Analysis
- max time kernel: 153s
- max time network: 161s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 10-09-2021 09:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: test.txt.exe
- Resource: win7v20210408
General
- Target: test.txt.exe
- Size: 329KB
- MD5: af6cc661c03857f4cbf6c325ebe27743
- SHA1: 7fde4507b2430e37c7dc9a1df8904371bc1bf9b2
- SHA256: 2fc970b717486762f6c890f525329962662074eb632f0827c901fb1081cbd98f
- SHA512: 13e5fcbb68708f5079aca5fbc875e3d18a88fa591b8d74f208a0ba05b7af3dda55fc41466683a9963d81e41e2c39a9de5a3b0fbc0d7f1c51c28ba070c3a44b61
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1728 GetX64BTIT.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1828 test.txt.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 6 api.ipify.org; flow 7 api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1828 test.txt.exe (the same process, reported 64 times)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1828 test.txt.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1828 test.txt.exe wrote to memory of PID 1728 GetX64BTIT.exe (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\test.txt.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.txt.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: e5366a5ead8bf0ec08f9e3f4438eaff2
  SHA1: ce3c49a04fea3c359481e28e6a0b19b3da8c7a43
  SHA256: 479c23364dc24b0896cad7371b3fb35e6d167a38a0f1d567659210364f8ca2b9
  SHA512: bd6aa869e7f2dd2a8f8bd73bece7d03c810a65af6addef1bc97a8b7f5d8972575b3e870499f52cbc30d1c7d05170ffbd2227d09f17d440d21bfaf694c27ee24a
- memory/1728-63-0x0000000000000000-mapping.dmp
- memory/1828-60-0x0000000075801000-0x0000000075803000-memory.dmp
  Filesize: 8KB
- memory/1828-61-0x00000000000F0000-0x000000000018F000-memory.dmp
  Filesize: 636KB