Analysis
- max time kernel: 154s
- max time network: 128s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 09:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2bb0000.exe
- Resource: win7v20210408
General
- Target: 2bb0000.exe
- Size: 434KB
- MD5: 1cdb3fb1f8aceed1ebe8dbf591f3d8db
- SHA1: 21bd149cf8eec05f453665b888aae9b2b8e62320
- SHA256: 4bd4ccdaefa72f9326ba93542ddc447f6df1452a6f626a54d43c3a4c37e23968
- SHA512: 4df44aea1de81ee299cc0944d14da5a28290d1d3cf60691bf85a650ea12e4be73017f68bbb01466f757203e9f6d4fbdb3446a468f241a9383b35cd8f681b3021
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1264 GetX64BTIT.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1920 2bb0000.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 3 api.ipify.org; flow 4 api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1920 2bb0000.exe (64 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1920 2bb0000.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1920 2bb0000.exe wrote to memory of PID 1264 GetX64BTIT.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2bb0000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bb0000.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: 3ac29e1fd2da4b6e3b3b4b30ca6e83cf
  SHA1: 08c76853bb83949e26a2c9d59e6ef244d1cd74f8
  SHA256: b8b658921e91f7ea33378f73bba6eb95d0eb5d0448051b504bf099657f2bd902
  SHA512: adec073fb527a4e485e1c1fd2a86ba0b7bf0b57f4963c3997a3446c18ae574e6b259ed9d2e41172ca8460abe455a00f9afe4be5bbf5553c4242e3d33cae6c47e
- memory/1264-62-0x0000000000000000-mapping.dmp
- memory/1920-60-0x0000000076691000-0x0000000076693000-memory.dmp
  Filesize: 8KB