Analysis
- max time kernel: 4294210s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 20-03-2022 03:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
- Resource: win7-20220311-en
General
- Target: 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
- Size: 172KB
- MD5: 6047ef3dc3006268a9406af1a7be63e3
- SHA1: 57602f69a5e7d855643b61e80ff32c1947cc6d64
- SHA256: 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28
- SHA512: 1e2ca97ab3e0edbbc44c89e6f854fcfb78a9b8927f8b970ac2971aa58a4011ab1cf1a66bc8efbfa60d30dbdd45df538e21e89ef876b410c1d66950ce8a4a4613
Malware Config
Extracted (family: systembc)
- dec15coma.com:4039
- dec15coma.xyz:4039
Signatures
- Executes dropped EXE (1 IoC)
  Processes: qxlpsc.exe (PID 468)
- YARA rule match: upx (2 IoCs)
  Resource C:\ProgramData\xojau\qxlpsc.exe matched rule upx (reported twice)
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: 5 api.ipify.org, 6 api.ipify.org, 7 ip4.seeip.org, 8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe:
  - File created: C:\Windows\Tasks\qxlpsc.job
  - File opened for modification: C:\Windows\Tasks\qxlpsc.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe (PID 1980)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 280 taskeng.exe wrote to memory of PID 468 qxlpsc.exe (reported four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1980
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {42B7EAA2-DE31-4D2C-B596-0D697B46D84A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 280
  - C:\ProgramData\xojau\qxlpsc.exe (child of taskeng.exe)
    Command line: C:\ProgramData\xojau\qxlpsc.exe start
    - Executes dropped EXE
    PID: 468
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\xojau\qxlpsc.exe
  MD5: 6047ef3dc3006268a9406af1a7be63e3
  SHA1: 57602f69a5e7d855643b61e80ff32c1947cc6d64
  SHA256: 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28
  SHA512: 1e2ca97ab3e0edbbc44c89e6f854fcfb78a9b8927f8b970ac2971aa58a4011ab1cf1a66bc8efbfa60d30dbdd45df538e21e89ef876b410c1d66950ce8a4a4613
- memory/468-61-0x00000000055B9000-0x00000000055BF000-memory.dmp (Filesize: 24KB)
- memory/468-63-0x00000000055B9000-0x00000000055BF000-memory.dmp (Filesize: 24KB)
- memory/468-64-0x0000000000400000-0x000000000515E000-memory.dmp (Filesize: 77.4MB)
- memory/1980-54-0x0000000005339000-0x000000000533F000-memory.dmp (Filesize: 24KB)
- memory/1980-55-0x00000000767A1000-0x00000000767A3000-memory.dmp (Filesize: 8KB)
- memory/1980-56-0x0000000005339000-0x000000000533F000-memory.dmp (Filesize: 24KB)
- memory/1980-57-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize: 36KB)
- memory/1980-58-0x0000000000400000-0x000000000515E000-memory.dmp (Filesize: 77.4MB)