Analysis
- max time kernel: 75s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-01-2023 15:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: f89d628342ab6b02fb4e43b0959cffad.exe
- Resource: win7-20221111-en
General
- Target: f89d628342ab6b02fb4e43b0959cffad.exe
- Size: 185KB
- MD5: f89d628342ab6b02fb4e43b0959cffad
- SHA1: ef346df6771087873a820f92c595d2ef42de4958
- SHA256: 3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35
- SHA512: 65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d
- SSDEEP: 3072:t3USMV1WhtLYjE4QW5QNSmkKkb5fn/4pOSPCizVgrR4xWFZw/ZS7rsG:rMWLYjE7kCOuzVgV4m
Malware Config
- Extracted family: systembc
- Extracted address: 109.205.214.18:443
Signatures
- Executes dropped EXE (1 IoC)
  Process: rckej.exe (PID 1504)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\rckej.job by f89d628342ab6b02fb4e43b0959cffad.exe
  File opened for modification: C:\Windows\Tasks\rckej.job by f89d628342ab6b02fb4e43b0959cffad.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: f89d628342ab6b02fb4e43b0959cffad.exe (PID 1544)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1796 (taskeng.exe) wrote to memory of PID 1504 (rckej.exe); the same source/target pair was recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\f89d628342ab6b02fb4e43b0959cffad.exe (PID 1544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f89d628342ab6b02fb4e43b0959cffad.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 1796)
  Command line: taskeng.exe {3E017DF4-731B-4546-88A6-76C601B7AB00} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child: C:\ProgramData\gjotm\rckej.exe (PID 1504)
    Command line: C:\ProgramData\gjotm\rckej.exe start
    - Executes dropped EXE

Read together with the signatures, this is scheduled-task persistence: the sample running from %TEMP% writes the legacy job file C:\Windows\Tasks\rckej.job, and the Task Scheduler engine (taskeng.exe, running as NT AUTHORITY\System) later launches the dropped copy from C:\ProgramData with the argument "start". taskeng.exe appears as a second root in the tree because it is not a child of the sample; the handoff is visible only through the job file and the WriteProcessMemory events from PID 1796 into PID 1504.
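The chain above (a .job file dropped into C:\Windows\Tasks by a process running from a user-writable path, taskeng.exe then spawning an executable from C:\ProgramData, the dropped copy matching the submitted hash, and a connection to the extracted SystemBC address) maps to scheduled-task persistence, ATT&CK T1053.005. The following detection logic is an added example written for this page, not code from the sandbox vendor or from the report; it runs over constructed Sysmon-style event dictionaries whose schema (`type`, `pid`, `image`, `parent_image`, `target`, `sha256`, `dst_ip`, `dst_port`) is assumed, and it treats the extracted 109.205.214.18:443 value as the C2 endpoint, which the report lists but does not label.

```python
"""Detection for the SystemBC persistence chain in the report above.

Added example, not part of the Triage report. Events are constructed to mirror
the report's process tree, file drops, hashes and extracted config; the event
schema and the benign control events are assumptions.
"""
import ntpath

# Indicators copied from the report. Treating the extracted address as the C2
# endpoint is an assumption; the report only lists it under Malware Config.
IOC_SHA256 = {"3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35"}
IOC_C2 = {("109.205.214.18", 443)}

TASKS_DIR = "c:\\windows\\tasks\\"          # legacy .job location on Windows 7
SYSTEM_ROOT = "c:\\windows\\"
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")

# Constructed events (not real telemetry) mirroring the report, plus two benign
# controls: the scheduler touching its own state file and taskeng.exe running a
# system binary. Neither control must fire.
EVENTS = [
    {"type": "file_create", "pid": 1544,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f89d628342ab6b02fb4e43b0959cffad.exe",
     "target": r"C:\Windows\Tasks\rckej.job"},
    {"type": "process_create", "pid": 1504, "ppid": 1796,
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\ProgramData\gjotm\rckej.exe",
     "cmdline": r"C:\ProgramData\gjotm\rckej.exe start",
     "sha256": "3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35"},
    {"type": "network_connect", "pid": 1504,
     "image": r"C:\ProgramData\gjotm\rckej.exe",
     "dst_ip": "109.205.214.18", "dst_port": 443},
    {"type": "file_create", "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Tasks\SA.DAT"},
    {"type": "process_create", "pid": 2000, "ppid": 1796,
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\Windows\System32\defrag.exe", "cmdline": "defrag.exe -c",
     "sha256": "0" * 64},
]


def _stem(path):
    """'C:\\ProgramData\\gjotm\\rckej.exe' -> 'rckej' (case-folded)."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def detect(events):
    """Return (rule, pid, detail) alerts for one host's event stream."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "file_create":
            target = e["target"].lower()
            # A .job written under C:\Windows\Tasks by anything outside C:\Windows:
            # the sample did exactly this from %TEMP%.
            if (target.startswith(TASKS_DIR) and target.endswith(".job")
                    and not e["image"].lower().startswith(SYSTEM_ROOT)):
                alerts.append(("job_file_from_userland", e["pid"], e["target"]))
        elif kind == "process_create":
            image = e["image"].lower()
            # Task Scheduler engine launching a binary from a user-writable path.
            if (e["parent_image"].lower().endswith("\\taskeng.exe")
                    and image.startswith(USER_WRITABLE)):
                alerts.append(("taskeng_spawns_userland_exe", e["pid"], e["image"]))
            if e.get("sha256") in IOC_SHA256:
                alerts.append(("known_hash", e["pid"], e["sha256"]))
        elif kind == "network_connect":
            if (e["dst_ip"], e["dst_port"]) in IOC_C2:
                alerts.append(("known_c2", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}'))
    return alerts


def linked_job_chains(alerts):
    """Pair a dropped .job with the taskeng-launched exe that shares its file
    stem (rckej.job -> rckej.exe in the report). Two medium-confidence signals
    that line up this way are one persistence chain, not two findings."""
    jobs = {_stem(d) for r, _, d in alerts if r == "job_file_from_userland"}
    spawned = {_stem(d): pid for r, pid, d in alerts
               if r == "taskeng_spawns_userland_exe"}
    return sorted((s, spawned[s]) for s in jobs if s in spawned)


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print("linked chains:", linked_job_chains(EVENTS and found))
```

The two behavioural rules are the ones worth keeping: the hash and C2 matches hold only for this exact build, and the dropped copy here matches the submitted sample byte for byte, so anything repacked escapes them. The `.job` rule and the taskeng.exe parent rule describe the mechanism rather than the sample; on Windows 8 and later the equivalent parent is svchost.exe hosting the Schedule service and the task lives under C:\Windows\System32\Tasks, so the paths need adjusting there.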
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\gjotm\rckej.exe
  Filesize: 185KB
  MD5: f89d628342ab6b02fb4e43b0959cffad
  SHA1: ef346df6771087873a820f92c595d2ef42de4958
  SHA256: 3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35
  SHA512: 65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d
  All four hashes are identical to the submitted sample: the dropped file is a byte-for-byte copy of the original, so a hash match on the C:\ProgramData copy is the same indicator as the sample itself.
- memory/1504-59-0x0000000000000000-mapping.dmp
- memory/1504-62-0x000000000030D000-0x000000000031E000-memory.dmp (68KB)
- memory/1504-63-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)
- memory/1504-64-0x000000000030D000-0x000000000031E000-memory.dmp (68KB)
- memory/1544-54-0x0000000076201000-0x0000000076203000-memory.dmp (8KB)
- memory/1544-55-0x00000000005DD000-0x00000000005EE000-memory.dmp (68KB)
- memory/1544-56-0x0000000000230000-0x0000000000239000-memory.dmp (36KB)
- memory/1544-57-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)