Analysis

max time kernel: 147s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 20-03-2022 00:47

Static task: static1
Behavioral task: behavioral1
Sample: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
Resource: win7-20220310-en
General

Target: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
Size: 234KB
MD5: 226ee1dec8ea871161b64020b2ee8663
SHA1: 0866413ef90e37186ff269d1270e57c2b50f6b2f
SHA256: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced
SHA512: c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d
Malware Config

Extracted config (systembc):
  dec15coma.com:4039
  dec15coma.xyz:4039
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  3616  dtwj.exe

YARA rule match (upx)
Processes:
  resource                         yara_rule
  C:\ProgramData\vamavsq\dtwj.exe  upx
  C:\ProgramData\vamavsq\dtwj.exe  upx

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  15    api.ipify.org
  16    api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity. This is a technique flag only: no Tor-related network IoC rows are attached in this run, and the only extracted endpoints are the dec15coma.* hosts on port 4039 listed under Malware Config.

Drops file in Windows directory (2 IoCs)
Processes:
  description                   ioc                        process
  File opened for modification  C:\Windows\Tasks\dtwj.job  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
  File created                  C:\Windows\Tasks\dtwj.job  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
A .job file under C:\Windows\Tasks is a legacy Task Scheduler (1.0 format) job. It is the likely launcher for the dropped dtwj.exe, which appears in the process tree below with no parent shown.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2652  2124        WerFault.exe  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2124  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
  2124  eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe"
  PID: 2124
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  └ C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 952
      PID: 2652
      - Program crash

C:\ProgramData\vamavsq\dtwj.exe
  command line: C:\ProgramData\vamavsq\dtwj.exe start
  PID: 3616
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2124 -ip 2124
  PID: 2956

The error reporter is launched from SysWOW64 for PID 2124, so the crashing sample is a 32-bit process. The dropped copy (PID 3616) is started with the argument "start" and has no parent in the tree.
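To turn the indicators in the Signatures and Processes sections into something a SOC analyst can run, the following Python script is an added example and is not part of the sandbox report or of the malware. It sweeps Sysmon-style event lines for the report's hashes, the dropped path, the legacy .job file, the extracted dec15coma.* hosts and the api.ipify.org lookup. Because ipify is a legitimate service, the script treats that lookup as a weak indicator and promotes it only when the same image also produced a strong hit. The field names (EventID, Image, TargetFilename, Hashes, QueryName, DestinationHostname, DestinationPort) follow Sysmon's naming, but the event lines themselves are constructed for this example and are not telemetry from the sandbox run.

```python
"""IoC sweep over Sysmon-style events for the SystemBC sample in this report.

Added example, not code from the sandbox report or from the malware. The
indicators are copied from the report; SAMPLE_EVENTS are constructed for this
example and are not telemetry from the sandbox run.
"""
import re
from dataclasses import dataclass

# Indicators from the report above (lower-case for case-insensitive matching).
SAMPLE_SHA256 = "eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced"
SAMPLE_MD5 = "226ee1dec8ea871161b64020b2ee8663"
C2_HOSTS = {"dec15coma.com", "dec15coma.xyz"}
C2_PORT = "4039"
DROPPED_EXE = r"c:\programdata\vamavsq\dtwj.exe"
JOB_FILE = r"c:\windows\tasks\dtwj.job"
IP_LOOKUP_HOSTS = {"api.ipify.org"}  # legitimate service: weak on its own

# Constructed Sysmon-like key=value lines (field names follow Sysmon; the
# events themselves are made up for this example, not real telemetry).
SAMPLE_EVENTS = [
    r'EventID=11 Image=C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe TargetFilename=C:\Windows\Tasks\dtwj.job',
    r'EventID=1 Image=C:\ProgramData\vamavsq\dtwj.exe CommandLine="C:\ProgramData\vamavsq\dtwj.exe start" Hashes=SHA256=' + SAMPLE_SHA256.upper(),
    r'EventID=22 Image=C:\ProgramData\vamavsq\dtwj.exe QueryName=dec15coma.com',
    r'EventID=3 Image=C:\ProgramData\vamavsq\dtwj.exe DestinationHostname=dec15coma.xyz DestinationPort=4039',
    r'EventID=22 Image=C:\ProgramData\vamavsq\dtwj.exe QueryName=api.ipify.org',
    r'EventID=22 Image="C:\Program Files\SpeedTest\speedtest.exe" QueryName=api.ipify.org',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Hit:
    severity: str   # "high", "medium" or "low"
    indicator: str
    image: str      # lower-cased Image path the event came from
    event_id: str


def parse(line):
    """Split a key=value event line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def classify(ev):
    """Map one parsed event to (severity, indicator) pairs from the report's IoCs."""
    found = []
    img = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    hashes = ev.get("Hashes", "").lower()
    host = (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()

    if f"sha256={SAMPLE_SHA256}" in hashes or f"md5={SAMPLE_MD5}" in hashes:
        found.append(("high", "sample hash"))
    if DROPPED_EXE in (img, target):
        found.append(("high", "dropped exe path"))
    if target == JOB_FILE:
        found.append(("high", "legacy .job task file"))
    if host in C2_HOSTS:
        found.append(("high", "systembc c2 host"))
    elif ev.get("DestinationPort") == C2_PORT:
        found.append(("low", "c2 port without known host"))
    if host in IP_LOOKUP_HOSTS:
        found.append(("low", "external ip lookup (benign service)"))
    return found


def sweep(lines):
    """Classify every event, then promote weak hits that share an image with a strong one."""
    hits = []
    for line in lines:
        ev = parse(line)
        img = ev.get("Image", "").lower()
        for sev, ind in classify(ev):
            hits.append(Hit(sev, ind, img, ev.get("EventID", "?")))
    # Correlation: an ipify lookup from the dropped dtwj.exe matters; the same
    # lookup from an unrelated tool stays low.
    strong = {h.image for h in hits if h.severity == "high"}
    for h in hits:
        if h.severity == "low" and h.image in strong:
            h.severity = "medium"
    return hits


def worst_per_image(hits):
    """Highest severity seen per image path, for triage ordering."""
    worst = {}
    for h in hits:
        if h.image not in worst or RANK[h.severity] > RANK[worst[h.image]]:
            worst[h.image] = h.severity
    return worst


if __name__ == "__main__":
    results = sweep(SAMPLE_EVENTS)
    for img, sev in sorted(worst_per_image(results).items(), key=lambda kv: -RANK[kv[1]]):
        print(f"{sev:6} {img}")
    for h in results:
        print(f"  [{h.severity}] event {h.event_id}: {h.indicator} ({h.image})")
```

On the constructed input the dropped dtwj.exe and the original sample come out "high", the unrelated speed-test tool querying api.ipify.org stays "low", and notepad produces nothing. Feeding real Sysmon exports instead of SAMPLE_EVENTS only requires producing the same key=value lines.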
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\vamavsq\dtwj.exe (listed twice in the report, both entries with identical hashes)
MD5: 226ee1dec8ea871161b64020b2ee8663
SHA1: 0866413ef90e37186ff269d1270e57c2b50f6b2f
SHA256: eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced
SHA512: c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d
All four hashes match the submitted sample in the General section, so the dropped dtwj.exe is a byte-identical copy of the original executable.
Memory dumps:
  dump             range                                  size
  memory/2124-130  0x00000000051C2000-0x00000000051C9000  28KB
  memory/2124-131  0x00000000051C2000-0x00000000051C9000  28KB
  memory/2124-132  0x0000000000030000-0x0000000000039000  36KB
  memory/2124-133  0x0000000000400000-0x0000000005163000  77.4MB
  memory/3616-136  0x00000000051CD000-0x00000000051D4000  28KB
  memory/3616-137  0x00000000051CD000-0x00000000051D4000  28KB
  memory/3616-138  0x0000000000030000-0x0000000000039000  36KB
  memory/3616-139  0x0000000000400000-0x0000000005163000  77.4MB
PID 2124 is the submitted sample and PID 3616 the dropped copy. Both show the same three region sizes (28KB, 36KB, 77.4MB), consistent with the same binary running twice; 0x00400000 is the default image base for 32-bit PE files, so the 77.4MB dump starting there is the main image region.