Analysis
max time kernel: 144s
max time network: 140s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2023 09:29

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20230703-en (windows7-x64)
  3 signatures, 150 seconds
General
Target: tmp.exe
Size: 283KB
MD5: 373949447dfd88ce94f0d04cba6ea505
SHA1: b30b0268fa57ca3117957f99fa7372b244153306
SHA256: 4246b1740af95e953c8010a6d99c0ab72622b892bc1dbb955eec4067d90d7763
SHA512: dfcdbf640ac89ae4c9efba10fe8260a4fa8354d1fd6d62f6625d0bec192dd21bb238d770d00c35a2b62d46d84f8445ffb415dd48a93023d70bac453bc50c8c88
SSDEEP: 6144:J/y8+suv+onz8G+pqHxq8FNyMRn7HRGcdfMtVqgo:J/yZsvoz8G+QRq8fhN7y78
Malware Config
Extracted
Family: systembc
C2: 185.215.113.105:4001
Signatures

Drops file in Windows directory (2 IoCs)
Processes:
  description                  | ioc                          | process
  File created                 | C:\Windows\Tasks\wow64.job   | tmp.exe
  File opened for modification | C:\Windows\Tasks\wow64.job   | tmp.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      | pid  | process     | target process
  PID 2388 wrote to memory of 2180 | 2388 | taskeng.exe | tmp.exe
  PID 2388 wrote to memory of 2180 | 2388 | taskeng.exe | tmp.exe
  PID 2388 wrote to memory of 2180 | 2388 | taskeng.exe | tmp.exe
  PID 2388 wrote to memory of 2180 | 2388 | taskeng.exe | tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Drops file in Windows directory
  PID: 1144

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {07952BE1-15D8-4790-B455-A85143A272D9} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2388
  Child process:
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe start
      PID: 2180