Analysis
- max time kernel: 116s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2022 12:10
Behavioral task: behavioral1
- Sample: c9702d33d65b6b24d32170f461240217.exe
- Resource: win7-20221111-en
General
- Target: c9702d33d65b6b24d32170f461240217.exe
- Size: 214KB
- MD5: c9702d33d65b6b24d32170f461240217
- SHA1: aacac19e5153e82e046b07e0c51b039e59bb4f66
- SHA256: 9155fa1ea8c37176f6d3fc2438ac6217a4ca28ce279b510e9e7c1a89eb0f9800
- SHA512: e333a10e7015b978d8c74c7fad5beeaccbcc7e717aa06232f4729d81bc5973e0d72f6d067e5ffc2323ec849b58e1db95005923f37fe0c85fae9f13d54a6e262e
- SSDEEP: 6144:Ig72OD+LbR4/R/yIoqy9r0wUXXCU/M7dvaUQ/Hw14fZNw:j6Oo5Jr0wU9/oo/GMZi
Malware Config
- Extracted family: systembc
- scserv1.info:4077
- scserv2.info:4077
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  960 | rqbdsgw.exe
  692 | rqbdsgw.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\Tasks\rqbdsgw.job | c9702d33d65b6b24d32170f461240217.exe
  File opened for modification | C:\Windows\Tasks\rqbdsgw.job | c9702d33d65b6b24d32170f461240217.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
  1784 | c9702d33d65b6b24d32170f461240217.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 2000 wrote to memory of 960 | 2000 | taskeng.exe | rqbdsgw.exe (4 entries)
  PID 2000 wrote to memory of 692 | 2000 | taskeng.exe | rqbdsgw.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c9702d33d65b6b24d32170f461240217.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9702d33d65b6b24d32170f461240217.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A238E570-F99B-41B0-A7FD-856C837E542C} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\awers\rqbdsgw.exe
    Command line: C:\ProgramData\awers\rqbdsgw.exe start2
    - Executes dropped EXE
  - C:\ProgramData\awers\rqbdsgw.exe
    Command line: C:\ProgramData\awers\rqbdsgw.exe start2
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\awers\rqbdsgw.exe
  Filesize: 214KB
  MD5: c9702d33d65b6b24d32170f461240217
  SHA1: aacac19e5153e82e046b07e0c51b039e59bb4f66
  SHA256: 9155fa1ea8c37176f6d3fc2438ac6217a4ca28ce279b510e9e7c1a89eb0f9800
  SHA512: e333a10e7015b978d8c74c7fad5beeaccbcc7e717aa06232f4729d81bc5973e0d72f6d067e5ffc2323ec849b58e1db95005923f37fe0c85fae9f13d54a6e262e
- memory/692-59-0x0000000000000000-mapping.dmp
- memory/960-56-0x0000000000000000-mapping.dmp
- memory/1784-54-0x00000000767F1000-0x00000000767F3000-memory.dmp
  Filesize: 8KB