Analysis
max time kernel: 151s
max time network: 163s
platform: windows7_x64
resource: win7-20220331-en
submitted: 14-04-2022 11:37
Static task: static1
Behavioral task: behavioral1
Sample: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
Resource: win7-20220331-en
General
Target: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
Size: 70KB
MD5: f195e871b1ab880b23404610b2b72020
SHA1: e1098fe407ab6c57d42cb30b31959eb1c9d3eacf
SHA256: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a
SHA512: 1ceb677353244633fe6d0ee7c253e15c8bab140f01cc82374024e58ae48fd46218f3049e636de1830f671b83f4d619f2253ee266a3820662d5c02a371af8737e
Malware Config
Extracted
Family: systembc
C2: asdasd08.com:4039
C2: asdasd08.xyz:4039
Signatures
- Executes dropped EXE (1 IoCs)
Processes:
  pid 1188, process xxll.exe
- Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 5, ioc api.ipify.org
  flow 6, ioc api.ipify.org
  flow 7, ioc ip4.seeip.org
  flow 8, ioc ip4.seeip.org
- Uses Tor communications (1 TTPs)
Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
Processes:
  description: File created, ioc: C:\Windows\Tasks\xxll.job, process: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
  description: File opened for modification, ioc: C:\Windows\Tasks\xxll.job, process: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 1668, process 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 2004 wrote to memory of 1188, pid 2004, process taskeng.exe, target process xxll.exe
  description: PID 2004 wrote to memory of 1188, pid 2004, process taskeng.exe, target process xxll.exe
  description: PID 2004 wrote to memory of 1188, pid 2004, process taskeng.exe, target process xxll.exe
  description: PID 2004 wrote to memory of 1188, pid 2004, process taskeng.exe, target process xxll.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1668
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {2A83C22A-5EA4-4376-B757-DE8C2BA7F5AD} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2004
  - C:\ProgramData\esmc\xxll.exe (child of taskeng.exe)
    command line: C:\ProgramData\esmc\xxll.exe start
    - Executes dropped EXE
    PID: 1188
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\esmc\xxll.exe
  Filesize: 70KB
  MD5: f195e871b1ab880b23404610b2b72020
  SHA1: e1098fe407ab6c57d42cb30b31959eb1c9d3eacf
  SHA256: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a
  SHA512: 1ceb677353244633fe6d0ee7c253e15c8bab140f01cc82374024e58ae48fd46218f3049e636de1830f671b83f4d619f2253ee266a3820662d5c02a371af8737e
- memory/1188-60-0x0000000000000000-mapping.dmp
- memory/1188-62-0x000000000066B000-0x0000000000672000-memory.dmp
  Filesize: 28KB
- memory/1188-64-0x000000000066B000-0x0000000000672000-memory.dmp
  Filesize: 28KB
- memory/1188-65-0x0000000000400000-0x00000000004CA000-memory.dmp
  Filesize: 808KB
- memory/1668-54-0x000000000060B000-0x0000000000612000-memory.dmp
  Filesize: 28KB
- memory/1668-55-0x00000000759C1000-0x00000000759C3000-memory.dmp
  Filesize: 8KB
- memory/1668-57-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
- memory/1668-56-0x000000000060B000-0x0000000000612000-memory.dmp
  Filesize: 28KB
- memory/1668-58-0x0000000000400000-0x00000000004CA000-memory.dmp
  Filesize: 808KB