Analysis
- max time kernel: 153s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-04-2022 08:29
Static task: static1
Behavioral task: behavioral1
Sample: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
Resource: win7-20220414-en
General
- Target: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
- Size: 85KB
- MD5: 281ab6111ab22e0e725a98e5496e7ce5
- SHA1: d9f0476d385901285953b8ed0a8fbcbcdfba7da3
- SHA256: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d
- SHA512: 35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f
Malware Config
Extracted family: systembc
- advertrex20.xyz:4044
- gentexman37.xyz:4044
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1736 vejgt.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  5 api.ipify.org
  6 api.ipify.org
  7 ip4.seeip.org
  8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  File created: C:\Windows\Tasks\vejgt.job, by 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
  File opened for modification: C:\Windows\Tasks\vejgt.job, by 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  1044 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 936 (taskeng.exe) wrote to memory of 1736 (vejgt.exe), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1044
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7661E5F3-475E-43BF-959C-E32E2086EAA7} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 936
  - C:\ProgramData\nssje\vejgt.exe (child of taskeng.exe)
    Command line: C:\ProgramData\nssje\vejgt.exe start
    - Executes dropped EXE
    PID: 1736
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\nssje\vejgt.exe
  Filesize: 85KB
  MD5: 281ab6111ab22e0e725a98e5496e7ce5
  SHA1: d9f0476d385901285953b8ed0a8fbcbcdfba7da3
  SHA256: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d
  SHA512: 35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f
- memory/1044-54-0x00000000004FB000-0x0000000000502000-memory.dmp (Filesize: 28KB)
- memory/1044-55-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)
- memory/1044-56-0x00000000004FB000-0x0000000000502000-memory.dmp (Filesize: 28KB)
- memory/1044-57-0x00000000002B0000-0x00000000002B9000-memory.dmp (Filesize: 36KB)
- memory/1044-58-0x0000000000400000-0x000000000046C000-memory.dmp (Filesize: 432KB)
- memory/1736-60-0x0000000000000000-mapping.dmp
- memory/1736-62-0x00000000005CB000-0x00000000005D2000-memory.dmp (Filesize: 28KB)
- memory/1736-64-0x00000000005CB000-0x00000000005D2000-memory.dmp (Filesize: 28KB)
- memory/1736-65-0x0000000000400000-0x000000000046C000-memory.dmp (Filesize: 432KB)