Resubmissions

Submitted            Analysis ID          Score
15/04/2024, 11:37    240415-nrnqwsfg3w    10
15/04/2024, 11:37    240415-nrmtlafg3v    10
15/04/2024, 11:37    240415-nrmhtsfg3t    10
15/04/2024, 11:37    240415-nrlxasdd49    10
15/04/2024, 11:37    240415-nrlarsdd48    10
10/04/2024, 05:01    240410-fnxkmadd26    10
10/04/2024, 05:01    240410-fnpj1sdd25    10
10/04/2024, 05:01    240410-fnnygsdd24    10
10/04/2024, 05:01    240410-fnjc1add22    10

Analysis
Max time kernel: 260s
Max time network: 298s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/02/2023, 08:20
Behavioral task: behavioral1
Sample: 5cacf2b43b8d5578156df066f2181117.exe
Resource: win7-20221111-en
General

Target: 5cacf2b43b8d5578156df066f2181117.exe
Size: 217KB
MD5: 5cacf2b43b8d5578156df066f2181117
SHA1: 7e4e1385713db3e859bdd5ad6b503e7013b37796
SHA256: 7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728
SHA512: c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142
SSDEEP: 6144:YkriDRJpv8UfcWtfJOxM3zeKqjrdySHy:YkwRT8ctROxM3z/CrcSHy
Malware Config

Extracted family: systembc
C2: advertx15.xyz:4044
C2: spacex17.xyz:4044
Signatures

Executes dropped EXE (1 IoC)
  PID    Process
  4632   lwkahq.exe

YARA rule matches
  Resource                                                                       yara_rule
  behavioral2/memory/632-132-0x0000000000400000-0x0000000000459000-memory.dmp    upx
  behavioral2/memory/632-133-0x0000000000400000-0x0000000000459000-memory.dmp    upx
  behavioral2/files/0x0006000000022e00-136.dat                                   upx
  behavioral2/files/0x0006000000022e00-137.dat                                   upx
  behavioral2/memory/4632-138-0x0000000000400000-0x0000000000459000-memory.dmp   upx
  behavioral2/memory/4632-139-0x0000000000400000-0x0000000000459000-memory.dmp   upx

Drops file in Windows directory (2 IoCs)
  Description                    IoC                            Process
  File created                   C:\Windows\Tasks\lwkahq.job    5cacf2b43b8d5578156df066f2181117.exe
  File opened for modification   C:\Windows\Tasks\lwkahq.job    5cacf2b43b8d5578156df066f2181117.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID    Process
  632    5cacf2b43b8d5578156df066f2181117.exe
  632    5cacf2b43b8d5578156df066f2181117.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe" 1⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 632

  C:\ProgramData\pgpfaej\lwkahq.exe
    Command line: C:\ProgramData\pgpfaej\lwkahq.exe start21⤵
    - Executes dropped EXE
    PID: 4632
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 217KB
MD5: 5cacf2b43b8d5578156df066f2181117
SHA1: 7e4e1385713db3e859bdd5ad6b503e7013b37796
SHA256: 7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728
SHA512: c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142