Analysis

- max time kernel: 4294222s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 26-03-2022 11:55

Static task: static1
Behavioral task: behavioral1
- Sample: d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe
- Resource: win7-20220311-en
General

- Target: d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe
- Size: 292KB
- MD5: 2c640457ce9535dfe46ba275e358cb50
- SHA1: 5e3b05d9ef93cf757325a4ec4d0fa1b881b2472d
- SHA256: d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149
- SHA512: a9ef2e06efde9eef6869e7c085eb1612cb1aa76b076d578e73870d75b56e0fd2daa0c03e2f1a3a5ae8c2cff0e9487da4d245b2cf0dd9c8996e15bffd80906a8f
Malware Config

Extracted family: systembc
- C2: advertrex20.xyz:4044
- C2: gentexman37.xyz:4044
Signatures

- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

- Executes dropped EXE (1 IoC)
  pid   process
  1924  eqrcwej.exe

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  7     ip4.seeip.org
  8     ip4.seeip.org
  5     api.ipify.org
  6     api.ipify.org
  These are public services used by plenty of benign software, so a lookup on its own is not actionable; treat it as a corroborating signal next to the C2 domains above, not as an indicator to block.

- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. This is a family-level capability; no Tor traffic is recorded as an IoC in this run.

- Drops file in Windows directory (2 IoCs)
  description                   ioc                            process
  File created                  C:\Windows\Tasks\eqrcwej.job   d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe
  File opened for modification  C:\Windows\Tasks\eqrcwej.job   d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  1304  d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process      target process
  PID 1660 wrote to memory of 1924  1660  taskeng.exe  eqrcwej.exe
  PID 1660 wrote to memory of 1924  1660  taskeng.exe  eqrcwej.exe
  PID 1660 wrote to memory of 1924  1660  taskeng.exe  eqrcwej.exe
  PID 1660 wrote to memory of 1924  1660  taskeng.exe  eqrcwej.exe
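The network indicators above (the two C2 hosts on port 4044 from the extracted config, and the external-IP lookup services from the signature) are what a responder would push into DNS and flow logs. The script below is an added example, not part of the sandbox output: it matches constructed Zeek-style DNS and connection records against those indicators and correlates per source host, so that a bare external-IP lookup or a bare port-4044 connection is reported as weak evidence while a host showing both a C2 DNS query and a port-4044 connection is flagged as high confidence. The tab-separated record layout and the sample lines are constructed assumptions.

```python
"""Match constructed DNS/connection records against the SystemBC network
indicators from this report. Added example; the log format is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass

# From the extracted config and the "Looks up external IP" signature.
C2_HOSTS = {"advertrex20.xyz": 4044, "gentexman37.xyz": 4044}
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "api.ipify.org"}

# Constructed sample records: DNS is (ts, src, query); conn is (ts, src, dst, dport).
DNS_LOG = """\
1648295700.1\t10.0.0.5\tadvertrex20.xyz
1648295700.2\t10.0.0.5\tAPI.IPIFY.ORG.
1648295700.3\t10.0.0.5\twww.gentexman37.xyz
1648295700.4\t10.0.0.7\tupdate.microsoft.com
1648295700.5\t10.0.0.7\tnotadvertrex20.xyz
"""
CONN_LOG = """\
1648295701.0\t10.0.0.5\t203.0.113.10\t4044
1648295701.1\t10.0.0.7\t203.0.113.11\t443
1648295701.2\t10.0.0.9\t203.0.113.12\t4044
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    kind: str        # "c2_dns", "ip_lookup" or "c2_port"
    indicator: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that some resolvers log."""
    return name.strip().lower().rstrip(".")


def matches_domain(qname: str, indicator: str) -> bool:
    """True if qname is the indicator or a subdomain of it.

    Compare on label boundaries: 'notadvertrex20.xyz' must not match
    'advertrex20.xyz', which a plain endswith() would get wrong.
    """
    q, i = normalize(qname), normalize(indicator)
    return q == i or q.endswith("." + i)


def scan_dns(log: str) -> list[Alert]:
    alerts: list[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split("\t")
        for host in C2_HOSTS:
            if matches_domain(qname, host):
                alerts.append(Alert(ts, src, "c2_dns", host))
        for host in IP_LOOKUP_HOSTS:
            if matches_domain(qname, host):
                alerts.append(Alert(ts, src, "ip_lookup", host))
    return alerts


def scan_conn(log: str) -> list[Alert]:
    """Flag connections to the C2 port. Port alone is weak evidence; correlate()
    combines it with a c2_dns hit from the same source."""
    c2_ports = set(C2_HOSTS.values())
    alerts: list[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split("\t")
        if int(dport) in c2_ports:
            alerts.append(Alert(ts, src, "c2_port", f"{dst}:{dport}"))
    return alerts


def correlate(dns_alerts: list[Alert], conn_alerts: list[Alert]) -> dict[str, list[str]]:
    """Per source host, the sorted set of indicator classes observed."""
    by_src: dict[str, set[str]] = {}
    for a in dns_alerts + conn_alerts:
        by_src.setdefault(a.src, set()).add(a.kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


def high_confidence_hosts(dns_log: str = DNS_LOG, conn_log: str = CONN_LOG) -> list[str]:
    """Hosts with both a C2 DNS query and a connection to the C2 port."""
    summary = correlate(scan_dns(dns_log), scan_conn(conn_log))
    return sorted(s for s, k in summary.items() if "c2_dns" in k and "c2_port" in k)


if __name__ == "__main__":
    for src, kinds in correlate(scan_dns(DNS_LOG), scan_conn(CONN_LOG)).items():
        print(src, kinds)
    print("high confidence:", high_confidence_hosts())
```

On the constructed input, 10.0.0.5 (C2 query, IP lookup and a port-4044 connection) is the only high-confidence host; 10.0.0.9 has only a port-4044 connection and 10.0.0.7 nothing, since `notadvertrex20.xyz` is rejected by the label-boundary check.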
Processes

- C:\Users\Admin\AppData\Local\Temp\d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe (PID 1304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskeng.exe (PID 1660)
  Command line: taskeng.exe {A0ED2FCF-E1C7-426E-B520-56C824906A61} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\miedbxe\eqrcwej.exe (PID 1924, child of PID 1660)
    Command line: C:\ProgramData\miedbxe\eqrcwej.exe start
    Signatures: Executes dropped EXE

Read together with the signatures, the tree shows the persistence chain: the submitted sample (PID 1304) writes the legacy scheduled-task file C:\Windows\Tasks\eqrcwej.job, and the Task Scheduler engine instance for the SYSTEM account (taskeng.exe, PID 1660; the S-1-5-18 argument names the account it hosts tasks for) then launches C:\ProgramData\miedbxe\eqrcwej.exe with the argument "start", so the payload runs as SYSTEM rather than as the user who executed the sample. The WriteProcessMemory entries are the parent writing into its new child, consistent with ordinary process creation by the task engine rather than injection into an unrelated process. The Downloads section below shows that eqrcwej.exe has the same size and hashes as the submitted file, so it is a straight copy, not a second-stage binary. Note that the report records the .job drop but no file-create event for eqrcwej.exe itself, so the copy into C:\ProgramData is not evidenced in this run.
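The process tree and the file-drop signature give three host-side detections for this chain: a process other than the scheduler service writing a .job file into C:\Windows\Tasks, taskeng.exe launching an executable from under C:\ProgramData, and an image whose SHA256 matches the sample (which the dropped copy shares). The script below is an added example, not part of the sandbox output: it runs those three rules over constructed events loosely shaped like Sysmon ProcessCreate (EID 1) and FileCreate (EID 11) records. The event field names, the PIDs and paths of the benign decoy events, and the allow-list of legitimate .job writers are assumptions; the indicator values come from the report.

```python
r"""Triage constructed host events for the SystemBC persistence chain in this
report: sample writes C:\Windows\Tasks\eqrcwej.job, taskeng.exe (as SYSTEM)
runs C:\ProgramData\miedbxe\eqrcwej.exe, dropped copy shares the sample's hash.
Added example; event shape and field names are an assumption.
"""
from __future__ import annotations
import ntpath

# SHA256 of the submitted sample; the dropped eqrcwej.exe has the same hash.
KNOWN_BAD_SHA256 = {
    "d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149",
}
# Assumed allow-list: the Task Scheduler service host legitimately writes
# legacy .job files. Anything else writing into C:\Windows\Tasks is suspect.
JOB_WRITERS_OK = {r"c:\windows\system32\svchost.exe"}

# Constructed events. PIDs 1304/1924 mirror the report; the others are decoys.
EVENTS = [
    {"eid": 11, "pid": 1304, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target": r"C:\Windows\Tasks\eqrcwej.job"},
    {"eid": 11, "pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Tasks\At1.job"},
    {"eid": 1, "pid": 1924, "image": r"C:\ProgramData\miedbxe\eqrcwej.exe",
     "cmdline": r"C:\ProgramData\miedbxe\eqrcwej.exe start",
     "parent_image": r"C:\Windows\System32\taskeng.exe", "user": r"NT AUTHORITY\SYSTEM",
     "sha256": "d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149"},
    {"eid": 1, "pid": 2200, "image": r"C:\Program Files\Vendor\backup.exe",
     "cmdline": r"backup.exe /nightly",
     "parent_image": r"C:\Windows\System32\taskeng.exe", "user": r"NT AUTHORITY\SYSTEM",
     "sha256": "0" * 64},
    {"eid": 1, "pid": 2300, "image": r"C:\ProgramData\Vendor\updater.exe",
     "cmdline": r"updater.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": r"WIN7\Admin",
     "sha256": "1" * 64},
]


def norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def under(path: str, directory: str) -> bool:
    r"""True if path lies strictly inside directory (so C:\ProgramData itself
    and C:\Program Files\... do not count as under C:\ProgramData)."""
    p, d = norm(path), norm(directory).rstrip("\\")
    return p.startswith(d + "\\")


def rule_job_file_dropped(ev: dict) -> str | None:
    r"""EID 11: a .job written into C:\Windows\Tasks by something other than the
    scheduler service host is the persistence drop seen in the report."""
    if ev["eid"] != 11:
        return None
    target = ev["target"]
    if (under(target, r"C:\Windows\Tasks") and norm(target).endswith(".job")
            and norm(ev["image"]) not in JOB_WRITERS_OK):
        return f"legacy .job written by {ev['image']}: {target}"
    return None


def rule_taskeng_spawns_programdata(ev: dict) -> str | None:
    r"""EID 1: taskeng.exe launching an executable from C:\ProgramData is the
    second hop of the chain (PID 1660 -> PID 1924 in the report)."""
    if ev["eid"] != 1:
        return None
    if (ntpath.basename(norm(ev["parent_image"])) == "taskeng.exe"
            and under(ev["image"], r"C:\ProgramData")):
        return f"taskeng.exe -> {ev['image']} as {ev['user']}"
    return None


def rule_known_hash(ev: dict) -> str | None:
    """EID 1: image hash matches the sample (the dropped copy is byte-identical)."""
    if ev["eid"] == 1 and ev.get("sha256", "").lower() in KNOWN_BAD_SHA256:
        return f"known SystemBC hash on {ev['image']}"
    return None


RULES = (rule_job_file_dropped, rule_taskeng_spawns_programdata, rule_known_hash)


def triage(events: list[dict] = EVENTS) -> dict[int, list[str]]:
    """Map PID -> rule hits. PIDs with no hits are omitted."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.setdefault(ev["pid"], []).append(msg)
    return hits


if __name__ == "__main__":
    for pid, msgs in triage().items():
        for m in msgs:
            print(pid, m)
```

On the constructed events only PIDs 1304 and 1924 fire: the svchost.exe write is allow-listed, the taskeng.exe child under Program Files is outside ProgramData, and the ProgramData updater has explorer.exe as its parent and an unknown hash.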
Downloads

- C:\ProgramData\miedbxe\eqrcwej.exe
  Filesize: 292KB
  MD5: 2c640457ce9535dfe46ba275e358cb50
  SHA1: 5e3b05d9ef93cf757325a4ec4d0fa1b881b2472d
  SHA256: d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149
  SHA512: a9ef2e06efde9eef6869e7c085eb1612cb1aa76b076d578e73870d75b56e0fd2daa0c03e2f1a3a5ae8c2cff0e9487da4d245b2cf0dd9c8996e15bffd80906a8f
  Same size and hashes as the submitted sample (see General above): the dropped file is a byte-identical copy, so one hash set covers both the original and the persistence copy.

Memory dumps:
- memory/1304-54-0x0000000075B01000-0x0000000075B03000-memory.dmp (8KB)
- memory/1304-55-0x0000000000220000-0x0000000000226000-memory.dmp (24KB)
- memory/1304-56-0x0000000000230000-0x0000000000239000-memory.dmp (36KB)
- memory/1304-57-0x0000000000400000-0x00000000046C8000-memory.dmp (66.8MB)
- memory/1924-59-0x0000000000000000-mapping.dmp
- memory/1924-62-0x0000000000400000-0x00000000046C8000-memory.dmp (66.8MB)

The 0x400000-0x46C8000 region is the main module image in both the original process (1304) and the dropped copy (1924). A 66.8MB in-memory image for a 292KB file on disk means the PE declares far more section virtual size than raw data, so this dump, not the on-disk file, is the one to pull for static analysis of the running code.