Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 18-04-2022 01:18
Static task: static1
Behavioral task: behavioral1
Sample: b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
Resource: win7-20220414-en
General
Target: b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
Size: 89KB
MD5: ef794afbd770b7ee3c8a9ccffb9810fe
SHA1: 1bc62eeef9f672fbde7df2de77b15b25dbc87610
SHA256: b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816
SHA512: bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d
Malware Config
Extracted
systembc
23hfdne.com:4035
23hfdne.xyz:4035
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1484  qskbq.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  5     api.ipify.org
  6     api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  description                  ioc                          process
  File opened for modification C:\Windows\Tasks\qskbq.job   b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
  File created                 C:\Windows\Tasks\qskbq.job   b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  4400  4260        WerFault.exe  b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4260  b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
  4260  b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   PID: 4260

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 956
      - Program crash
      PID: 4400

1. C:\ProgramData\oeaj\qskbq.exe
   Command line: C:\ProgramData\oeaj\qskbq.exe start
   - Executes dropped EXE
   PID: 1484

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4260 -ip 4260
   PID: 1332
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\oeaj\qskbq.exe
Filesize: 89KB
MD5: ef794afbd770b7ee3c8a9ccffb9810fe
SHA1: 1bc62eeef9f672fbde7df2de77b15b25dbc87610
SHA256: b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816
SHA512: bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

memory/1484-136-0x0000000000742000-0x0000000000749000-memory.dmp
Filesize: 28KB

memory/1484-137-0x0000000000742000-0x0000000000749000-memory.dmp
Filesize: 28KB

memory/1484-138-0x0000000000400000-0x00000000004D1000-memory.dmp
Filesize: 836KB

memory/4260-130-0x0000000000898000-0x000000000089F000-memory.dmp
Filesize: 28KB

memory/4260-131-0x0000000000898000-0x000000000089F000-memory.dmp
Filesize: 28KB

memory/4260-132-0x0000000002220000-0x0000000002229000-memory.dmp
Filesize: 36KB

memory/4260-133-0x0000000000400000-0x00000000004D1000-memory.dmp
Filesize: 836KB