Analysis
Max time kernel: 154s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 15-04-2022 08:29
Static task: static1
Behavioral task: behavioral1
Sample: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
Resource: win7-20220414-en
General
Target: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
Size: 85KB
MD5: 281ab6111ab22e0e725a98e5496e7ce5
SHA1: d9f0476d385901285953b8ed0a8fbcbcdfba7da3
SHA256: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d
SHA512: 35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f
Malware Config
Extracted: systembc
  advertrex20.xyz:4044
  gentexman37.xyz:4044
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    PID 1600, process thfm.exe
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
    flow 10, api.ipify.org
    flow 11, api.ipify.org
Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
    File created: C:\Windows\Tasks\thfm.job, by 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
    File opened for modification: C:\Windows\Tasks\thfm.job, by 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    PID 812, target PID 1804, WerFault.exe, target 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1804, process 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
    PID 1804, process 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe"
  Drops file in Windows directory
  Suspicious behavior: EnumeratesProcesses
  PID: 1804
  Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 952
    Program crash
    PID: 812
C:\ProgramData\fdmb\thfm.exe
  Command line: C:\ProgramData\fdmb\thfm.exe start
  Executes dropped EXE
  PID: 1600
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1804 -ip 1804
  PID: 3200
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\fdmb\thfm.exe
  Filesize: 85KB
  MD5: 281ab6111ab22e0e725a98e5496e7ce5
  SHA1: d9f0476d385901285953b8ed0a8fbcbcdfba7da3
  SHA256: 90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d
  SHA512: 35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f
memory/1600-136-0x00000000007B3000-0x00000000007B9000-memory.dmp
  Filesize: 24KB
memory/1600-137-0x00000000007B3000-0x00000000007B9000-memory.dmp
  Filesize: 24KB
memory/1600-138-0x00000000005B0000-0x00000000005B9000-memory.dmp
  Filesize: 36KB
memory/1600-139-0x0000000000400000-0x000000000046C000-memory.dmp
  Filesize: 432KB
memory/1804-130-0x00000000005D8000-0x00000000005DF000-memory.dmp
  Filesize: 28KB
memory/1804-131-0x00000000005D8000-0x00000000005DF000-memory.dmp
  Filesize: 28KB
memory/1804-132-0x0000000002060000-0x0000000002069000-memory.dmp
  Filesize: 36KB
memory/1804-133-0x0000000000400000-0x000000000046C000-memory.dmp
  Filesize: 432KB