Analysis

max time kernel: 151s
max time network: 130s
platform: windows7_x64
resource: win7v20201028
submitted: 11-03-2021 18:26

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: Secure_Viewer.exe_.exe
  Resource: win7v20201028
General

Target: Secure_Viewer.exe_.exe
Size: 1.4MB
MD5: 0c09489446c609ba6893455661948ac7
SHA1: 46e09d46a00ea8f151b661db6332c83695b1cf90
SHA256: 4807f8fce08612cc316476fe34aa497188810fc10102c6c07bf18142655eb252
SHA512: 07f3211408bb75cb25bad4042e3246320b38cd1d30d77635c38f12687bd90ca5b2f8241883aae0a956a606186b3ec0945dd4ad36c3944c1126aae98f2402ae06
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1936  cmd.exe
    pid 1248  GetX64BTIT.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2016  notepad.exe
    pid 1936  cmd.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 9   api.ipify.org
    flow 10  api.ipify.org

- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.

- Drops file in Windows directory (1 IoC)
  Processes:
    File created  C:\Windows\Tasks\Secure_Viewer.exe_.job  cmd.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 1044  Secure_Viewer.exe_.exe
    pid 2016  notepad.exe
    pid 1936  cmd.exe (this entry is repeated for all remaining IoCs)

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 2016  notepad.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1936  cmd.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    PID 1044 wrote to memory of 2016  Secure_Viewer.exe_.exe -> notepad.exe (repeated entries)
    PID 2016 wrote to memory of 1936  notepad.exe -> cmd.exe (repeated entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\Secure_Viewer.exe_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Secure_Viewer.exe_.exe"
  Depth: 1, PID: 1044
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    Depth: 2, PID: 2016
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      Depth: 3, PID: 1936
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

      - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        Depth: 4, PID: 1248
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  MD5: ad7b9c14083b52bc532fba5948342b98
  SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
  SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
  SHA512: e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: 8e02df4b54e4444e9812ead4fabe7a28
  SHA1: a7715b3098c2fa02adaced93a613963c39bb1d5d
  SHA256: d52167b633008ec6311264c9e0c0bc93c91640e503d37b695db4177e4e1bcd2b
  SHA512: 2b4c0d7f3e3457ec90a3e1a87e3e6747f9b26692875b587485f012d411d5865b10d4a4265d5285e46bf38bc1a236b7a0fc73fe1273982e864022c8b4840b2fe6
Memory dumps:
- memory/1044-5-0x0000000000270000-0x000000000027B000-memory.dmp  Filesize: 44KB
- memory/1044-2-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/1248-15-0x0000000000000000-mapping.dmp
- memory/1936-9-0x0000000000000000-mapping.dmp
- memory/1936-12-0x00000000001D0000-0x00000000001D8000-memory.dmp  Filesize: 32KB
- memory/1936-13-0x0000000000400000-0x000000000049F000-memory.dmp  Filesize: 636KB
- memory/2016-7-0x00000000001A0000-0x00000000001A8000-memory.dmp  Filesize: 32KB
- memory/2016-6-0x00000000000D0000-0x00000000000D2000-memory.dmp  Filesize: 8KB
- memory/2016-4-0x00000000760A1000-0x00000000760A3000-memory.dmp  Filesize: 8KB
- memory/2016-3-0x0000000000000000-mapping.dmp