Analysis
- max time kernel: 153s
- max time network: 196s
- platform: windows7_x64
- resource: win7-20220331-en
- submitted: 30-03-2022 08:06

Static task: static1
Behavioral task: behavioral1
Sample: 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe
Resource: win7-20220331-en
General
- Target: 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe
- Size: 97KB
- MD5: 73e49c9180be6377ce35469e685724d6
- SHA1: cc967c46335975279a91df318a37f0091a5a2a9e
- SHA256: 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491
- SHA512: 22dd80c6b17b60ee489830711bffbc90189a8931c2e13640fdfd2c806df435aeef5a2f88a6b9488bcf88af40e994c230938d28824a84ae058341e15472a694f8
Malware Config
Extracted
- Family: systembc
- C2: dump17alertos.com:4039
- C2: dump17alertos.xyz:4039
Signatures

Executes dropped EXE (1 IoC)
Processes:
- pid 1468, process bogte.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
- flow 5: api.ipify.org
- flow 6: ip4.seeip.org
- flow 7: ip4.seeip.org
- flow 4: api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\Tasks\bogte.job by 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe
- File opened for modification: C:\Windows\Tasks\bogte.job by 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- pid 2004, process 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (source pid, source process, target pid, target process):
- PID 1212 (taskeng.exe) wrote to memory of 1468 (bogte.exe)
- PID 1212 (taskeng.exe) wrote to memory of 1468 (bogte.exe)
- PID 1212 (taskeng.exe) wrote to memory of 1468 (bogte.exe)
- PID 1212 (taskeng.exe) wrote to memory of 1468 (bogte.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491.exe"
  PID: 2004
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0AF5160B-704E-4E74-8D67-BE25864725E6} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1212
  - Suspicious use of WriteProcessMemory
  - Child: C:\ProgramData\qeendf\bogte.exe
    Command line: C:\ProgramData\qeendf\bogte.exe start
    PID: 1468
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\qeendf\bogte.exe
  Filesize: 97KB
  MD5: 73e49c9180be6377ce35469e685724d6
  SHA1: cc967c46335975279a91df318a37f0091a5a2a9e
  SHA256: 0a422188253086dc87c6ca2d436e918b478069fa3480b957a1928f9f6ecae491
  SHA512: 22dd80c6b17b60ee489830711bffbc90189a8931c2e13640fdfd2c806df435aeef5a2f88a6b9488bcf88af40e994c230938d28824a84ae058341e15472a694f8
- memory/1468-60-0x0000000000000000-mapping.dmp
- memory/1468-62-0x00000000030AB000-0x00000000030B2000-memory.dmp (Filesize: 28KB)
- memory/1468-65-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1468-64-0x00000000030AB000-0x00000000030B2000-memory.dmp (Filesize: 28KB)
- memory/1468-66-0x0000000000400000-0x0000000002FA3000-memory.dmp (Filesize: 43.6MB)
- memory/2004-54-0x000000000317B000-0x0000000003182000-memory.dmp (Filesize: 28KB)
- memory/2004-55-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize: 8KB)
- memory/2004-57-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/2004-56-0x000000000317B000-0x0000000003182000-memory.dmp (Filesize: 28KB)
- memory/2004-58-0x0000000000400000-0x0000000002FA3000-memory.dmp (Filesize: 43.6MB)