Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-04-2022 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
- Resource: win7-20220414-en
General
- Target: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
- Size: 375KB
- MD5: 8ceb7cb380ad45d1264ffb75ad6363e1
- SHA1: 18311e80325eb3bce7f7d8197d5320c360fe42fd
- SHA256: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9
- SHA512: f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960
Malware Config
Extracted
- Family: systembc
- C2: 26asdcgd.com:4039
- C2: 26asdcgd.xyz:4039
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 744  axlk.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow id, IoC):
    7  ip4.seeip.org
    8  ip4.seeip.org
    5  api.ipify.org
    6  api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
    File created: C:\Windows\Tasks\axlk.job
    File opened for modification: C:\Windows\Tasks\axlk.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 600  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: taskeng.exe
    PID 1140 (taskeng.exe) wrote to memory of PID 744 (axlk.exe) (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 600
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F0A2A388-A7FA-4F37-AE8E-6D88ED30B23D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1140
  - C:\ProgramData\tcwebq\axlk.exe (child of taskeng.exe)
    Command line: C:\ProgramData\tcwebq\axlk.exe start
    - Executes dropped EXE
    PID: 744
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\tcwebq\axlk.exe
  Filesize: 375KB
  MD5: 8ceb7cb380ad45d1264ffb75ad6363e1
  SHA1: 18311e80325eb3bce7f7d8197d5320c360fe42fd
  SHA256: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9
  SHA512: f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960
- memory/600-54-0x0000000075871000-0x0000000075873000-memory.dmp (Filesize: 8KB)
- memory/600-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/600-55-0x00000000024E7000-0x00000000024EE000-memory.dmp (Filesize: 28KB)
- memory/600-57-0x0000000000400000-0x000000000231A000-memory.dmp (Filesize: 31.1MB)
- memory/744-59-0x0000000000000000-mapping.dmp
- memory/744-62-0x0000000002437000-0x000000000243D000-memory.dmp (Filesize: 24KB)
- memory/744-63-0x0000000000400000-0x000000000231A000-memory.dmp (Filesize: 31.1MB)