Analysis
- max time kernel: 164s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 19-03-2022 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
Resource: win7-20220311-en
General
- Target: 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
- Size: 233KB
- MD5: cc16e6e7af14fcf5f4a001b85930dc8f
- SHA1: 580b5baff09663396fb27d52e43a58ef25ed43dd
- SHA256: 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0
- SHA512: c451ec2e3056086842b52e8105a04a67a50609d1e8a7c296e7171432ccc5572c62e69b1edb8d6e600ddb451240847ba4d8621452ea99e98036978cc3712274d9
Malware Config
Extracted: systembc
- dec15coma.com:4039
- dec15coma.xyz:4039
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1004 | mnbg.exe
  Processes:
  resource | yara_rule
  C:\ProgramData\grsv\mnbg.exe | upx
  C:\ProgramData\grsv\mnbg.exe | upx
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  64 | api.ipify.org
  65 | api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Tasks\mnbg.job | 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
  File created | C:\Windows\Tasks\mnbg.job | 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  3636 | 1772 | WerFault.exe | 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1772 | 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
  1772 | 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1772
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 948
    - Program crash
    PID: 3636
- C:\ProgramData\grsv\mnbg.exe
  Command line: C:\ProgramData\grsv\mnbg.exe start
  - Executes dropped EXE
  PID: 1004
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1772 -ip 1772
  PID: 2324
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\grsv\mnbg.exe
MD5: cc16e6e7af14fcf5f4a001b85930dc8f
SHA1: 580b5baff09663396fb27d52e43a58ef25ed43dd
SHA256: 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0
SHA512: c451ec2e3056086842b52e8105a04a67a50609d1e8a7c296e7171432ccc5572c62e69b1edb8d6e600ddb451240847ba4d8621452ea99e98036978cc3712274d9
-
memory/1004-140-0x000000000538D000-0x0000000005394000-memory.dmp
Filesize: 28KB
-
memory/1004-141-0x000000000538D000-0x0000000005394000-memory.dmp
Filesize: 28KB
-
memory/1004-142-0x0000000000030000-0x0000000000039000-memory.dmp
Filesize: 36KB
-
memory/1004-143-0x0000000000400000-0x0000000005163000-memory.dmp
Filesize: 77.4MB
-
memory/1772-134-0x0000000005252000-0x0000000005259000-memory.dmp
Filesize: 28KB
-
memory/1772-135-0x0000000005252000-0x0000000005259000-memory.dmp
Filesize: 28KB
-
memory/1772-136-0x0000000000030000-0x0000000000039000-memory.dmp
Filesize: 36KB
-
memory/1772-137-0x0000000000400000-0x0000000005163000-memory.dmp
Filesize: 77.4MB