Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
04-12-2022 18:16
Static task
static1
Behavioral task
behavioral1
Sample
ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe
Resource
win7-20220812-en
windows7-x64
2 signatures
150 seconds
General
-
Target
ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe
-
Size
112KB
-
MD5
5a768a70151584deef9a4cd29ff56eb9
-
SHA1
7b8761fb0cd6ab1fdc2a7a3bb3a3bf5115e3a826
-
SHA256
ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542
-
SHA512
645e50abbf1221689bd2ac25cf99fbda10b0ec89070a23f2dd78a5e680e009ee6799ce42d7b8968a10243cff87beda66e3b8be09fea27b50de1297d1b85c7ee0
-
SSDEEP
3072:3XVn8iDW2JpOxR7eAN1NdO/9T2/Qx5lCAuD2klHByblbfCQQPf:3l8qW2J8yA/NdO/kox5lCN2klHByblbi
Malware Config
Extracted
Family
gootkit
Botnet
1001
C2
pell-talak.com
gudsline.com
Attributes
-
vendor_id
1001
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2116 1272 ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe 79 PID 1272 wrote to memory of 2116 1272 ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe 79 PID 1272 wrote to memory of 2116 1272 ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe"C:\Users\Admin\AppData\Local\Temp\ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe"C:\Users\Admin\AppData\Local\Temp\ae8c191199599e133cac67a50307f96e4b878e4ba04ef2f63cdabb17a39f2542.exe" kwzovjzzukghoeswvoyo2⤵PID:2116
-