Analysis
- max time kernel: 142s
- max time network: 116s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 15-04-2023 08:51

Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en (windows7-x64)
- 3 signatures
- 150 seconds
General
- Target: tmp.exe
- Size: 283KB
- MD5: 373949447dfd88ce94f0d04cba6ea505
- SHA1: b30b0268fa57ca3117957f99fa7372b244153306
- SHA256: 4246b1740af95e953c8010a6d99c0ab72622b892bc1dbb955eec4067d90d7763
- SHA512: dfcdbf640ac89ae4c9efba10fe8260a4fa8354d1fd6d62f6625d0bec192dd21bb238d770d00c35a2b62d46d84f8445ffb415dd48a93023d70bac453bc50c8c88
- SSDEEP: 6144:J/y8+suv+onz8G+pqHxq8FNyMRn7HRGcdfMtVqgo:J/yZsvoz8G+QRq8fhN7y78
Malware Config
Extracted
- Family: systembc
- C2: 185.215.113.105:4001
Signatures
- Drops file in Windows directory (2 IoCs)
  Processes (description: ioc, process):
  File created: C:\Windows\Tasks\wow64.job (tmp.exe)
  File opened for modification: C:\Windows\Tasks\wow64.job (tmp.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description: pid, process, target process):
  PID 1500 wrote to memory of 1088: 1500, taskeng.exe, tmp.exe
  PID 1500 wrote to memory of 1088: 1500, taskeng.exe, tmp.exe
  PID 1500 wrote to memory of 1088: 1500, taskeng.exe, tmp.exe
  PID 1500 wrote to memory of 1088: 1500, taskeng.exe, tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Drops file in Windows directory
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B8EEA0DA-3866-47D1-AD3F-000910D46EB6} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe start