ebfa39ea7c883d97753e7eecf62e2a7838e840327bc00
-
memory/1644-56-0x0000000000000000-mapping.dmp
-
memory/2032-54-0x0000000075201000-0x0000000075203000-memory.dmp
Filesize
8KB