Analysis Overview
SHA256
d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
Threat Level: Known bad
The file D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
UPX packed file
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-09 19:41
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-09 19:41
Reported
2023-02-09 19:43
Platform
win7-20220901-en
Max time kernel
125s
Max time network
53s
Command Line
Signatures
SystemBC
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\ProgramData\fbftbu\tivmkbf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\fbftbu\tivmkbf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\tivmkbf.job | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
| File opened for modification | C:\Windows\Tasks\tivmkbf.job | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1996 wrote to memory of 1476 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbftbu\tivmkbf.exe |
| PID 1996 wrote to memory of 1476 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbftbu\tivmkbf.exe |
| PID 1996 wrote to memory of 1476 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbftbu\tivmkbf.exe |
| PID 1996 wrote to memory of 1476 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbftbu\tivmkbf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9F2E5836-C30E-4689-A75E-B31E53FC36B4} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
C:\ProgramData\fbftbu\tivmkbf.exe
C:\ProgramData\fbftbu\tivmkbf.exe start2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 62.204.41.4:80 | N/A | tcp |
Files
memory/1268-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
memory/1268-55-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1268-56-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1268-57-0x00000000722A1000-0x00000000722A3000-memory.dmp
memory/1268-58-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1268-59-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1268-60-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1268-61-0x0000000002160000-0x0000000002168000-memory.dmp
C:\ProgramData\fbftbu\tivmkbf.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |
memory/1476-63-0x0000000000000000-mapping.dmp
C:\ProgramData\fbftbu\tivmkbf.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |
memory/1476-66-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1476-67-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1476-71-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1268-72-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1476-73-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-09 19:41
Reported
2023-02-09 19:44
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
165s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\nceaa\wxbg.exe | N/A |
| N/A | N/A | C:\ProgramData\nceaa\wxbg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\wxbg.job | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wxbg.job | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"
C:\ProgramData\nceaa\wxbg.exe
C:\ProgramData\nceaa\wxbg.exe start2
C:\ProgramData\nceaa\wxbg.exe
C:\ProgramData\nceaa\wxbg.exe start2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 117.18.237.29:80 | N/A | tcp |
| US | 117.18.232.200:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 52.182.141.63:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.247.210.126:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 104.18.32.68:80 | N/A | tcp |
Files
memory/3444-132-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3444-133-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3444-134-0x00000000007B0000-0x00000000007B8000-memory.dmp
memory/3444-135-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3444-136-0x00000000007B0000-0x00000000007B8000-memory.dmp
C:\ProgramData\nceaa\wxbg.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |
C:\ProgramData\nceaa\wxbg.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |
memory/4792-139-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4792-140-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4792-141-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3444-142-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4792-143-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\nceaa\wxbg.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |
memory/60-145-0x0000000000400000-0x0000000000471000-memory.dmp