Analysis
max time kernel: 169s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 18-04-2022 10:12
Static task: static1
Behavioral task: behavioral1
Sample: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
Resource: win7-20220414-en
General
Target: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
Size: 375KB
MD5: 8ceb7cb380ad45d1264ffb75ad6363e1
SHA1: 18311e80325eb3bce7f7d8197d5320c360fe42fd
SHA256: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9
SHA512: f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960
Malware Config
Extracted
systembc
26asdcgd.com:4039
26asdcgd.xyz:4039
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  3528  nqom.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  22    api.ipify.org
  23    api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  description                   ioc                        process
  File created                  C:\Windows\Tasks\nqom.job  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
  File opened for modification  C:\Windows\Tasks\nqom.job  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe

Program crash (8 IoCs)
Processes:
  pid   pid_target  process       target process
  1336  3528        WerFault.exe  nqom.exe
  264   3528        WerFault.exe  nqom.exe
  2988  1312        WerFault.exe  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
  1320  1312        WerFault.exe  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
  2148  3528        WerFault.exe  nqom.exe
  4604  3528        WerFault.exe  nqom.exe
  4288  1312        WerFault.exe  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
  3868  3528        WerFault.exe  nqom.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1312  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
  1312  b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
Processes (indentation shows process-tree depth)

"C:\Users\Admin\AppData\Local\Temp\b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1312
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 964
      - Program crash
      PID: 2988
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 976
      - Program crash
      PID: 1320
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 484
      - Program crash
      PID: 4288

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1312 -ip 1312
  PID: 4444

C:\ProgramData\vhlg\nqom.exe start
  - Executes dropped EXE
  PID: 3528
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 184
      - Program crash
      PID: 1336
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 584
      - Program crash
      PID: 264
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 584
      - Program crash
      PID: 2148
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 492
      - Program crash
      PID: 4604
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 892
      - Program crash
      PID: 3868

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3528 -ip 3528
  PID: 4612

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3528 -ip 3528
  PID: 312

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1312 -ip 1312
  PID: 4832

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1312 -ip 1312
  PID: 4988

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3528 -ip 3528
  PID: 4380

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3528 -ip 3528
  PID: 1664

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1312 -ip 1312
  PID: 3516

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3528 -ip 3528
  PID: 2624
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\vhlg\nqom.exe
  Filesize: 375KB
  MD5: 8ceb7cb380ad45d1264ffb75ad6363e1
  SHA1: 18311e80325eb3bce7f7d8197d5320c360fe42fd
  SHA256: b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9
  SHA512: f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960

memory/1312-130-0x00000000023C7000-0x00000000023CE000-memory.dmp
  Filesize: 28KB

memory/1312-131-0x0000000004050000-0x0000000004059000-memory.dmp
  Filesize: 36KB

memory/1312-132-0x0000000000400000-0x000000000231A000-memory.dmp
  Filesize: 31.1MB

memory/3528-135-0x0000000002352000-0x0000000002359000-memory.dmp
  Filesize: 28KB

memory/3528-136-0x0000000002490000-0x0000000002499000-memory.dmp
  Filesize: 36KB

memory/3528-137-0x0000000000400000-0x000000000231A000-memory.dmp
  Filesize: 31.1MB