Analysis
Max time kernel: 151s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 19-04-2022 13:17
Static task: static1
Behavioral task: behavioral1
Sample: fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe
Resource: win7-20220414-en
General
Target: fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe
Size: 203KB
MD5: 3b357e5c6891ce1a4ad293a63ac75cdb
SHA1: dc4fc7e3bffa09591dfe75d76d8cdebec9e169f8
SHA256: fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25
SHA512: 5780e9966b40756f434b67b8f5b2e46e5de24adc4e728f52783e9b8d29a027b7718748a330144e1353820af4348acdda373fb99ff1d89b7b5bfeccb03a0f8d2b
Malware Config
Extracted family: systembc
C2: sdadvert197.com:4044
C2: mexstat128.com:4044
Signatures

Executes dropped EXE (1 IoC)
Process: PID 940 nnbjklt.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows: 5 api.ipify.org; 6 api.ipify.org; 7 ip4.seeip.org; 8 ip4.seeip.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
File created: C:\Windows\Tasks\nnbjklt.job by fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe
File opened for modification: C:\Windows\Tasks\nnbjklt.job by fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: PID 1480 fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

Suspicious use of WriteProcessMemory (4 IoCs)
PID 1172 taskeng.exe wrote to memory of PID 940 nnbjklt.exe (four identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe (PID 1480)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe (PID 1172)
  Command line: taskeng.exe {F0A2A388-A7FA-4F37-AE8E-6D88ED30B23D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  Child: C:\ProgramData\fwavpmq\nnbjklt.exe (PID 940)
    Command line: C:\ProgramData\fwavpmq\nnbjklt.exe start
    - Executes dropped EXE
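The report gives two kinds of indicators: atomic ones (the two SystemBC C2 hosts on port 4044, the sample hashes) and a behavioural chain (the sample writes C:\Windows\Tasks\nnbjklt.job, the Task Scheduler engine taskeng.exe later starts a copy from C:\ProgramData\fwavpmq\nnbjklt.exe, and that copy resolves api.ipify.org and ip4.seeip.org before contacting the C2). The C2 domains are the most fragile of these; the directory and file names look random, so a detection should match the shape of the chain rather than the names. The following is an added example, not code from the sandbox report or from any vendor: it turns the report's IOCs into a small rule set and runs it over constructed, Sysmon-style telemetry flattened to key=value lines. The event and field names (event, pid, image, parent_image, path, query, dest_host, dest_port, sha256) are assumptions, not a real product's schema, and the assumption that legitimate .job files are written only by binaries under C:\Windows is stated in the code.

```python
"""Detection checks derived from the IOCs in the sandbox report above.

Added example, not part of the report. The log lines are constructed to
resemble endpoint telemetry flattened to key=value pairs; event and field
names are assumptions, not a real product's schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Atomic IOCs copied from the report
C2_HOSTS = {"sdadvert197.com", "mexstat128.com"}
C2_PORT = 4044
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}
SAMPLE_SHA256 = "fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25"
SAMPLE_MD5 = "3b357e5c6891ce1a4ad293a63ac75cdb"

# Behavioural patterns generalised from the report. The names fwavpmq and
# nnbjklt look random, so match the path shape, not the names.
JOB_FILE_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^c:\\programdata\\[a-z0-9]+\\[a-z0-9]+\.exe$", re.I)


@dataclass(frozen=True)
class Hit:
    severity: str
    rule: str
    pid: str


def parse(line):
    """Split 'k=v|k=v' into a dict; values may contain backslashes but not '|'."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)


def check_event(ev):
    """Return the Hits a single event triggers (possibly several)."""
    kind, pid = ev.get("event"), ev.get("pid", "?")
    image = ev.get("image", "").lower()
    hits = []
    if ev.get("sha256", "").lower() == SAMPLE_SHA256 or ev.get("md5", "").lower() == SAMPLE_MD5:
        hits.append(Hit("high", "known_sample_hash", pid))
    # A .job file written under C:\Windows\Tasks by something outside C:\Windows.
    # Assumption: on this host, legitimate task creation goes through Windows binaries.
    if kind == "file_create" and JOB_FILE_RE.match(ev.get("path", "")) \
            and not image.startswith("c:\\windows\\"):
        hits.append(Hit("medium", "job_file_from_userland", pid))
    # Task Scheduler engine starting an exe from a bare ProgramData\<x>\<y>.exe path
    if kind == "process_create" and ev.get("parent_image", "").lower().endswith("\\taskeng.exe") \
            and PROGRAMDATA_EXE_RE.match(image):
        hits.append(Hit("medium", "taskeng_runs_programdata_exe", pid))
    # External IP lookup is benign on its own, so it only rates low severity
    if kind == "dns_query" and ev.get("query", "").lower() in IP_LOOKUP_HOSTS:
        hits.append(Hit("low", "external_ip_lookup", pid))
    if kind == "network_connect" and ev.get("dest_host", "").lower() in C2_HOSTS \
            and int(ev.get("dest_port", "0")) == C2_PORT:
        hits.append(Hit("high", "systembc_c2", pid))
    return hits


def scan(lines):
    hits = []
    for line in lines:
        hits.extend(check_event(parse(line)))
    return hits


def correlate(hits):
    """PIDs showing the behavioural chain without relying on C2 domains:
    started by taskeng.exe from ProgramData AND looked up the external IP."""
    rules_by_pid = defaultdict(set)
    for h in hits:
        rules_by_pid[h.pid].add(h.rule)
    wanted = {"taskeng_runs_programdata_exe", "external_ip_lookup"}
    return sorted(pid for pid, rules in rules_by_pid.items() if wanted <= rules)


# Constructed telemetry mirroring the report's process tree, plus two benign lines
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe"
LOGS = [
    f"event=process_create|pid=1480|ppid=600|image={SAMPLE}|sha256={SAMPLE_SHA256}",
    f"event=file_create|pid=1480|image={SAMPLE}|path=C:\\Windows\\Tasks\\nnbjklt.job",
    r"event=process_create|pid=940|ppid=1172|parent_image=C:\Windows\system32\taskeng.exe"
    r"|image=C:\ProgramData\fwavpmq\nnbjklt.exe|cmdline=C:\ProgramData\fwavpmq\nnbjklt.exe start",
    "event=dns_query|pid=940|query=api.ipify.org",
    "event=dns_query|pid=940|query=ip4.seeip.org",
    "event=network_connect|pid=940|dest_host=sdadvert197.com|dest_port=4044",
    "event=network_connect|pid=940|dest_host=mexstat128.com|dest_port=4044",
    "event=dns_query|pid=2222|query=api.ipify.org",  # an admin checking the egress IP
    r"event=process_create|pid=3333|ppid=1172|parent_image=C:\Windows\system32\taskeng.exe"
    r"|image=C:\Program Files\Vendor\updater.exe",  # a vendor's scheduled updater
]

if __name__ == "__main__":
    found = scan(LOGS)
    for h in found:
        print(f"[{h.severity:6}] pid={h.pid:5} {h.rule}")
    print("behavioural chain seen in pids:", correlate(found))
```

On the constructed input, PID 1480 trips the hash rule and the job-file rule, PID 940 trips the taskeng/ProgramData rule, both IP-lookup rules and both C2 rules, the lone admin lookup (PID 2222) stays a low-severity hit, and the vendor updater (PID 3333) produces nothing. The correlate() step is the part worth keeping once the C2 domains in this report have rotated: it flags only PID 940, from the execution chain and the IP lookup alone.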
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\fwavpmq\nnbjklt.exe
Filesize: 203KB
MD5: 3b357e5c6891ce1a4ad293a63ac75cdb
SHA1: dc4fc7e3bffa09591dfe75d76d8cdebec9e169f8
SHA256: fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25
SHA512: 5780e9966b40756f434b67b8f5b2e46e5de24adc4e728f52783e9b8d29a027b7718748a330144e1353820af4348acdda373fb99ff1d89b7b5bfeccb03a0f8d2b
(Size and all four hashes are identical to the submitted sample's, so the dropped file is an unmodified copy of the sample placed under C:\ProgramData\fwavpmq\.)
memory/940-60-0x0000000000000000-mapping.dmp
memory/940-62-0x000000000249A000-0x00000000024A0000-memory.dmp (24KB)
memory/940-64-0x000000000249A000-0x00000000024A0000-memory.dmp (24KB)
memory/940-65-0x0000000000400000-0x00000000022EF000-memory.dmp (30.9MB)
memory/1480-54-0x000000000238A000-0x0000000002390000-memory.dmp (24KB)
memory/1480-55-0x0000000075871000-0x0000000075873000-memory.dmp (8KB)
memory/1480-56-0x000000000238A000-0x0000000002390000-memory.dmp (24KB)
memory/1480-57-0x0000000000030000-0x0000000000039000-memory.dmp (36KB)
memory/1480-58-0x0000000000400000-0x00000000022EF000-memory.dmp (30.9MB)