Analysis
- max time kernel: 73s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 15:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe
- Resource: win7-20220901-en
General
- Target: 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe
- Size: 163KB
- MD5: 07c48efec256157d37cfad4f429050f6
- SHA1: 95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e
- SHA256: 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3
- SHA512: a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac
- SSDEEP: 3072:VbeMh5pve3qP87Lp56bkqe5WfSCQ5I7HWYLS4dt1f3RaNewDDp:V35pm3w87MkqeISCgIjBLS4v1paLDp
Malware Config
Extracted
- Family: systembc
- C2: 89.248.163.218:443
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2036  xexgkr.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created                  C:\Windows\Tasks\xexgkr.job  304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe
    File opened for modification  C:\Windows\Tasks\xexgkr.job  304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1128  304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 2004 wrote to memory of 2036  taskeng.exe -> xexgkr.exe  (4 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {83A76972-6FAD-4620-93F6-0347C79D407F} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - [2] C:\ProgramData\pcqd\xexgkr.exe
    Command line: C:\ProgramData\pcqd\xexgkr.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\pcqd\xexgkr.exe
  Filesize: 163KB
  MD5: 07c48efec256157d37cfad4f429050f6
  SHA1: 95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e
  SHA256: 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3
  SHA512: a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac
- memory/1128-54-0x0000000076961000-0x0000000076963000-memory.dmp  Filesize: 8KB
- memory/1128-56-0x00000000003B0000-0x00000000003B9000-memory.dmp  Filesize: 36KB
- memory/1128-55-0x0000000000A0B000-0x0000000000A1C000-memory.dmp  Filesize: 68KB
- memory/1128-57-0x0000000000400000-0x000000000058E000-memory.dmp  Filesize: 1.6MB
- memory/1128-64-0x0000000000A0B000-0x0000000000A1C000-memory.dmp  Filesize: 68KB
- memory/2036-59-0x0000000000000000-mapping.dmp
- memory/2036-62-0x000000000028B000-0x000000000029B000-memory.dmp  Filesize: 64KB
- memory/2036-63-0x0000000000400000-0x000000000058E000-memory.dmp  Filesize: 1.6MB