Analysis

max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2023 01:19

Static task: static1
Behavioral task: behavioral1
Sample: 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe
Resource: win7-20230220-en
General

Target: 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe
Size: 145KB
MD5: 44c9814d3dba7526300bfee720853ea2
SHA1: ec239ce6d39a144a7a78aa623298e756548f1634
SHA256: 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431
SHA512: ba2991eebcee48d92a8fcc3dd783791d8c3dd523aa98b8bfe3909587692c848874d4d703a9277428465c6d37a66333dad71bc6efa949b824932fa4e1606e36bd
SSDEEP: 3072:ETCKOJL9+xhMcgMUzcuNJ6G7V5bnqouw1NckiTdI4O:EO5L9AWzb6mqoT8v
Malware Config

Extracted
Family: systembc
C2: 45.182.189.231:443
Signatures

Executes dropped EXE (1 IoC)
  PID 1716  ktaewbg.exe

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\Tasks\ktaewbg.job  by 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe
  File created                  C:\Windows\Tasks\ktaewbg.job  by 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1476  6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe

Suspicious use of WriteProcessMemory (4 IoCs, identical entries)
  PID 1860 taskeng.exe wrote to memory of PID 1716 ktaewbg.exe (x4)
Processes

C:\Users\Admin\AppData\Local\Temp\6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {EE171BA0-746A-4B26-9155-73182868BB3B} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\nvkhpc\ktaewbg.exe  (child of taskeng.exe)
      command line: C:\ProgramData\nvkhpc\ktaewbg.exe start
      - Executes dropped EXE
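The Signatures and Processes sections above record one chain: the sample writes a .job file into C:\Windows\Tasks, the SYSTEM-owned task engine (taskeng.exe) later launches an executable from a ProgramData subfolder with the argument "start", and the Downloads section lists that dropped file with the same hashes as the sample. The script below is an added example, not part of this report or of any sandbox tooling: it expresses that chain as a hunt over Sysmon-style process-create and file-create events and checks the self-copy and C2 values. The event fields, the regex generalisation (any ProgramData subfolder, any .job name) and the benign noise event are assumptions; the paths, PIDs, hashes and the C2 string are taken from the page.

```python
"""Hunt for the .job / taskeng.exe persistence chain recorded in the report.

Added example; event shapes are assumed (Sysmon-like fields), sample events
are constructed from the values on the page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    kind: str                 # "file_create" or "process_create"
    process: str              # image of the acting process
    path: str = ""            # file_create: path written
    image: str = ""           # process_create: new process image
    parent_image: str = ""    # process_create: parent image
    cmdline: str = ""
    user: str = ""


# Patterns generalised from the artefacts in the report (assumption: the
# directory name under ProgramData and the job name are not fixed).
JOB_RE = re.compile(r"^c:\\windows\\tasks\\([^\\]+)\.job$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^c:\\programdata\\[^\\]+\\([^\\]+)\.exe$", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_job_persistence(events: List[Event]) -> List[Dict[str, str]]:
    """Flag taskeng.exe launching an EXE out of a ProgramData subfolder and
    correlate it with a same-named .job file dropped into Windows\\Tasks."""
    jobs: Dict[str, Tuple[str, str]] = {}          # job stem -> (dropper, job path)
    for e in events:
        if e.kind == "file_create":
            m = JOB_RE.match(e.path)
            if m:
                jobs[m.group(1).lower()] = (e.process, e.path)

    findings = []
    for e in events:
        if e.kind != "process_create" or _basename(e.parent_image) != "taskeng.exe":
            continue
        m = PROGRAMDATA_EXE_RE.match(e.image)
        if not m:
            continue
        dropper, job_path = jobs.get(m.group(1).lower(), ("", ""))
        findings.append({
            "image": e.image, "cmdline": e.cmdline, "user": e.user,
            "job": job_path, "dropper": dropper,
            # A matching .job written by another process is the full chain.
            "confidence": "high" if job_path else "medium",
        })
    return findings


def is_self_copy(sample: Dict[str, str], dropped: Dict[str, str]) -> bool:
    """True when every hash listed for the dropped file equals the sample's."""
    return all(dropped.get(k, "").lower() == v.lower() for k, v in sample.items())


def parse_c2(extracted: str) -> Tuple[str, int]:
    """Split the extracted 'host:port' config value."""
    host, _, port = extracted.rpartition(":")
    return host, int(port)


# Constructed events mirroring the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
EVENTS = [
    Event("file_create", SAMPLE, path=r"C:\Windows\Tasks\ktaewbg.job"),
    Event("process_create", TASKENG, image=r"C:\ProgramData\nvkhpc\ktaewbg.exe",
          parent_image=TASKENG, cmdline=r"C:\ProgramData\nvkhpc\ktaewbg.exe start",
          user=r"NT AUTHORITY\SYSTEM"),
    # Constructed benign noise: a scheduled task running a System32 binary.
    Event("process_create", TASKENG, image=r"C:\Windows\System32\wsqmcons.exe",
          parent_image=TASKENG, cmdline="wsqmcons.exe", user=r"NT AUTHORITY\SYSTEM"),
]

# Hashes from the General section (sample) and the Downloads section (dropped file).
SAMPLE_HASHES = {
    "md5": "44c9814d3dba7526300bfee720853ea2",
    "sha1": "ec239ce6d39a144a7a78aa623298e756548f1634",
    "sha256": "6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431",
}
DROPPED_HASHES = {
    "md5": "44c9814d3dba7526300bfee720853ea2",
    "sha1": "ec239ce6d39a144a7a78aa623298e756548f1634",
    "sha256": "6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431",
}

if __name__ == "__main__":
    for finding in find_job_persistence(EVENTS):
        print(finding)
    print("dropped file is a self-copy:", is_self_copy(SAMPLE_HASHES, DROPPED_HASHES))
    print("C2:", parse_c2("45.182.189.231:443"))
```

Only the ProgramData child of taskeng.exe is reported; the System32 task in the constructed noise is ignored. The correlation key is the job stem matching the executable stem, which is what the report shows (ktaewbg.job / ktaewbg.exe); a hit without a matching .job is still surfaced at lower confidence because the file-create event may simply be missing from the telemetry.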
Downloads

C:\ProgramData\nvkhpc\ktaewbg.exe
Filesize: 145KB
MD5: 44c9814d3dba7526300bfee720853ea2
SHA1: ec239ce6d39a144a7a78aa623298e756548f1634
SHA256: 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431
SHA512: ba2991eebcee48d92a8fcc3dd783791d8c3dd523aa98b8bfe3909587692c848874d4d703a9277428465c6d37a66333dad71bc6efa949b824932fa4e1606e36bd
(size and all four hashes are identical to the submitted sample: the dropped file is a copy of the sample itself)

Memory dumps

memory/1476-55-0x0000000000220000-0x0000000000229000-memory.dmp  Filesize: 36KB
memory/1476-56-0x0000000000400000-0x0000000000581000-memory.dmp  Filesize: 1.5MB
memory/1716-70-0x0000000000400000-0x0000000000581000-memory.dmp  Filesize: 1.5MB
(dumps 1476-56 and 1716-70 cover the same 0x400000-0x581000 image range in the original process and in the dropped copy)