Resubmissions
ID                  Submitted            Score
240415-nrnqwsfg3w   15/04/2024, 11:37    10
240415-nrmtlafg3v   15/04/2024, 11:37    10
240415-nrmhtsfg3t   15/04/2024, 11:37    10
240415-nrlxasdd49   15/04/2024, 11:37    10
240415-nrlarsdd48   15/04/2024, 11:37    10
240410-fnxkmadd26   10/04/2024, 05:01    10
240410-fnpj1sdd25   10/04/2024, 05:01    10
240410-fnnygsdd24   10/04/2024, 05:01    10
240410-fnjc1add22   10/04/2024, 05:01    10

Analysis
max time kernel:   171s
max time network:  149s
platform:          windows7_x64
resource:          win7-20221111-en
resource tags:     arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted:         09/02/2023, 08:20
Behavioral task: behavioral1
Sample:    5cacf2b43b8d5578156df066f2181117.exe
Resource:  win7-20221111-en
General
Target:  5cacf2b43b8d5578156df066f2181117.exe
Size:    217KB
MD5:     5cacf2b43b8d5578156df066f2181117
SHA1:    7e4e1385713db3e859bdd5ad6b503e7013b37796
SHA256:  7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728
SHA512:  c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142
SSDEEP:  6144:YkriDRJpv8UfcWtfJOxM3zeKqjrdySHy:YkwRT8ctROxM3z/CrcSHy
Malware Config
Extracted
Family:  systembc
C2:      advertx15.xyz:4044
         spacex17.xyz:4044
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  1852  vpibwo.exe

UPX packed file (5 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/588-55-0x0000000000400000-0x0000000000459000-memory.dmp     upx
  behavioral1/memory/588-56-0x0000000000400000-0x0000000000459000-memory.dmp     upx
  behavioral1/files/0x00090000000133ec-59.dat                                    upx
  behavioral1/files/0x00090000000133ec-61.dat                                    upx
  behavioral1/memory/1852-63-0x0000000000400000-0x0000000000459000-memory.dmp    upx

Drops file in Windows directory (2 IoCs)
  description                   ioc                           Process
  File created                  C:\Windows\Tasks\vpibwo.job   5cacf2b43b8d5578156df066f2181117.exe
  File opened for modification  C:\Windows\Tasks\vpibwo.job   5cacf2b43b8d5578156df066f2181117.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  588   5cacf2b43b8d5578156df066f2181117.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process      procid_target
  PID 1480 wrote to memory of 1852   1480  taskeng.exe  29
  PID 1480 wrote to memory of 1852   1480  taskeng.exe  29
  PID 1480 wrote to memory of 1852   1480  taskeng.exe  29
  PID 1480 wrote to memory of 1852   1480  taskeng.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 588

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {59AE4BBD-F34A-42F7-8E88-976DAF5CAF41} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1480

    C:\ProgramData\vkquc\vpibwo.exe
      Command line: C:\ProgramData\vkquc\vpibwo.exe start2
      - Executes dropped EXE
      PID: 1852
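The signatures and process tree above amount to three host-observable behaviours: the sample writes a legacy .job file into C:\Windows\Tasks, the Task Scheduler engine (taskeng.exe, PID 1480) then launches the dropped copy from C:\ProgramData\vkquc\ (PID 1852), and the extracted config names two C2 endpoints on port 4044. The following Python is an added example, not part of the sandbox report, that turns those observations into detection logic and runs it over constructed Sysmon-style event records; the field names (EventType, Image, ParentImage, TargetFilename, Hashes, DestinationHostname, DestinationPort) and the benign decoy events are assumptions for illustration.

```python
"""Hunting checks derived from the SystemBC sandbox report above.

Added example, not code from the report. Event records are constructed
to resemble Sysmon-style telemetry; the field names are an assumption
about the log format, not a documented schema.
"""
import re

# Indicators taken from the report: the two C2 endpoints from the extracted
# config and the SHA256 of the submitted sample (also seen on the dropped copy).
C2_ENDPOINTS = {("advertx15.xyz", 4044), ("spacex17.xyz", 4044)}
SAMPLE_SHA256 = "7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728"

# Path shapes seen in the report: a .job file in the legacy Tasks folder and an
# executable one directory below C:\ProgramData.
TASKS_JOB = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)


def parse_hashes(field):
    """Parse a Sysmon-style 'MD5=..,SHA256=..' field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def check_event(ev):
    """Return a list of (rule_name, detail) hits for one event, or []."""
    hits = []
    kind = ev.get("EventType")
    if kind == "FileCreate":
        target = ev.get("TargetFilename", "")
        image = ev.get("Image", "")
        # "Drops file in Windows directory": a .job written to C:\Windows\Tasks
        # by a process that itself lives outside C:\Windows (here: user Temp).
        if TASKS_JOB.match(target) and not WINDOWS_DIR.match(image):
            hits.append(("job_file_from_user_process", f"{image} -> {target}"))
    elif kind == "ProcessCreate":
        parent = ev.get("ParentImage", "").lower()
        image = ev.get("Image", "")
        # Persistence execution path from the process tree: taskeng.exe
        # spawning an executable out of C:\ProgramData\<dir>\.
        if parent.endswith("\\taskeng.exe") and PROGRAMDATA_EXE.match(image):
            hits.append(("taskeng_spawns_programdata_exe", image))
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256", "").lower()
        if sha == SAMPLE_SHA256:
            hits.append(("known_sample_hash", image))
    elif kind == "NetworkConnect":
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        if (host, port) in C2_ENDPOINTS:
            hits.append(("systembc_c2", f"{host}:{port}"))
    return hits


def scan(events):
    """Run every event through check_event; returns (index, rule, detail) tuples."""
    findings = []
    for idx, ev in enumerate(events):
        for rule, detail in check_event(ev):
            findings.append((idx, rule, detail))
    return findings


# Constructed telemetry mirroring the report's process tree, interleaved with
# benign activity (Task Scheduler writing its own .job, a scheduled notepad.exe,
# an ordinary HTTPS connection) that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=5cacf2b43b8d5578156df066f2181117,SHA256=" + SAMPLE_SHA256},
    {"EventType": "FileCreate",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe",
     "TargetFilename": r"C:\Windows\Tasks\vpibwo.job"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\At1.job"},                    # benign
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\vkquc\vpibwo.exe",
     "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\system32\taskeng.exe", "Hashes": "SHA256=0000"},  # benign
    {"EventType": "NetworkConnect", "Image": r"C:\ProgramData\vkquc\vpibwo.exe",
     "DestinationHostname": "advertx15.xyz", "DestinationPort": "4044"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationHostname": "example.com", "DestinationPort": "443"},   # benign
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The hash rule is the weakest of the three: any rebuild of the sample changes it, while the .job-from-a-user-path and taskeng-to-ProgramData rules key on the persistence mechanism itself. The constructed run produces five findings, two of them on the dropped copy (the taskeng launch and the matching sample hash).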
Network

MITRE ATT&CK Matrix
Downloads
Filesize:  217KB
MD5:       5cacf2b43b8d5578156df066f2181117
SHA1:      7e4e1385713db3e859bdd5ad6b503e7013b37796
SHA256:    7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728
SHA512:    c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142
(All four hashes match the submitted sample, so this download is a byte-identical copy of it.)