Analysis
- max time kernel: 151s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 09:27
Static task: static1
Behavioral task: behavioral1
- Sample: 2f50000.exe
- Resource: win7v20210408
General
- Target: 2f50000.exe
- Size: 434KB
- MD5: e2f99487e970a27006cf282abab1d49a
- SHA1: b5d6b3b95f265888ce74e1be495858928214eb00
- SHA256: 7176b06d8ef959057db3fa2868695ee2d3e810353fb236923840903ddb47019a
- SHA512: 40e23b344272daba585c707e7e6298450049102052ae516b7b98ca0591274676cdc4e9891d149204595388b0347ed701b42b65c64901683a17c930f925a19351
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: GetX64BTIT.exe, PID 1236
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 11, IoC api.ipify.org; flow 12, IoC api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 2f50000.exe, PID 3692 (64 occurrences of the same process)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 2f50000.exe, PID 3692
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 2f50000.exe (PID 3692) wrote to memory of PID 1236 (GetX64BTIT.exe), recorded twice
Processes
- C:\Users\Admin\AppData\Local\Temp\2f50000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f50000.exe"
  Tree level: 1
  PID: 3692
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    Tree level: 2
    PID: 1236
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: 9c6a19b33f25e14a7424d3ba827e2001
  SHA1: 5d66e6c370d7042a57740a83eada4ac872c6cf6b
  SHA256: 5cdd0a21f86234aa80d93f5f96bc0afd9fae67caf2cab171fb57af6d576c6f3e
  SHA512: 88dd0a99ac87509bf6428b04d46d0ee0c78bbb5b0d055cb736278f969b9dc945fa8f46bcff4d9e61be2023ea33b47d4a5f9e100023ff8c7bd58d19607bb7aa07
- memory/1236-114-0x0000000000000000-mapping.dmp