Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 19-04-2022 06:05

Static task: static1
Behavioral task: behavioral1
  Sample: 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
  Resource: win7-20220414-en
General
Target: 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
Size: 168KB
MD5: a554fcbe9859c314ee657507f58bd1ab
SHA1: 3355e28863ab4391e9bba4cf95c214acd44207c1
SHA256: 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd
SHA512: f5e6ebd159ec20352162837750fc6f7d45db6927ed54d75d41ab67d21e45113b596073c23e71ea39cfbe2aaf27bd46c75e2de656d63b254a1eaf208420471673
Malware Config
Extracted family: systembc
C2:
  26asdcgd.com:4039
  26asdcgd.xyz:4039
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    PID 1720  bwqaio.exe

Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 5  api.ipify.org
    flow 6  api.ipify.org
    flow 7  ip4.seeip.org
    flow 8  ip4.seeip.org

Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
  Processes:
    File created               C:\Windows\Tasks\bwqaio.job  by 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
    File opened for modification  C:\Windows\Tasks\bwqaio.job  by 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID 1948  4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source PID -> target PID):
    PID 112 taskeng.exe wrote to memory of PID 1720 bwqaio.exe
    PID 112 taskeng.exe wrote to memory of PID 1720 bwqaio.exe
    PID 112 taskeng.exe wrote to memory of PID 1720 bwqaio.exe
    PID 112 taskeng.exe wrote to memory of PID 1720 bwqaio.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe"
  PID: 1948
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0A14B2CC-9F7D-408E-929A-7CC0F7266CDD} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 112
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\weipwt\bwqaio.exe (child of taskeng.exe)
    Command line: C:\ProgramData\weipwt\bwqaio.exe start
    PID: 1720
    - Executes dropped EXE
Downloads

C:\ProgramData\weipwt\bwqaio.exe
  Filesize: 168KB
  MD5: a554fcbe9859c314ee657507f58bd1ab
  SHA1: 3355e28863ab4391e9bba4cf95c214acd44207c1
  SHA256: 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd
  SHA512: f5e6ebd159ec20352162837750fc6f7d45db6927ed54d75d41ab67d21e45113b596073c23e71ea39cfbe2aaf27bd46c75e2de656d63b254a1eaf208420471673
Memory dumps:
  memory/1720-59-0x0000000000000000-mapping.dmp
  memory/1720-62-0x000000000067B000-0x0000000000682000-memory.dmp  (Filesize: 28KB)
  memory/1720-63-0x0000000000400000-0x00000000004E4000-memory.dmp  (Filesize: 912KB)
  memory/1948-54-0x0000000075401000-0x0000000075403000-memory.dmp  (Filesize: 8KB)
  memory/1948-56-0x0000000000220000-0x0000000000229000-memory.dmp  (Filesize: 36KB)
  memory/1948-55-0x000000000058B000-0x0000000000592000-memory.dmp  (Filesize: 28KB)
  memory/1948-57-0x0000000000400000-0x00000000004E4000-memory.dmp  (Filesize: 912KB)