Analysis
- max time kernel: 4294206s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 26-03-2022 03:08

Static task: static1
Behavioral task: behavioral1
- Sample: 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
- Resource: win7-20220310-en
General
- Target: 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
- Size: 284KB
- MD5: 7f1fec40c35280a72c4863430821e0b5
- SHA1: 6bc22f20dd9a338224db71dc8856587c48376190
- SHA256: 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e
- SHA512: 681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7
Malware Config
Extracted
- Family: systembc
- C2: advertrex20.xyz:4044
- C2: gentexman37.xyz:4044
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 1776, qqwgkei.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 5 api.ipify.org; 6 api.ipify.org; 7 ip4.seeip.org; 8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\qqwgkei.job, by 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
  File opened for modification: C:\Windows\Tasks\qqwgkei.job, by 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: PID 1636, 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 792 (taskeng.exe) wrote to memory of PID 1776 (qqwgkei.exe); recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe (PID 1636, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 792, depth 1)
  Command line: taskeng.exe {03ACC417-A1DC-4E68-B783-9198805F0548} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\kregact\qqwgkei.exe (PID 1776, depth 2, child of taskeng.exe)
    Command line: C:\ProgramData\kregact\qqwgkei.exe start
    - Executes dropped EXE
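The process tree and the signatures above describe one chain: the sample copies itself to C:\ProgramData\kregact\qqwgkei.exe (the dropped file carries the same hashes as the submitted sample), writes C:\Windows\Tasks\qqwgkei.job, and the Task Scheduler engine (taskeng.exe, running under S-1-5-18 per its command line) launches that copy with the argument "start"; the copy then resolves the external-IP services, and the extracted config names two C2 hosts on port 4044. The Python below is an added triage matcher, not part of the sandbox report, that turns those indicators into rules over Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect, 11 FileCreate, 22 DnsQuery). It generalizes beyond this sample in two places, labelled in the code: any .job written under C:\Windows\Tasks and any executable taskeng.exe launches out of C:\ProgramData. The event records at the bottom are constructed to mirror the report; the parent of the first process and the C2 lookup/connect events are assumptions (the report's Network section is empty), not observed data.

```python
"""IOC matcher for the SystemBC report above (added example, not sandbox output).

Rules:
  persistence_job_file          a .job file written under C:\\Windows\\Tasks (generalized)
  dropped_exe_programdata       an .exe written under C:\\ProgramData (generalized)
  taskeng_spawns_programdata_exe taskeng.exe starting an image from C:\\ProgramData (generalized)
  known_sample_hash             MD5/SHA256 from the report seen in a ProcessCreate
  systembc_c2_dns / _connect    the extracted C2 hosts, connect only on port 4044
  external_ip_lookup            the IP-lookup services the sample queried
Events are plain dicts using Sysmon field names; sample events are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report.
SAMPLE_MD5 = "7f1fec40c35280a72c4863430821e0b5"
SAMPLE_SHA256 = "4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e"
C2_HOSTS = {"advertrex20.xyz", "gentexman37.xyz"}
C2_PORT = 4044
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}
TASKS_DIR = "c:\\windows\\tasks\\"      # legacy Task Scheduler job directory
PROGRAMDATA = "c:\\programdata\\"


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def _low(ev: dict, key: str) -> str:
    """Case-insensitive field read; Windows paths and Sysmon hashes vary in case."""
    return str(ev.get(key, "")).lower()


def match_event(ev: dict) -> list[Alert]:
    """Return every alert a single Sysmon-style event triggers (empty list if none)."""
    eid = int(ev.get("EventID", 0))
    hits: list[Alert] = []
    if eid == 11:  # FileCreate
        target = _low(ev, "TargetFilename")
        if target.startswith(TASKS_DIR) and target.endswith(".job"):
            hits.append(Alert("persistence_job_file", eid, target))
        if target.startswith(PROGRAMDATA) and target.endswith(".exe"):
            hits.append(Alert("dropped_exe_programdata", eid, target))
    elif eid == 1:  # ProcessCreate
        image, parent = _low(ev, "Image"), _low(ev, "ParentImage")
        if parent.endswith("\\taskeng.exe") and image.startswith(PROGRAMDATA):
            hits.append(Alert("taskeng_spawns_programdata_exe", eid, image))
        hashes = _low(ev, "Hashes")  # Sysmon format: "MD5=...,SHA256=..."
        if SAMPLE_MD5 in hashes or SAMPLE_SHA256 in hashes:
            hits.append(Alert("known_sample_hash", eid, image))
    elif eid == 22:  # DnsQuery
        name = _low(ev, "QueryName")
        if name in C2_HOSTS:
            hits.append(Alert("systembc_c2_dns", eid, name))
        elif name in IP_LOOKUP_HOSTS:
            hits.append(Alert("external_ip_lookup", eid, name))
    elif eid == 3:  # NetworkConnect
        host = _low(ev, "DestinationHostname")
        if host in C2_HOSTS and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append(Alert("systembc_c2_connect", eid, f"{host}:{C2_PORT}"))
    return hits


def scan(events: list[dict]) -> list[Alert]:
    """Run match_event over an event stream and collect all alerts in order."""
    return [alert for ev in events for alert in match_event(ev)]


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Alert count per rule, for a quick triage view."""
    return dict(Counter(alert.rule for alert in alerts))


# Constructed events mirroring the report's process tree; NOT sandbox output.
# The explorer.exe parent and the C2 DNS/connect events are assumptions.
_SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe"
_DROPPED = "C:\\ProgramData\\kregact\\qqwgkei.exe"
_HASHES = f"MD5={SAMPLE_MD5.upper()},SHA256={SAMPLE_SHA256.upper()}"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1636, "Image": _SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": _HASHES},
    {"EventID": 11, "ProcessId": 1636, "Image": _SAMPLE, "TargetFilename": _DROPPED},
    {"EventID": 11, "ProcessId": 1636, "Image": _SAMPLE, "TargetFilename": "C:\\Windows\\Tasks\\qqwgkei.job"},
    {"EventID": 1, "ProcessId": 1776, "Image": _DROPPED, "CommandLine": _DROPPED + " start",
     "ParentImage": "C:\\Windows\\system32\\taskeng.exe", "Hashes": _HASHES},
    {"EventID": 22, "ProcessId": 1776, "Image": _DROPPED, "QueryName": "api.ipify.org"},
    {"EventID": 22, "ProcessId": 1776, "Image": _DROPPED, "QueryName": "advertrex20.xyz"},
    {"EventID": 3, "ProcessId": 1776, "Image": _DROPPED, "DestinationHostname": "gentexman37.xyz", "DestinationPort": 4044},
    {"EventID": 22, "ProcessId": 1776, "Image": _DROPPED, "QueryName": "www.microsoft.com"},  # benign, no alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] event {alert.event_id}: {alert.detail}")
```

The hash rule is the brittle one: a repacked build of the same family will not match it, while the three generalized rules (job file in C:\Windows\Tasks, taskeng.exe launching from C:\ProgramData, and the IP-lookup services) survive that change and are worth keeping as standing detections with an allowlist for legitimate scheduled tasks.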
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\kregact\qqwgkei.exe
  MD5: 7f1fec40c35280a72c4863430821e0b5
  SHA1: 6bc22f20dd9a338224db71dc8856587c48376190
  SHA256: 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e
  SHA512: 681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7
- memory/1636-54-0x0000000000220000-0x0000000000226000-memory.dmp (24KB)
- memory/1636-55-0x0000000000230000-0x0000000000239000-memory.dmp (36KB)
- memory/1636-56-0x0000000076141000-0x0000000076143000-memory.dmp (8KB)
- memory/1636-57-0x0000000000400000-0x00000000046C7000-memory.dmp (66.8MB)
- memory/1776-59-0x0000000000000000-mapping.dmp
- memory/1776-62-0x0000000000370000-0x0000000000379000-memory.dmp (36KB)
- memory/1776-63-0x0000000000400000-0x00000000046C7000-memory.dmp (66.8MB)