Analysis Overview
SHA256
2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f
Threat Level: Known bad
The file 2288.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Executes dropped EXE
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-12-17 15:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-17 15:29
Reported
2022-12-17 15:34
Platform
win7-20220901-en
Max time kernel
297s
Max time network
303s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\icplu\kxlnr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\kxlnr.job | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
| File opened for modification | C:\Windows\Tasks\kxlnr.job | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1680 wrote to memory of 976 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\icplu\kxlnr.exe |
| PID 1680 wrote to memory of 976 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\icplu\kxlnr.exe |
| PID 1680 wrote to memory of 976 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\icplu\kxlnr.exe |
| PID 1680 wrote to memory of 976 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\icplu\kxlnr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2288.exe
"C:\Users\Admin\AppData\Local\Temp\2288.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {BB91848E-F31F-471B-8947-76F3CBFF86ED} S-1-5-18:NT AUTHORITY\System:Service:
C:\ProgramData\icplu\kxlnr.exe
C:\ProgramData\icplu\kxlnr.exe start
Network
| Country | Destination | Domain | Proto |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp |
Files
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
memory/2032-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/2032-55-0x00000000002EC000-0x0000000000301000-memory.dmp
memory/2032-57-0x0000000000400000-0x0000000000451000-memory.dmp
C:\ProgramData\icplu\kxlnr.exe
| MD5 | a91d1ad4f99dc142a63342a79a04a61c |
| SHA1 | 9328310f5567fc7247516d21f339fb99b67706be |
| SHA256 | 2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f |
| SHA512 | f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a |
memory/976-59-0x0000000000000000-mapping.dmp
C:\ProgramData\icplu\kxlnr.exe
| MD5 | a91d1ad4f99dc142a63342a79a04a61c |
| SHA1 | 9328310f5567fc7247516d21f339fb99b67706be |
| SHA256 | 2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f |
| SHA512 | f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a |
memory/2032-61-0x00000000002EC000-0x0000000000301000-memory.dmp
memory/976-63-0x00000000002AC000-0x00000000002C1000-memory.dmp
memory/976-64-0x0000000000400000-0x0000000000451000-memory.dmp
memory/976-65-0x00000000002AC000-0x00000000002C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-17 15:29
Reported
2022-12-17 15:34
Platform
win10v2004-20220812-en
Max time kernel
292s
Max time network
296s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\ikablkr\tupqk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\tupqk.job | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
| File opened for modification | C:\Windows\Tasks\tupqk.job | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2288.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2288.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2288.exe
"C:\Users\Admin\AppData\Local\Temp\2288.exe"
C:\ProgramData\ikablkr\tupqk.exe
C:\ProgramData\ikablkr\tupqk.exe start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4716 -ip 4716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 980
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 20.189.173.10:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp | |
| N/A | 89.248.163.218:443 | tcp |
Files
memory/4716-132-0x000000000062C000-0x0000000000641000-memory.dmp
memory/4716-133-0x00000000005B0000-0x00000000005B9000-memory.dmp
memory/4716-134-0x0000000000400000-0x0000000000451000-memory.dmp
C:\ProgramData\ikablkr\tupqk.exe
| MD5 | a91d1ad4f99dc142a63342a79a04a61c |
| SHA1 | 9328310f5567fc7247516d21f339fb99b67706be |
| SHA256 | 2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f |
| SHA512 | f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a |
C:\ProgramData\ikablkr\tupqk.exe
| MD5 | a91d1ad4f99dc142a63342a79a04a61c |
| SHA1 | 9328310f5567fc7247516d21f339fb99b67706be |
| SHA256 | 2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f |
| SHA512 | f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a |
memory/3908-137-0x0000000000487000-0x000000000049C000-memory.dmp
memory/3908-138-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3908-139-0x0000000000487000-0x000000000049C000-memory.dmp
memory/4716-140-0x000000000062C000-0x0000000000641000-memory.dmp
memory/4716-141-0x0000000000400000-0x0000000000451000-memory.dmp