Analysis Overview
SHA256
6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871
Threat Level: Known bad
The file scks.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Adds Run key to start application
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-06 12:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-06 12:00
Reported
2023-05-06 12:02
Platform
win10v2004-20230220-en
Max time kernel
134s
Max time network
139s
Command Line
Signatures
SystemBC
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\scks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\scks.exe'\"" | C:\Users\Admin\AppData\Local\Temp\scks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\scks.exe
"C:\Users\Admin\AppData\Local\Temp\scks.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 20.189.173.5:443 | | tcp |
| NL | 8.238.20.126:80 | | tcp |
| NL | 8.238.20.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| BE | 23.55.97.181:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 15.204.166.162:5757 | | tcp |
| US | 8.8.8.8:53 | 162.166.204.15.in-addr.arpa | udp |
Files
memory/4196-133-0x00000000001C0000-0x00000000002B3000-memory.dmp
memory/4196-134-0x00000000012E0000-0x00000000012E6000-memory.dmp
memory/4196-135-0x00000000001C0000-0x00000000002B3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-06 12:00
Reported
2023-05-06 12:02
Platform
win7-20230220-en
Max time kernel
132s
Max time network
135s
Command Line
Signatures
SystemBC
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\scks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& ''\"" | C:\Users\Admin\AppData\Local\Temp\scks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\scks.exe
"C:\Users\Admin\AppData\Local\Temp\scks.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 15.204.166.162:5757 | | tcp |
Files
memory/2008-54-0x0000000000130000-0x0000000000136000-memory.dmp
memory/2008-55-0x0000000000CF0000-0x0000000000DE3000-memory.dmp