Analysis Overview
SHA256
ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c
Threat Level: Known bad
The file 84499558c48c4fdebac20cab68253aa7.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Executes dropped EXE
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-11 09:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-11 09:14
Reported
2023-04-11 09:16
Platform
win7-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\fbcrwn\ccoppjj.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\ccoppjj.job | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
| File opened for modification | C:\Windows\Tasks\ccoppjj.job | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1440 wrote to memory of 1764 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbcrwn\ccoppjj.exe |
| PID 1440 wrote to memory of 1764 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbcrwn\ccoppjj.exe |
| PID 1440 wrote to memory of 1764 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbcrwn\ccoppjj.exe |
| PID 1440 wrote to memory of 1764 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\fbcrwn\ccoppjj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe
"C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {45090914-468F-4883-A28D-A99DBB9B8C43} S-1-5-18:NT AUTHORITY\System:Service:
C:\ProgramData\fbcrwn\ccoppjj.exe
C:\ProgramData\fbcrwn\ccoppjj.exe start
Network
| Country | Destination | Domain | Proto |
| NL | 109.205.214.18:443 | | tcp |
| NL | 109.205.214.18:443 | | tcp |
| NL | 109.205.214.18:443 | | tcp |
Files
memory/1500-55-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/1500-56-0x0000000000400000-0x0000000000462000-memory.dmp
C:\ProgramData\fbcrwn\ccoppjj.exe
| MD5 | 84499558c48c4fdebac20cab68253aa7 |
| SHA1 | d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce |
| SHA256 | ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c |
| SHA512 | 00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a |
C:\ProgramData\fbcrwn\ccoppjj.exe
| MD5 | 84499558c48c4fdebac20cab68253aa7 |
| SHA1 | d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce |
| SHA256 | ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c |
| SHA512 | 00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a |
memory/1764-70-0x0000000000400000-0x0000000000462000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-11 09:14
Reported
2023-04-11 09:16
Platform
win10v2004-20230220-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\xofjvbf\ssfsb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\ssfsb.job | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
| File opened for modification | C:\Windows\Tasks\ssfsb.job | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe
"C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2976 -ip 2976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 960
C:\ProgramData\xofjvbf\ssfsb.exe
C:\ProgramData\xofjvbf\ssfsb.exe start
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| DE | 162.19.139.184:2222 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 20.44.10.122:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | | tcp |
| NL | 8.238.179.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| NL | 109.205.214.18:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| NL | 109.205.214.18:443 | | tcp |
| NL | 109.205.214.18:443 | | tcp |
Files
memory/2976-134-0x00000000006C0000-0x00000000006C9000-memory.dmp
memory/2976-135-0x0000000000400000-0x0000000000462000-memory.dmp
C:\ProgramData\xofjvbf\ssfsb.exe
| MD5 | 84499558c48c4fdebac20cab68253aa7 |
| SHA1 | d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce |
| SHA256 | ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c |
| SHA512 | 00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a |
C:\ProgramData\xofjvbf\ssfsb.exe
| MD5 | 84499558c48c4fdebac20cab68253aa7 |
| SHA1 | d4518c621d32ebc483a8f0761cf6ed0fe3c7b8ce |
| SHA256 | ca958072c2483f5cfab83972b3e5a25a163eed2d0d6df7d310ddf200a6fec53c |
| SHA512 | 00ad7c29108eb787d0283bb6a6c2955ff3b4a64254d03767c1c21e8bf3a1e14149958c9de8f4fd2f6489972b4573b07abc18a3bc2e96cba5fe2d4852d204d65a |
memory/1392-149-0x0000000000400000-0x0000000000462000-memory.dmp
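Two checks a responder would run on the data in both behavioral runs above, written here as an added example rather than anything produced by the sandbox. The first intersects the two Network tables: the SystemBC C2 is the only destination contacted on both the win7 and win10 detonations, while the Microsoft and DNS traffic differs per platform. The second correlates the persistence chain the Signatures show (a `.job` file written to `C:\Windows\Tasks` by the sample running from the user's Temp directory, then the Task Scheduler host launching an EXE of the same name from `C:\ProgramData` with a `start` argument). The event records are constructed from the report's Processes and Signatures sections; the `svchost.exe` parent for the win10 run and the benign `sdclt.exe` row are assumptions, not report data.

```python
"""Added triage helpers for the detonation report above (not part of the report).

  1. shared_destinations(): destinations that recur across the win7 and win10
     detonations (the SystemBC C2 survives the platform change; Windows
     background traffic does not).
  2. find_job_persistence(): flag the persistence chain the Signatures show,
     a *.job file written to C:\\Windows\\Tasks by an executable running from
     a user profile, followed by the Task Scheduler host launching an EXE of
     the same name from C:\\ProgramData.
"""
import ntpath
import re
from collections import Counter

# Destination columns copied from the two Network tables in the report.
BEHAVIORAL1_DST = ["109.205.214.18:443"] * 3
BEHAVIORAL2_DST = [
    "8.8.8.8:53", "8.8.8.8:53", "162.19.139.184:2222", "8.8.8.8:53",
    "52.152.110.14:443", "20.44.10.122:443", "52.152.110.14:443", "8.8.8.8:53",
    "8.238.179.126:80", "8.238.179.126:80", "173.223.113.164:443",
    "173.223.113.131:80", "131.253.33.203:80", "52.152.110.14:443",
    "52.152.110.14:443", "52.152.110.14:443", "109.205.214.18:443",
    "52.152.110.14:443", "109.205.214.18:443", "109.205.214.18:443",
]


def shared_destinations(*runs):
    """Return the host:port strings contacted in every run."""
    sets = [set(r) for r in runs]
    return set.intersection(*sets) if sets else set()


def destination_counts(run):
    """Connection count per destination, most frequent first."""
    return Counter(run).most_common()


JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\([^\\]+)\.job$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^C:\\ProgramData\\", re.IGNORECASE)
# taskeng.exe is the Win7 task host seen in behavioral1; on Win10 scheduled
# tasks start under svchost.exe (Schedule service). Assumption for this example.
SCHEDULER_HOSTS = {"taskeng.exe", "svchost.exe"}


def find_job_persistence(events):
    """Correlate a .job write from a user-profile process with a later
    scheduler-launched EXE of the same stem under C:\\ProgramData."""
    job_writers = {}   # job stem -> process that wrote the .job file
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            m = JOB_RE.match(ev["path"])
            if m and USER_PROFILE_RE.match(ev["process"]):
                job_writers[m.group(1).lower()] = ev["process"]
        elif ev["type"] == "process_create":
            parent = ntpath.basename(ev["parent"]).lower()
            stem = ntpath.splitext(ntpath.basename(ev["image"]))[0].lower()
            if (parent in SCHEDULER_HOSTS and stem in job_writers
                    and PROGRAMDATA_RE.match(ev["image"])):
                hits.append({"job": stem, "dropper": job_writers[stem],
                             "image": ev["image"], "cmdline": ev["cmdline"]})
    return hits


# Constructed event stream modelled on the report's Signatures/Processes
# sections (the svchost.exe parent and the sdclt.exe row are made up).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\84499558c48c4fdebac20cab68253aa7.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "process": DROPPER, "path": r"C:\Windows\Tasks\ccoppjj.job"},
    {"type": "process_create", "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\ProgramData\fbcrwn\ccoppjj.exe",
     "cmdline": r"C:\ProgramData\fbcrwn\ccoppjj.exe start"},
    # Benign scheduler child: no matching .job written from a user profile.
    {"type": "process_create", "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\Windows\system32\sdclt.exe", "cmdline": "sdclt.exe /Kickoff"},
    {"type": "file_create", "process": DROPPER, "path": r"C:\Windows\Tasks\ssfsb.job"},
    {"type": "process_create", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\ProgramData\xofjvbf\ssfsb.exe",
     "cmdline": r"C:\ProgramData\xofjvbf\ssfsb.exe start"},
]

if __name__ == "__main__":
    print("shared C2 candidates:", shared_destinations(BEHAVIORAL1_DST, BEHAVIORAL2_DST))
    for hit in find_job_persistence(SAMPLE_EVENTS):
        print("persistence:", hit["job"], "<-", hit["dropper"], "->", hit["cmdline"])
```

The intersection trick only isolates the C2 because the two detonations ran on different Windows builds with different background traffic; on a single run, `destination_counts()` plus a baseline from a clean detonation of the same image is the equivalent step. The `.job` correlation keys on the stem of the dropped EXE matching the job name, which is exactly what both runs show (`ccoppjj` and `ssfsb`).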