Analysis

- max time kernel: 149s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 14-04-2022 11:37

Static task: static1
Behavioral task: behavioral1
Sample: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
Resource: win7-20220331-en
General

- Target: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
- Size: 70KB
- MD5: f195e871b1ab880b23404610b2b72020
- SHA1: e1098fe407ab6c57d42cb30b31959eb1c9d3eacf
- SHA256: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a
- SHA512: 1ceb677353244633fe6d0ee7c253e15c8bab140f01cc82374024e58ae48fd46218f3049e636de1830f671b83f4d619f2253ee266a3820662d5c02a371af8737e
Malware Config

Extracted family: systembc
- asdasd08.com:4039
- asdasd08.xyz:4039
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2716  sxcg.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    24    api.ipify.org
    23    api.ipify.org

- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.

- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                        process
    File opened for modification  C:\Windows\Tasks\sxcg.job  61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
    File created                  C:\Windows\Tasks\sxcg.job  61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe

- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2160  1580        WerFault.exe  61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1580  61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
    1580  61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1580
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 484
    - Program crash
    PID: 2160

- C:\ProgramData\pgbvj\sxcg.exe
  Command line: C:\ProgramData\pgbvj\sxcg.exe start
  - Executes dropped EXE
  PID: 2716

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1580 -ip 1580
  PID: 4928
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\pgbvj\sxcg.exe
  Filesize: 70KB
  MD5: f195e871b1ab880b23404610b2b72020
  SHA1: e1098fe407ab6c57d42cb30b31959eb1c9d3eacf
  SHA256: 61910440b8efa275a9aeb143b4d0441b4f67900f8710e8464e4dc4795739268a
  SHA512: 1ceb677353244633fe6d0ee7c253e15c8bab140f01cc82374024e58ae48fd46218f3049e636de1830f671b83f4d619f2253ee266a3820662d5c02a371af8737e
- memory/1580-134-0x0000000000648000-0x000000000064F000-memory.dmp
  Filesize: 28KB

- memory/1580-135-0x0000000000648000-0x000000000064F000-memory.dmp
  Filesize: 28KB

- memory/1580-136-0x0000000000620000-0x0000000000629000-memory.dmp
  Filesize: 36KB

- memory/1580-137-0x0000000000400000-0x00000000004CA000-memory.dmp
  Filesize: 808KB

- memory/2716-140-0x00000000007C3000-0x00000000007C9000-memory.dmp
  Filesize: 24KB

- memory/2716-142-0x0000000000720000-0x0000000000729000-memory.dmp
  Filesize: 36KB

- memory/2716-141-0x00000000007C3000-0x00000000007C9000-memory.dmp
  Filesize: 24KB

- memory/2716-143-0x0000000000400000-0x00000000004CA000-memory.dmp
  Filesize: 808KB