Analysis
Max time kernel: 140s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 12-03-2022 17:56
Static task: static1
General
Target: cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe
Size: 232KB
MD5: f7205e928a07057d45dd80680d956abc
SHA1: 429cebb14558371bbb1535743ff4b8c4c2401742
SHA256: cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
SHA512: c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c
Malware Config
Extracted family: systembc
Extracted C2 addresses:
  31.44.185.6:4001
  31.44.185.11:4001
Signatures
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/SystemBC CnC Checkin
Executes dropped EXE (1 IoC)
Processes:
  PID 3180  qnqjuah.exe

Drops file in Windows directory (2 IoCs)
Processes:
  File created: C:\Windows\Tasks\qnqjuah.job  (process: cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe)
  File opened for modification: C:\Windows\Tasks\qnqjuah.job  (process: cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe)

Program crash (1 IoC)
Processes:
  PID 644  WerFault.exe  (target PID 3088, target process: cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 3088  cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe
  PID 3088  cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe  (PID 3088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe  (PID 644, child of 3088)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 556
      - Program crash
C:\ProgramData\codnddd\qnqjuah.exe  (PID 3180)
  Command line: C:\ProgramData\codnddd\qnqjuah.exe start
  - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe  (PID 1940)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3088 -ip 3088
Network
MITRE ATT&CK Matrix
Downloads
C:\ProgramData\codnddd\qnqjuah.exe
  MD5: f7205e928a07057d45dd80680d956abc
  SHA1: 429cebb14558371bbb1535743ff4b8c4c2401742
  SHA256: cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
  SHA512: c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c
Memory dumps:
  memory/3088-130-0x00000000007E9000-0x00000000007F2000-memory.dmp  Filesize: 36KB
  memory/3088-132-0x00000000007C0000-0x00000000007C9000-memory.dmp  Filesize: 36KB
  memory/3088-131-0x00000000007E9000-0x00000000007F2000-memory.dmp  Filesize: 36KB
  memory/3088-133-0x0000000000400000-0x000000000046B000-memory.dmp  Filesize: 428KB
  memory/3180-136-0x0000000000765000-0x000000000076E000-memory.dmp  Filesize: 36KB
  memory/3180-137-0x0000000000765000-0x000000000076E000-memory.dmp  Filesize: 36KB
  memory/3180-138-0x0000000000C20000-0x0000000000C29000-memory.dmp  Filesize: 36KB
  memory/3180-139-0x0000000000400000-0x000000000046B000-memory.dmp  Filesize: 428KB