Analysis
max time kernel: 142s
max time network: 172s
platform: windows7_x64
resource: win7-20220414-en
submitted: 18-04-2022 10:14
Static task: static1
Behavioral task: behavioral1
Sample: 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe
Resource: win7-20220414-en
General
Target: 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe
Size: 381KB
MD5: 8be0b78e7331f8376298b9c1f22dd340
SHA1: 8af6cfecea6e51d6e92fb7a0b15b095c2cb2475e
SHA256: 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7
SHA512: f6cca3801b883d971bc4af10dbccb1f018084a18c8f71dd5bb14610aacffdda18057340dd4e88e49d681f6f91141b562a9fb8162c994f3ef6fc45207f65af9f8
Malware Config
Extracted
systembc
sdadvert197.com:4044
mexstat128.com:4044
Signatures

Executes dropped EXE (1 IoC)
Processes (pid, process):
  952 chredwj.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  flow 6: api.ipify.org
  flow 7: ip4.seeip.org
  flow 8: ip4.seeip.org
  flow 5: api.ipify.org

Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
  File created: C:\Windows\Tasks\chredwj.job by 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe
  File opened for modification: C:\Windows\Tasks\chredwj.job by 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid, process):
  660 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
  PID 916 taskeng.exe wrote to memory of PID 952 chredwj.exe (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe"
  Depth: 1
  PID: 660
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0D03EF73-F1F6-41E5-8B7A-97BEFA6F7641} S-1-5-18:NT AUTHORITY\System:Service:
  Depth: 1
  PID: 916
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\amean\chredwj.exe
    Command line: C:\ProgramData\amean\chredwj.exe start
    Depth: 2 (child of PID 916 taskeng.exe)
    PID: 952
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

C:\ProgramData\amean\chredwj.exe
  Filesize: 381KB
  MD5: 8be0b78e7331f8376298b9c1f22dd340
  SHA1: 8af6cfecea6e51d6e92fb7a0b15b095c2cb2475e
  SHA256: 67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7
  SHA512: f6cca3801b883d971bc4af10dbccb1f018084a18c8f71dd5bb14610aacffdda18057340dd4e88e49d681f6f91141b562a9fb8162c994f3ef6fc45207f65af9f8
memory/660-54-0x00000000027A7000-0x00000000027AE000-memory.dmp
  Filesize: 28KB

memory/660-55-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB

memory/660-57-0x00000000003C0000-0x00000000003C9000-memory.dmp
  Filesize: 36KB

memory/660-56-0x00000000027A7000-0x00000000027AE000-memory.dmp
  Filesize: 28KB

memory/660-58-0x0000000000400000-0x000000000231C000-memory.dmp
  Filesize: 31.1MB

memory/952-60-0x0000000000000000-mapping.dmp

memory/952-62-0x0000000000277000-0x000000000027D000-memory.dmp
  Filesize: 24KB

memory/952-64-0x0000000000277000-0x000000000027D000-memory.dmp
  Filesize: 24KB

memory/952-65-0x0000000000400000-0x000000000231C000-memory.dmp
  Filesize: 31.1MB