Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 08-12-2021 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: 25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
- Resource: win7-en-20211104
General
- Target: 25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
- Size: 148KB
- MD5: a6bb96f7c9972db7d27a415742d57a88
- SHA1: d8e3c322e66d714db5a947ea0804f112f7971734
- SHA256: 25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb
- SHA512: e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca
Malware Config
Extracted (systembc):
- mxblogs19.xyz:4044
- sdadvert20.xyz:4044
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2476  ooifrs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    16    api.ipify.org
    17    api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                            process
    File created                  C:\Windows\Tasks\ooifrs.job    25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
    File opened for modification  C:\Windows\Tasks\ooifrs.job    25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2568  25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
    2568  25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2568
- C:\ProgramData\qdcxw\ooifrs.exe
  Command line: C:\ProgramData\qdcxw\ooifrs.exe start
  - Executes dropped EXE
  PID: 2476
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a6bb96f7c9972db7d27a415742d57a88
  SHA1: d8e3c322e66d714db5a947ea0804f112f7971734
  SHA256: 25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb
  SHA512: e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca