Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 18-04-2022 10:11
Static task: static1
Behavioral task: behavioral1
Sample: e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
Resource: win7-20220414-en
General
Target: e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
Size: 356KB
MD5: c851a0d3a2cb3e759e85d73f48437fe1
SHA1: 3210b9c823d8c1d75f2770884abc1c675db8081b
SHA256: e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8
SHA512: a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0
Malware Config
Extracted family: systembc
C2 hosts from the extracted config:
sdadvert197.com:4044
mexstat128.com:4044
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4588  vncgkjm.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow  ioc
  16    api.ipify.org
  17    api.ipify.org
-
Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in Windows directory (2 IoCs)
Files:
  description                   ioc                           process
  File created                  C:\Windows\Tasks\vncgkjm.job  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
  File opened for modification  C:\Windows\Tasks\vncgkjm.job  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
-
Program crash (8 IoCs)
Processes:
  pid   pid_target  process       target process
  2228  4752        WerFault.exe  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
  4116  4588        WerFault.exe  vncgkjm.exe
  4496  4588        WerFault.exe  vncgkjm.exe
  1280  4752        WerFault.exe  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
  100   4752        WerFault.exe  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
  1944  4588        WerFault.exe  vncgkjm.exe
  2140  4588        WerFault.exe  vncgkjm.exe
  3048  4752        WerFault.exe  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4752  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
  4752  e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
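The indicators above (sample hashes, the two extracted C2 hosts, the self-copy under C:\ProgramData, the .job file written to C:\Windows\Tasks, and the api.ipify.org lookup) are enough to hunt for this SystemBC run in endpoint telemetry. Note that the dropped vncgkjm.exe carries the same hashes as the submitted sample, so a hash match fires for both processes. The following is an added example, not part of the sandbox report: the event records are constructed to resemble Sysmon-style process, file, DNS and connection events, and the field names ("kind", "image", "target", and so on) are an assumed schema, not any product's real one. It also generalises slightly beyond the report by flagging any other .job file written under C:\Windows\Tasks as a weaker signal.

```python
"""Hunt the indicators from this SystemBC report in endpoint telemetry.

Added example, not part of the sandbox report or of any vendor product.
The events below are constructed to resemble Sysmon-style records; the
field names ("kind", "image", "target", ...) are an assumed schema.
"""
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report: sample hashes, extracted C2 hosts,
# the self-copy in ProgramData, the .job file in C:\Windows\Tasks and the
# external-IP lookup service.
SAMPLE_SHA256 = "e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8"
SAMPLE_MD5 = "c851a0d3a2cb3e759e85d73f48437fe1"
C2_HOSTS = {"sdadvert197.com", "mexstat128.com"}
C2_PORT = 4044
DROPPED_EXE = r"c:\programdata\tqminjo\vncgkjm.exe"
JOB_FILE = r"c:\windows\tasks\vncgkjm.job"
TASKS_DIR = "c:\\windows\\tasks\\"
IP_LOOKUP_HOSTS = {"api.ipify.org"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    label: str
    detail: str


def _norm(path: str) -> str:
    """Case-fold and strip quotes so Windows paths compare reliably."""
    return path.strip('"').lower()


def hunt(events):
    """Return one Finding per indicator hit; one event can yield several."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "process_create":
            img = _norm(ev["image"])
            if (ev.get("sha256", "").lower() == SAMPLE_SHA256
                    or ev.get("md5", "").lower() == SAMPLE_MD5):
                findings.append(Finding(ev["id"], "known_sample_hash", img))
            if img == DROPPED_EXE:
                findings.append(Finding(ev["id"], "dropped_exe_executed", ev.get("cmdline", "")))
        elif kind == "file_create":
            tgt = _norm(ev["target"])
            if tgt == JOB_FILE:
                findings.append(Finding(ev["id"], "tasks_job_persistence", tgt))
            elif tgt.startswith(TASKS_DIR) and tgt.endswith(".job"):
                # Generalisation beyond the report: another .job written here
                # deserves a look, but is a weaker signal than the exact name.
                findings.append(Finding(ev["id"], "tasks_job_unknown", tgt))
            elif tgt == DROPPED_EXE:
                findings.append(Finding(ev["id"], "self_copy_to_programdata", tgt))
        elif kind == "dns_query":
            q = ev["query"].lower().rstrip(".")
            if q in IP_LOOKUP_HOSTS:
                findings.append(Finding(ev["id"], "external_ip_lookup", q))
            if q in C2_HOSTS:
                findings.append(Finding(ev["id"], "c2_dns", q))
        elif kind == "network_connect":
            host, port = ev["dest_host"].lower(), int(ev["dest_port"])
            # Match on the host alone: the configured port is 4044, but an
            # operator can rotate ports more easily than domains.
            if host in C2_HOSTS:
                which = "config port" if port == C2_PORT else "other port"
                findings.append(Finding(ev["id"], "c2_connect", f"{host}:{port} ({which})"))
    return findings


def summarize(findings):
    """Count findings per label, the shape an alert rollup wants."""
    return dict(Counter(f.label for f in findings))


# Constructed telemetry mirroring the report's behaviour, plus two benign rows.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe",
     "sha256": SAMPLE_SHA256, "md5": SAMPLE_MD5},
    {"id": 2, "kind": "file_create", "target": r"C:\Windows\Tasks\vncgkjm.job"},
    {"id": 3, "kind": "file_create", "target": r"C:\ProgramData\tqminjo\vncgkjm.exe"},
    {"id": 4, "kind": "process_create", "image": r"C:\ProgramData\tqminjo\vncgkjm.exe",
     "cmdline": r"C:\ProgramData\tqminjo\vncgkjm.exe start", "sha256": SAMPLE_SHA256},
    {"id": 5, "kind": "dns_query", "query": "api.ipify.org"},
    {"id": 6, "kind": "dns_query", "query": "sdadvert197.com."},
    {"id": 7, "kind": "network_connect", "dest_host": "mexstat128.com", "dest_port": 4044},
    {"id": 8, "kind": "network_connect", "dest_host": "example.com", "dest_port": 4044},  # port alone is not an IoC
    {"id": 9, "kind": "process_create", "image": r"C:\Windows\System32\notepad.exe", "sha256": "00" * 32},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.label} {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Event 4 produces two findings (hash match and execution of the dropped path), which is the expected shape when a sample copies itself byte-for-byte; events 8 and 9 produce none, showing that the C2 port by itself and an unrelated binary do not match.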
Processes
-
C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe"
Depth: 1
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 4752
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 496
  Depth: 2 (child of PID 4752)
  - Program crash
  PID: 2228
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 932
  Depth: 2 (child of PID 4752)
  - Program crash
  PID: 1280
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 976
  Depth: 2 (child of PID 4752)
  - Program crash
  PID: 100
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 504
  Depth: 2 (child of PID 4752)
  - Program crash
  PID: 3048
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4752 -ip 4752
Depth: 1
PID: 860
-
C:\ProgramData\tqminjo\vncgkjm.exe
Command line: C:\ProgramData\tqminjo\vncgkjm.exe start
Depth: 1
- Executes dropped EXE
PID: 4588
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 484
  Depth: 2 (child of PID 4588)
  - Program crash
  PID: 4116
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 776
  Depth: 2 (child of PID 4588)
  - Program crash
  PID: 4496
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 880
  Depth: 2 (child of PID 4588)
  - Program crash
  PID: 1944
-
  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 864
  Depth: 2 (child of PID 4588)
  - Program crash
  PID: 2140
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4588 -ip 4588
Depth: 1
PID: 1520
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4588 -ip 4588
Depth: 1
PID: 4916
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 4752
Depth: 1
PID: 4148
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 4752
Depth: 1
PID: 636
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4588 -ip 4588
Depth: 1
PID: 1936
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4588 -ip 4588
Depth: 1
PID: 4716
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4752 -ip 4752
Depth: 1
PID: 4860
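The tree above is mostly WerFault.exe: both the original sample (PID 4752) and its dropped copy (PID 4588) crashed four times each under the user-mode handler ("-u -p <pid>"), and a second "-pss" form names the same targets via -p/-ip. Reducing a tree like this to counts per target is a routine triage step, because heavy crashing means the behavioural trace may be incomplete and the signature list should not be read as the sample's full capability. The following is an added example, not part of the report: TREE is a hand-transcribed copy of the Processes entries as (depth, pid, command line), the parent-recovery rule (a depth-2 entry belongs to the nearest preceding depth-1 entry) is an assumption about how the sandbox renders its tree, and the functions parse only what the lines show.

```python
"""Reduce the sandbox process tree above to crash statistics.

Added example, not part of the report. TREE is a hand-transcribed copy of the
Processes section as (depth, pid, command line); depth 1 is a top-level
process and depth 2 a child of the nearest preceding depth-1 entry (assumed).
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe"
DROPPED = r"C:\ProgramData\tqminjo\vncgkjm.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"

TREE = [
    (1, 4752, f'"{SAMPLE}"'),
    (2, 2228, f"{WER} -u -p 4752 -s 496"),
    (2, 1280, f"{WER} -u -p 4752 -s 932"),
    (2, 100, f"{WER} -u -p 4752 -s 976"),
    (2, 3048, f"{WER} -u -p 4752 -s 504"),
    (1, 860, f"{WER} -pss -s 180 -p 4752 -ip 4752"),
    (1, 4588, f"{DROPPED} start"),
    (2, 4116, f"{WER} -u -p 4588 -s 484"),
    (2, 4496, f"{WER} -u -p 4588 -s 776"),
    (2, 1944, f"{WER} -u -p 4588 -s 880"),
    (2, 2140, f"{WER} -u -p 4588 -s 864"),
    (1, 1520, f"{WER} -pss -s 484 -p 4588 -ip 4588"),
    (1, 4916, f"{WER} -pss -s 528 -p 4588 -ip 4588"),
    (1, 4148, f"{WER} -pss -s 540 -p 4752 -ip 4752"),
    (1, 636, f"{WER} -pss -s 540 -p 4752 -ip 4752"),
    (1, 1936, f"{WER} -pss -s 556 -p 4588 -ip 4588"),
    (1, 4716, f"{WER} -pss -s 540 -p 4588 -ip 4588"),
    (1, 4860, f"{WER} -pss -s 372 -p 4752 -ip 4752"),
]

# "-u -p <pid>" is the user-mode crash handler launched for <pid>; the "-pss"
# form also carries the target in -p/-ip. The report counts only the -u
# children as "Program crash" IoCs, so the two modes are kept apart.
WERFAULT_RE = re.compile(r"WerFault\.exe\s+(-u|-pss)\b.*?\s-p\s+(\d+)", re.I)


def image_name(cmdline):
    """Basename of the executable in a Windows command line (quoted or not)."""
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1]


def werfault_target(cmdline):
    """(mode, target_pid) for a WerFault.exe command line, else None."""
    m = WERFAULT_RE.search(cmdline)
    return (m.group(1).lower(), int(m.group(2))) if m else None


def build_tree(entries):
    """Recover parent links from the depth markers: (parent_of, children)."""
    parent_of, children, stack = {}, defaultdict(list), []
    for depth, pid, _ in entries:
        del stack[depth - 1:]            # pop back to this entry's parent level
        parent = stack[-1] if stack else None
        parent_of[pid] = parent
        if parent is not None:
            children[parent].append(pid)
        stack.append(pid)
    return parent_of, dict(children)


def crash_report(entries):
    """Crash handler launches per (mode, target image), resolved via PIDs."""
    names = {pid: image_name(cmd) for _, pid, cmd in entries}
    counts = Counter()
    for _, _, cmd in entries:
        hit = werfault_target(cmd)
        if hit:
            mode, target = hit
            counts[(mode, names.get(target, str(target)))] += 1
    return counts


if __name__ == "__main__":
    for (mode, image), n in sorted(crash_report(TREE).items()):
        print(f"{mode:5} {image:<72} {n}")
```

Run against the transcribed tree, the "-u" rows sum to the eight "Program crash" IoCs the report lists, split evenly between the sample and vncgkjm.exe; the parent map ties each "-u" WerFault child back to the PID it was reporting on, and every "-pss" instance sits at the top level with no parent.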
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\tqminjo\vncgkjm.exe
Filesize: 356KB
MD5: c851a0d3a2cb3e759e85d73f48437fe1
SHA1: 3210b9c823d8c1d75f2770884abc1c675db8081b
SHA256: e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8
SHA512: a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0
(identical hashes to the submitted sample: the dropped file is a copy of it)
-
memory/4588-135-0x0000000000D33000-0x0000000000D3A000-memory.dmp
Filesize: 28KB
-
memory/4588-136-0x0000000000CB0000-0x0000000000CB9000-memory.dmp
Filesize: 36KB
-
memory/4588-137-0x0000000000400000-0x0000000000C33000-memory.dmp
Filesize: 8.2MB
-
memory/4752-130-0x0000000000D78000-0x0000000000D7F000-memory.dmp
Filesize: 28KB
-
memory/4752-131-0x0000000002970000-0x0000000002979000-memory.dmp
Filesize: 36KB
-
memory/4752-132-0x0000000000400000-0x0000000000C33000-memory.dmp
Filesize: 8.2MB