Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05-06-2024 14:34
Static task
static1
Behavioral task
behavioral1
Sample
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
Resource
win7-20240221-en
General
-
Target
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
-
Size
898KB
-
MD5
1b1ecd323162c054864b63ada693cd71
-
SHA1
333a67545a5d1aad4d73a3501f7152b4529b6b3e
-
SHA256
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff
-
SHA512
f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71
-
SSDEEP
24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
work.exejergs.exehuvegw.exehuvegw.exepid process 2568 work.exe 2464 jergs.exe 2348 huvegw.exe 1640 huvegw.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 2956 cmd.exe -
Drops file in Windows directory 2 IoCs
Processes:
jergs.exedescription ioc process File created C:\Windows\Tasks\huvegw.job jergs.exe File opened for modification C:\Windows\Tasks\huvegw.job jergs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
jergs.exepid process 2464 jergs.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.execmd.exework.exetaskeng.exedescription pid process target process PID 2304 wrote to memory of 2956 2304 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe cmd.exe PID 2304 wrote to memory of 2956 2304 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe cmd.exe PID 2304 wrote to memory of 2956 2304 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe cmd.exe PID 2956 wrote to memory of 2568 2956 cmd.exe work.exe PID 2956 wrote to memory of 2568 2956 cmd.exe work.exe PID 2956 wrote to memory of 2568 2956 cmd.exe work.exe PID 2568 wrote to memory of 2464 2568 work.exe jergs.exe PID 2568 wrote to memory of 2464 2568 work.exe jergs.exe PID 2568 wrote to memory of 2464 2568 work.exe jergs.exe PID 2568 wrote to memory of 2464 2568 work.exe jergs.exe PID 2012 wrote to memory of 2348 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 2348 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 2348 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 2348 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 1640 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 1640 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 1640 2012 taskeng.exe huvegw.exe PID 2012 wrote to memory of 1640 2012 taskeng.exe huvegw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe"C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2464
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {5DB2EDB9-642A-463B-943D-5BE6EECC8208} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\ProgramData\pkot\huvegw.exeC:\ProgramData\pkot\huvegw.exe start22⤵
- Executes dropped EXE
PID:2348
-
-
C:\ProgramData\pkot\huvegw.exeC:\ProgramData\pkot\huvegw.exe start22⤵
- Executes dropped EXE
PID:1640
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
Filesize
16KB
MD5c661a77c31f83c413a96b5537ad31989
SHA18a5a47e39a9efa9dc4de447d2ae4cd5e375e3557
SHA256cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1
SHA512b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
453KB
MD5405b7fbe8c0ed98620064f0cd80f24c4
SHA1bb9e45038e8a9f7b7cd0db62858ac65c74b74821
SHA2569dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187
SHA5123dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d