38a36c357a50c0f3d6ba6cbaa600507d485271ac452212850dff78f1a430f9e1

Analysis

max time kernel
142s
max time network
149s
platform
windows10_x64
resource
win10v200722
submitted
10-10-2020 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3175c7553b29a8e22676a4d4bd7b0ce2.exe
Size

7.6MB
MD5

3175c7553b29a8e22676a4d4bd7b0ce2
SHA1

63af951a129db06f9d5a1be781e8bb9df818da9c
SHA256

38a36c357a50c0f3d6ba6cbaa600507d485271ac452212850dff78f1a430f9e1
SHA512

d5e87b6ba9448575f4be4988999d8050b1b6218ad505484e67c1bfacae4cfb55b0166105fe53dc148d99344e8b73f4a5df8ea8d8f73ebafce798221e8cf65067

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

1640 dllhost.exe

pid	process
1640	dllhost.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\24d388a3\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\dllhost.exe	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\libssp-0.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libssl-1_1.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\zlib1.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\zlib1.dll	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\libevent-2-1-6.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\libwinpthread-1.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libwinpthread-1.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libcrypto-1_1.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\24d388a3\tor\libgcc_s_sjlj-1.dll	upx
\Users\Admin\AppData\Local\24d388a3\tor\libgcc_s_sjlj-1.dll	upx
behavioral2/memory/1640-23-0x00000000737C0000-0x0000000073848000-memory.dmp	upx

Loads dropped DLL 8 IoCs

Processes:

dllhost.exe

pid process

1640 dllhost.exe
1640 dllhost.exe
1640 dllhost.exe
1640 dllhost.exe
1640 dllhost.exe
1640 dllhost.exe
1640 dllhost.exe
1640 dllhost.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 myexternalip.com
17 myexternalip.com
18 myexternalip.com
23 myexternalip.com
26 myexternalip.com
27 myexternalip.com
29 myexternalip.com
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1640	dllhost.exe
1640	dllhost.exe
1640	dllhost.exe
1640	dllhost.exe
1640	dllhost.exe
1640	dllhost.exe
1640	dllhost.exe
1640	dllhost.exe

flow	ioc
30	myexternalip.com
17	myexternalip.com
18	myexternalip.com
23	myexternalip.com
26	myexternalip.com
27	myexternalip.com
29	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

3175c7553b29a8e22676a4d4bd7b0ce2.exe

pid	process
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3175c7553b29a8e22676a4d4bd7b0ce2.exe

description pid process

Token: SeShutdownPrivilege 3888 3175c7553b29a8e22676a4d4bd7b0ce2.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3175c7553b29a8e22676a4d4bd7b0ce2.exe

pid process

3888 3175c7553b29a8e22676a4d4bd7b0ce2.exe
3888 3175c7553b29a8e22676a4d4bd7b0ce2.exe

description	pid	process
Token: SeShutdownPrivilege	3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3175c7553b29a8e22676a4d4bd7b0ce2.exe

description	pid	process	target process
PID 3888 wrote to memory of 1640	3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe	dllhost.exe
PID 3888 wrote to memory of 1640	3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe	dllhost.exe
PID 3888 wrote to memory of 1640	3888	3175c7553b29a8e22676a4d4bd7b0ce2.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\3175c7553b29a8e22676a4d4bd7b0ce2.exe
"C:\Users\Admin\AppData\Local\Temp\3175c7553b29a8e22676a4d4bd7b0ce2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\24d388a3\tor\dllhost.exe
  "C:\Users\Admin\AppData\Local\24d388a3\tor\dllhost.exe" -f torrc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\24d388a3\tor\dllhost.exe

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\dllhost.exe

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\libcrypto-1_1.dll

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\libevent-2-1-6.dll

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\libgcc_s_sjlj-1.dll

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\libssl-1_1.dll

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\libssp-0.dll

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\libwinpthread-1.dll

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\torrc

MD5
e40ee6a078c43260923f34919ead064b

SHA1
f7a38aeb8eb1adbba9644dc03db94e6937fa16aa

SHA256
8b984e137d69522e2362f6ae8828d842e6178428a5e738201627e85334662947

SHA512
1e34ec1ebf1dbb8e305ccecd415370f2e3f8b1128f9fadb55f098f395ac30ee670b6c53c976289b3f5816390de86f4901faa9951ab4f0c313258641ce074aa0f

Download Submit
C:\Users\Admin\AppData\Local\24d388a3\tor\zlib1.dll

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libcrypto-1_1.dll

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libcrypto-1_1.dll

MD5
2384a02c4a1f7ec481adde3a020607d3

SHA1
7e848d35a10bf9296c8fa41956a3daa777f86365

SHA256
c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

SHA512
1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libevent-2-1-6.dll

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libgcc_s_sjlj-1.dll

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libssl-1_1.dll

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libssp-0.dll

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\libwinpthread-1.dll

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
\Users\Admin\AppData\Local\24d388a3\tor\zlib1.dll

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1640-5-0x0000000000000000-mapping.dmp

Download
memory/1640-23-0x00000000737C0000-0x0000000073848000-memory.dmp

Filesize
544KB

Download