Analysis
- max time kernel: 1187s
- max time network: 1191s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 17/12/2022, 12:07

Static task: static1
Behavioral task: behavioral1
Sample: 6CA5.exe
Resource: win7-20220812-en
General
- Target: 6CA5.exe
- Size: 327KB
- MD5: a533eeaaec1a873d84936633e153dd0a
- SHA1: a16f84c4039ddccf9960cee21cb8860f2f1cf34c
- SHA256: 3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e
- SHA512: c599ec24478794dbe3fd1f3124bb93423b610a5d36eb76d625a2401fcc5f368ee40bca9585ba156a06747c593bc415369ae2106ee48b94044a72a59bd1949b79
- SSDEEP: 6144:3YktL97wOl/cNqWoZAR5Lv2mXMcXQEjSbjfxur/tb:d57rl/ccJ4omxjSbjJurR
Malware Config
- Extracted family: systembc
- C2: 109.205.214.18:443
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  904 | nkih.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\nkih.job | 6CA5.exe
  File opened for modification | C:\Windows\Tasks\nkih.job | 6CA5.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1184 | 6CA5.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1748 wrote to memory of 904 | 1748 | taskeng.exe | 27
  PID 1748 wrote to memory of 904 | 1748 | taskeng.exe | 27
  PID 1748 wrote to memory of 904 | 1748 | taskeng.exe | 27
  PID 1748 wrote to memory of 904 | 1748 | taskeng.exe | 27
Processes
- C:\Users\Admin\AppData\Local\Temp\6CA5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6CA5.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1184
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {1D5B761E-E049-44B5-AD14-A0A808448793} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1748
  - C:\ProgramData\mmxrbk\nkih.exe (depth 2, child of taskeng.exe)
    Command line: C:\ProgramData\mmxrbk\nkih.exe start
    - Executes dropped EXE
    PID: 904
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 327KB
  MD5: a533eeaaec1a873d84936633e153dd0a
  SHA1: a16f84c4039ddccf9960cee21cb8860f2f1cf34c
  SHA256: 3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e
  SHA512: c599ec24478794dbe3fd1f3124bb93423b610a5d36eb76d625a2401fcc5f368ee40bca9585ba156a06747c593bc415369ae2106ee48b94044a72a59bd1949b79