Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-04-2022 07:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: 88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
- Resource: win7-20220414-en
General
- Target: 88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
- Size: 357KB
- MD5: 32294f57e6775a1395ece90371a9deb3
- SHA1: f10794c6e6df36de1d5709492f25b9a5a5a246ae
- SHA256: 88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9
- SHA512: 6cf3b10b5b5dc96a57a0ceb7376c31821e821b05900edf95ead5dc70ed2b2d8bab39d950ae6653fce8a1345d9dc0ef15256ccf2116fe3cb16c40713c8cc25677
Malware Config
- Extracted family: systembc
  - 26asdcgd.com:4039
  - 26asdcgd.xyz:4039
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1176  qsxgbs.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    5     api.ipify.org
    6     api.ipify.org

- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.

- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                          process
    File created                  C:\Windows\Tasks\qsxgbs.job  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
    File opened for modification  C:\Windows\Tasks\qsxgbs.job  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

- Program crash (8 IoCs)
  Processes:
    pid   pid_target  process       target process
    2508  1652        WerFault.exe  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
    2504  1176        WerFault.exe  qsxgbs.exe
    3076  1176        WerFault.exe  qsxgbs.exe
    4756  1652        WerFault.exe  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
    5032  1652        WerFault.exe  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
    4428  1176        WerFault.exe  qsxgbs.exe
    4444  1176        WerFault.exe  qsxgbs.exe
    4640  1652        WerFault.exe  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1652  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
    1652  88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe (PID 1652)
  Command line: "C:\Users\Admin\AppData\Local\Temp\88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (PID 2508)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 488
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4756)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 944
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 5032)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 956
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4640)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 936
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 2548)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1652 -ip 1652

- C:\ProgramData\ckjme\qsxgbs.exe (PID 1176)
  Command line: C:\ProgramData\ckjme\qsxgbs.exe start
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 2504)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 208
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 3076)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 768
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4428)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 772
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4444)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 868
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 1508)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1176 -ip 1176

- C:\Windows\SysWOW64\WerFault.exe (PID 2664)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1176 -ip 1176

- C:\Windows\SysWOW64\WerFault.exe (PID 4424)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1652 -ip 1652

- C:\Windows\SysWOW64\WerFault.exe (PID 4088)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1652 -ip 1652

- C:\Windows\SysWOW64\WerFault.exe (PID 5072)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1176 -ip 1176

- C:\Windows\SysWOW64\WerFault.exe (PID 2372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1176 -ip 1176

- C:\Windows\SysWOW64\WerFault.exe (PID 5092)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1652 -ip 1652
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\ckjme\qsxgbs.exe
  Filesize: 357KB
  MD5: 32294f57e6775a1395ece90371a9deb3
  SHA1: f10794c6e6df36de1d5709492f25b9a5a5a246ae
  SHA256: 88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9
  SHA512: 6cf3b10b5b5dc96a57a0ceb7376c31821e821b05900edf95ead5dc70ed2b2d8bab39d950ae6653fce8a1345d9dc0ef15256ccf2116fe3cb16c40713c8cc25677
- memory/1176-136-0x0000000000DA4000-0x0000000000DAB000-memory.dmp
  Filesize: 28KB
- memory/1176-137-0x0000000000DA4000-0x0000000000DAB000-memory.dmp
  Filesize: 28KB
- memory/1176-138-0x0000000000D50000-0x0000000000D59000-memory.dmp
  Filesize: 36KB
- memory/1176-139-0x0000000000400000-0x0000000000C33000-memory.dmp
  Filesize: 8.2MB
- memory/1652-130-0x0000000000F78000-0x0000000000F7F000-memory.dmp
  Filesize: 28KB
- memory/1652-131-0x0000000000F78000-0x0000000000F7F000-memory.dmp
  Filesize: 28KB
- memory/1652-132-0x0000000000ED0000-0x0000000000ED9000-memory.dmp
  Filesize: 36KB
- memory/1652-133-0x0000000000400000-0x0000000000C33000-memory.dmp
  Filesize: 8.2MB