Analysis
Max time kernel: 4294215s
Max time network: 155s
Platform: windows7_x64
Resource: win7-20220310-en
Submitted: 20-03-2022 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
  Resource: win7-20220310-en
General
Target: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
Size: 234KB
MD5: 226ee1dec8ea871161b64020b2ee8663
SHA1: 0866413ef90e37186ff269d1270e57c2b50f6b2f
SHA256: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced
SHA512: c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d
Malware Config
Extracted family: systembc
C2: dec15coma.com:4039
C2: dec15coma.xyz:4039
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  1988  ehrtt.exe

YARA rule match: upx (2 IoCs)
  resource                          yara_rule
  C:\ProgramData\nclsbfn\ehrtt.exe  upx
  C:\ProgramData\nclsbfn\ehrtt.exe  upx

Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     api.ipify.org
  6     api.ipify.org
  7     ip4.seeip.org
  8     ip4.seeip.org

Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
  description                   ioc                         process
  File created                  C:\Windows\Tasks\ehrtt.job  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
  File opened for modification  C:\Windows\Tasks\ehrtt.job  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  process
  900  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

Suspicious use of WriteProcessMemory (4 IoCs, all identical)
  description                        pid   process      target process
  PID 1956 wrote to memory of 1988   1956  taskeng.exe  ehrtt.exe
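The three behaviours above (the Task Scheduler engine starting the dropped EXE out of C:\ProgramData, the sample writing a legacy .job file into C:\Windows\Tasks from a user's Temp folder, and DNS lookups of external-IP services) are the ones worth turning into detections. The following is an added example, not part of the sandbox report: detection rules in Python run over constructed Sysmon-style events; the event layout, the Event class and the sample events are assumptions modelled on this report's process tree, and the two benign events are made up to show the rules not firing.

```python
"""Detection logic for the three behaviours flagged above (task-engine spawn of a
ProgramData EXE, .job file dropped in C:\\Windows\\Tasks by a binary running from
a user's Temp folder, DNS lookups of external-IP services), run over constructed
Sysmon-style events. Added example; the event shape and the sample events are
assumptions modelled on this report's process tree, not sandbox output."""
from __future__ import annotations
from dataclasses import dataclass

# Hosts from the report's "Looks up external IP address" IoCs.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}


@dataclass(frozen=True)
class Event:
    kind: str               # "process_create" | "file_create" | "dns_query"
    pid: int                # acting process
    image: str              # full path of the acting process
    parent_image: str = ""  # process_create only
    command_line: str = ""  # process_create only
    target: str = ""        # file_create: path written; dns_query: name queried


def _norm(path: str) -> str:
    """Case-fold and use backslashes so the rules accept either slash style."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def taskeng_spawns_programdata_exe(ev: Event) -> bool:
    """Task Scheduler engine (taskeng.exe on Windows 7) launching an EXE from ProgramData."""
    img = _norm(ev.image)
    return (ev.kind == "process_create"
            and _basename(ev.parent_image) == "taskeng.exe"
            and img.startswith("c:\\programdata\\")
            and img.endswith(".exe"))


def temp_binary_writes_job_file(ev: Event) -> bool:
    """A process running from the user's AppData\\Local\\Temp writing a legacy .job task file."""
    tgt = _norm(ev.target)
    return (ev.kind == "file_create"
            and tgt.startswith("c:\\windows\\tasks\\")
            and tgt.endswith(".job")
            and "\\appdata\\local\\temp\\" in _norm(ev.image))


def external_ip_lookup(ev: Event) -> bool:
    """DNS query for a public 'what is my IP' service."""
    return ev.kind == "dns_query" and ev.target.lower().rstrip(".") in IP_LOOKUP_HOSTS


RULES = {f.__name__: f for f in (taskeng_spawns_programdata_exe,
                                 temp_binary_writes_job_file,
                                 external_ip_lookup)}


def detect(events) -> list[tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a rule."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe"
DROPPED = r"C:\ProgramData\nclsbfn\ehrtt.exe"

# Constructed events mirroring the report's process tree, plus two benign ones.
SAMPLE_EVENTS = [
    Event("process_create", 900, SAMPLE, parent_image=r"C:\Windows\explorer.exe",
          command_line=f'"{SAMPLE}"'),
    Event("file_create", 900, SAMPLE, target=r"C:\Windows\Tasks\ehrtt.job"),
    Event("process_create", 1988, DROPPED, parent_image=r"C:\Windows\system32\taskeng.exe",
          command_line=f"{DROPPED} start"),
    Event("dns_query", 1988, DROPPED, target="api.ipify.org"),
    Event("dns_query", 1988, DROPPED, target="ip4.seeip.org"),
    # Benign (constructed): the task engine running a Windows binary, and an ordinary lookup.
    Event("process_create", 2044, r"C:\Windows\system32\wermgr.exe",
          parent_image=r"C:\Windows\system32\taskeng.exe", command_line="wermgr.exe -queuereporting"),
    Event("dns_query", 1200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target="www.example.com"),
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:32s} pid={pid}")
```

Two caveats when porting this to a real fleet: taskeng.exe is the Windows 7 era scheduler host, on Windows 10 and later tasks are launched from the Schedule service inside svchost.exe, so the parent check in the first rule has to be widened; and legitimate installers also register tasks that run from C:\ProgramData, so treat that rule as a hunting lead and correlate it with the .job write rather than alerting on it alone. A .job file under C:\Windows\Tasks is the legacy Task Scheduler 1.0 format (modern tasks are XML under C:\Windows\System32\Tasks), which is itself unusual on a current system.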
Processes
- C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe (PID 900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 1956)
  Command line: taskeng.exe {9EA984C8-DAB8-41CA-9BB4-A5ECD39B231E} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\nclsbfn\ehrtt.exe (PID 1988), child of taskeng.exe
    Command line: C:\ProgramData\nclsbfn\ehrtt.exe start
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\nclsbfn\ehrtt.exe
  MD5: 226ee1dec8ea871161b64020b2ee8663
  SHA1: 0866413ef90e37186ff269d1270e57c2b50f6b2f
  SHA256: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced
  SHA512: c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d
  All four hashes match the submitted sample: the dropped file is a byte-identical copy, so the sample's hashes also identify the persisted copy on disk.
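Because the dropped copy carries the same hashes as the submitted sample, a host sweep can use one hash set for both, and should also look for the legacy .job file that the sample writes to C:\Windows\Tasks. The following is an added example, not part of the sandbox report: a Python sweep that hashes every file under a root, matches MD5/SHA1/SHA256 against the report's hash set, and flags the report's paths and any .job file under Windows\Tasks. The directory tree it scans is constructed in a temporary folder (an assumption for offline use), and its stand-in payload cannot carry the real sample's hashes, so the demo adds the stand-in's SHA256 to the indicator set to show the hash match firing on a renamed copy.

```python
"""Host-side sweep for the file indicators in this report: hash every file under a
root, match MD5/SHA1/SHA256 against the report's hash set, and flag the dropped
path and any legacy .job file under Windows\\Tasks. Added example, not part of the
sandbox report; the demo directory tree is constructed in a temp folder (assumption)
and its stand-in payload does not have the real sample's hashes."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Hashes of the submitted sample, which are also the hashes of the dropped copy.
REPORT_HASHES = {
    "226ee1dec8ea871161b64020b2ee8663",                                   # MD5
    "0866413ef90e37186ff269d1270e57c2b50f6b2f",                           # SHA1
    "eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced",   # SHA256
}
# Paths from the report, relative to the system drive, lower-cased.
REPORT_PATHS = {r"programdata\nclsbfn\ehrtt.exe", r"windows\tasks\ehrtt.job"}


def file_digests(path: Path) -> dict[str, str]:
    """MD5, SHA1 and SHA256 of a file, computed in one pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root: Path, hashes=REPORT_HASHES, paths=REPORT_PATHS):
    """Return [(relative_path, [reasons], sha256)] for every file that matches an IoC."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        # Normalise to the report's Windows-style, lower-cased relative path.
        rel = str(p.relative_to(root)).replace("/", "\\").lower()
        reasons = []
        if rel in paths:
            reasons.append("known-path")
        if rel.startswith("windows\\tasks\\") and rel.endswith(".job"):
            reasons.append("legacy-job-file")
        d = file_digests(p)
        if hashes & set(d.values()):
            reasons.append("known-hash")
        if reasons:
            hits.append((rel, reasons, d["sha256"]))
    return hits


def build_demo_tree(root: Path) -> bytes:
    """Constructed stand-in for an infected host: dropped EXE, .job file, a renamed
    copy of the same bytes in Temp, and one benign file."""
    payload = b"MZ constructed stand-in for ehrtt.exe, not the real sample\n"
    for rel, data in [
        ("ProgramData/nclsbfn/ehrtt.exe", payload),
        ("Users/Admin/AppData/Local/Temp/sample.exe", payload),   # same bytes, other path
        ("Windows/Tasks/ehrtt.job", b"constructed job file\n"),
        ("Users/Admin/Documents/notes.txt", b"benign\n"),
    ]:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    return payload


def demo() -> list:
    root = Path(tempfile.mkdtemp(prefix="ioc-sweep-"))
    payload = build_demo_tree(root)
    # The stand-in payload cannot carry the real hashes, so add its SHA256 to the
    # indicator set to show the hash match firing on the renamed copy in Temp.
    hashes = REPORT_HASHES | {hashlib.sha256(payload).hexdigest()}
    return sweep(root, hashes=hashes)


if __name__ == "__main__":
    for rel, reasons, sha256 in demo():
        print(f"{rel:45s} {','.join(reasons):28s} {sha256}")
```

On a real host, point sweep() at the system drive (or at C:\ProgramData, C:\Users and C:\Windows\Tasks to keep it fast) with the default indicator set; the hash match catches the binary wherever it was renamed to, while the path and .job checks catch the persistence artefacts even if the file has since been replaced.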
Memory dumps
  file                                                            size
  memory/900-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp  8KB
  memory/900-56-0x0000000000230000-0x0000000000330000-memory.dmp  1024KB
  memory/900-57-0x0000000000020000-0x0000000000029000-memory.dmp  36KB
  memory/900-58-0x0000000000400000-0x0000000005163000-memory.dmp  77.4MB
  memory/1988-61-0x0000000005258000-0x000000000525F000-memory.dmp 28KB
  memory/1988-63-0x0000000005258000-0x000000000525F000-memory.dmp 28KB
  memory/1988-64-0x0000000000400000-0x0000000005163000-memory.dmp 77.4MB
  The 0x00400000-0x05163000 region appears in both PID 900 and PID 1988: it is the mapped image of the same binary, loaded at the same base in the original sample and in the dropped copy.