Analysis
Max time kernel: 168s
Max time network: 215s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 09-02-2023 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: 6f21ef2acc3d9b4bb18800d61c61b2f4.exe
  Resource: win7-20221111-en
General
Target: 6f21ef2acc3d9b4bb18800d61c61b2f4.exe
Size: 827KB
MD5: 6f21ef2acc3d9b4bb18800d61c61b2f4
SHA1: d176b38b567ce050c82ecb8b0e4e8cc44a7ea0e4
SHA256: 1bd1c5a709b98d3b13c3cb3572c1c409334807a05257555e8c11f7ddc0d17e36
SHA512: 45051de1630858e982b0a5050700b8dde734fa5e04d95720abaa137433d6a8239a15187638d88c0697d73641136248a9cace5f001eba4f744899da619ea90033
SSDEEP: 1536:rvG6I+Lt6Pzw6u75dXWeBvfkkcCxauMjx2CaVcG15I4bzWXtmEQ:rvG6I+LUc6ul11cSkj8Rh15I417
Malware Config
Extracted: systembc
  inredrs5er.xyz:4116
  s5s4txirgtrtin.com:4116
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 268 evxl.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 6f21ef2acc3d9b4bb18800d61c61b2f4.exe
    File created: C:\Windows\Tasks\evxl.job
    File opened for modification: C:\Windows\Tasks\evxl.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 2016 6f21ef2acc3d9b4bb18800d61c61b2f4.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: taskeng.exe
    PID 472 (taskeng.exe) wrote to memory of PID 268 (evxl.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\6f21ef2acc3d9b4bb18800d61c61b2f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f21ef2acc3d9b4bb18800d61c61b2f4.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0C037BB6-C8C5-4D8C-884C-53DF10441898} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\hciac\evxl.exe (child of taskeng.exe)
    Command line: C:\ProgramData\hciac\evxl.exe start2
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\hciac\evxl.exe
  Filesize: 827KB
  MD5: 6f21ef2acc3d9b4bb18800d61c61b2f4
  SHA1: d176b38b567ce050c82ecb8b0e4e8cc44a7ea0e4
  SHA256: 1bd1c5a709b98d3b13c3cb3572c1c409334807a05257555e8c11f7ddc0d17e36
  SHA512: 45051de1630858e982b0a5050700b8dde734fa5e04d95720abaa137433d6a8239a15187638d88c0697d73641136248a9cace5f001eba4f744899da619ea90033
- memory/268-59-0x0000000000000000-mapping.dmp
- memory/268-62-0x0000000000380000-0x0000000000396000-memory.dmp
  Filesize: 88KB
- memory/2016-54-0x00000000002C0000-0x00000000002D6000-memory.dmp
  Filesize: 88KB
- memory/2016-55-0x00000000760C1000-0x00000000760C3000-memory.dmp
  Filesize: 8KB
- memory/2016-56-0x0000000000400000-0x00000000004D4000-memory.dmp
  Filesize: 848KB
- memory/2016-57-0x00000000002C0000-0x00000000002D6000-memory.dmp
  Filesize: 88KB