Analysis
- max time kernel: 150s
- max time network: 175s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-04-2022 10:12

Static task: static1
Behavioral task: behavioral1
Sample: b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69.exe
Resource: win7-20220414-en
General
- Target: b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69.exe
- Size: 331KB
- MD5: 5141357dda4fab9146a6724f8793f634
- SHA1: 05ff08362df5e50e457cfa10c4c6b730ca722ea9
- SHA256: b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69
- SHA512: 1a4d16fb1d0633909f8551d9095dd708966b4cba47ce8c3504fda3456c290ba685cd0e234a9fe98a78913eb19193877f014ca74c22090592ddccdba1d92f43be
Malware Config
Extracted family: systembc
- 26asdcgd.com:4039
- 26asdcgd.xyz:4039
Signatures
- Executes dropped EXE (1 IoC)
  Process: lnasq.exe, PID 2044
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 5 api.ipify.org; flow 6 api.ipify.org; flow 7 ip4.seeip.org; flow 8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69.exe:
  File created: C:\Windows\Tasks\lnasq.job
  File opened for modification: C:\Windows\Tasks\lnasq.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69.exe, PID 1652
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1192 taskeng.exe wrote to memory of PID 2044 lnasq.exe (4 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  PID: 1652
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5BE5D619-6E45-4C1A-A49D-486A249DB7D4} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1192
  - C:\ProgramData\gmsedx\lnasq.exe (child of taskeng.exe)
    Command line: C:\ProgramData\gmsedx\lnasq.exe start
    Signatures: Executes dropped EXE
    PID: 2044
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\gmsedx\lnasq.exe (same hashes as the submitted sample)
  Filesize: 331KB
  MD5: 5141357dda4fab9146a6724f8793f634
  SHA1: 05ff08362df5e50e457cfa10c4c6b730ca722ea9
  SHA256: b1dd18e76c03df66c80e63806ab5e7117232c22dfbd5c275d4aea13da9a3bf69
  SHA512: 1a4d16fb1d0633909f8551d9095dd708966b4cba47ce8c3504fda3456c290ba685cd0e234a9fe98a78913eb19193877f014ca74c22090592ddccdba1d92f43be
- memory/1652-54-0x0000000000CC5000-0x0000000000CCC000-memory.dmp: 28KB
- memory/1652-55-0x0000000075781000-0x0000000075783000-memory.dmp: 8KB
- memory/1652-56-0x0000000000CC5000-0x0000000000CCC000-memory.dmp: 28KB
- memory/1652-57-0x0000000000020000-0x0000000000029000-memory.dmp: 36KB
- memory/1652-58-0x0000000000400000-0x0000000000C2C000-memory.dmp: 8.2MB
- memory/2044-60-0x0000000000000000-mapping.dmp
- memory/2044-62-0x0000000000DE5000-0x0000000000DEC000-memory.dmp: 28KB
- memory/2044-64-0x0000000000DE5000-0x0000000000DEC000-memory.dmp: 28KB
- memory/2044-65-0x0000000000400000-0x0000000000C2C000-memory.dmp: 8.2MB