Analysis
- max time kernel: 151s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 10:03

Static task: static1
Behavioral task: behavioral1
Sample: 2f50000.exe
Resource: win7v20210410
General
- Target: 2f50000.exe
- Size: 434KB
- MD5: e2f99487e970a27006cf282abab1d49a
- SHA1: b5d6b3b95f265888ce74e1be495858928214eb00
- SHA256: 7176b06d8ef959057db3fa2868695ee2d3e810353fb236923840903ddb47019a
- SHA512: 40e23b344272daba585c707e7e6298450049102052ae516b7b98ca0591274676cdc4e9891d149204595388b0347ed701b42b65c64901683a17c930f925a19351
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2448 GetX64BTIT.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 10 api.ipify.org; flow 11 api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 644 2f50000.exe (64 events, all from the same process)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 644 2f50000.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: PID 644 2f50000.exe wrote to memory of PID 2448 GetX64BTIT.exe (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\2f50000.exe  "C:\Users\Admin\AppData\Local\Temp\2f50000.exe"  (PID 644)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"  (PID 2448, child of PID 644)
    - Executes dropped EXE
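The process tree and signatures above describe a recognisable chain: the sample writes GetX64BTIT.exe into %TEMP%, launches it, writes into the child's memory, and the sandbox sees two flows to api.ipify.org. The following is an added example (not part of the sandbox report) of how a detection engineer would encode those behaviours as rules over endpoint telemetry. The Event records are constructed to mirror the report; the PIDs, paths and SHA-256 values are taken from it, while attributing the api.ipify.org lookups to PID 644 (the report lists the flows without a PID) and the benign svchost.exe line are assumptions.

```python
"""Detection logic for the behaviours in the report above, written as an added
example (not part of the sandbox report).  The event records are constructed
to mirror the report's process tree and signatures; a real deployment would
feed EDR / Sysmon events into detect() instead."""
from dataclasses import dataclass
from typing import Iterable

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# SHA-256 values of the dropped files, copied from the report's Downloads table.
DROPPED_FILE_SHA256 = {
    (TEMP + r"\GetX64BTIT.exe").lower():
        "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",
    (TEMP + r"\x64btit.txt").lower():
        "7ff3698cb1ae933bc9e05bb7d1765d3b2893ab5cd8bd4529a6855d383f97ce25",
}

# External-IP lookup services.  The report names only api.ipify.org; extend
# this set with other services your environment never legitimately contacts.
IP_LOOKUP_HOSTS = {"api.ipify.org"}


@dataclass
class Event:
    kind: str            # file_create | process_create | write_process_memory | dns
    pid: int             # acting process
    image: str           # acting process image name
    path: str = ""       # file written (file_create) or child image path (process_create)
    target_pid: int = 0  # child PID (process_create) or written-to PID (write_process_memory)
    sha256: str = ""     # digest of the written file (file_create)
    host: str = ""       # queried name (dns)


# Constructed events.  PIDs, paths and hashes come from the report; attributing
# the two api.ipify.org flows to PID 644 is an assumption (the report lists the
# flows without a PID), and the svchost.exe line is benign noise for contrast.
EVENTS = [
    Event("file_create", 644, "2f50000.exe", path=TEMP + r"\GetX64BTIT.exe",
          sha256="91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581"),
    Event("file_create", 644, "2f50000.exe", path=TEMP + r"\x64btit.txt",
          sha256="7ff3698cb1ae933bc9e05bb7d1765d3b2893ab5cd8bd4529a6855d383f97ce25"),
    Event("process_create", 644, "2f50000.exe", path=TEMP + r"\GetX64BTIT.exe", target_pid=2448),
    Event("write_process_memory", 644, "2f50000.exe", target_pid=2448),
    Event("write_process_memory", 644, "2f50000.exe", target_pid=2448),
    Event("dns", 644, "2f50000.exe", host="api.ipify.org"),
    Event("dns", 644, "2f50000.exe", host="api.ipify.org"),
    Event("dns", 900, "svchost.exe", host="ctldl.windowsupdate.com"),
]


def detect(events: Iterable[Event]) -> list:
    """Return (rule, detail) findings, one per matching event, in event order."""
    dropped = {}    # (writer pid, lower-cased path) -> sha256 of files a process wrote
    children = {}   # child pid -> (parent pid, child image path)
    findings = []
    for ev in events:
        if ev.kind == "file_create":
            key = (ev.pid, ev.path.lower())
            dropped[key] = ev.sha256.lower()
            if DROPPED_FILE_SHA256.get(key[1]) == ev.sha256.lower():
                findings.append(("Known IoC file hash", f"{ev.path} sha256={ev.sha256}"))
        elif ev.kind == "process_create":
            children[ev.target_pid] = (ev.pid, ev.path)
            # Only fires when the same process wrote that file earlier.
            if (ev.pid, ev.path.lower()) in dropped:
                findings.append(("Executes dropped EXE",
                                 f"{ev.image} ({ev.pid}) started {ev.path} ({ev.target_pid})"))
        elif ev.kind == "write_process_memory":
            parent = children.get(ev.target_pid)
            # A parent writing into a child it launched itself is the
            # injection-into-own-dropper pattern the report's WPM signature shows.
            if parent and parent[0] == ev.pid:
                findings.append(("WriteProcessMemory into own child",
                                 f"{ev.image} ({ev.pid}) wrote to {parent[1]} ({ev.target_pid})"))
        elif ev.kind == "dns" and ev.host.lower() in IP_LOOKUP_HOSTS:
            findings.append(("External IP lookup", f"{ev.image} ({ev.pid}) resolved {ev.host}"))
    return findings


def summarize(findings: list) -> dict:
    """Collapse findings into rule -> hit count, the shape a report table needs."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
    print(summarize(detect(EVENTS)))
```

Run against the constructed events, the rules reproduce the report's counts: one "Executes dropped EXE", two WriteProcessMemory hits and two external-IP lookups, plus a hash match for each dropped file; the svchost.exe lookup to a Windows Update host is not flagged. The "Executes dropped EXE" and "WriteProcessMemory into own child" rules deliberately key on the parent/child relationship rather than on file names, so they keep firing when a dropper renames its payload.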
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: 4df3636c50284e9dae973bb34c75fcc2
  SHA1: 3f70898fdc89431ac413c6dccf0e243bbb0ba6e1
  SHA256: 7ff3698cb1ae933bc9e05bb7d1765d3b2893ab5cd8bd4529a6855d383f97ce25
  SHA512: 54c4dd5503a8a41d2c7cfd5f8740d12de328b982737e19a8506527aa97c547bf92f7527c5dedadf67aa7dca24a6ed1e2e7b9a2dc5783bf477609117662cbd47a
- memory/2448-114-0x0000000000000000-mapping.dmp