Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-04-2022 13:20
Static task: static1
Behavioral task: behavioral1
Sample: e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe
Resource: win7-20220414-en
General
Target: e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe
Size: 281KB
MD5: 4492cce08449651654708c03f621ba63
SHA1: 8896c08bec98a3b7f5c1b6fa8fd005586a035617
SHA256: e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e
SHA512: e0f9c97b2959bb17de8c351fc315ed9691d5f6154907541baedb29448c70e1f57d64cdf59d6cf7408ed8f229ac123da67f2075c53188ffcf1a562735ac417899
Malware Config
Extracted: systembc
C2:
  sdadvert197.com:4044
  mexstat128.com:4044
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1544  obslooi.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  6     api.ipify.org
  7     ip4.seeip.org
  8     ip4.seeip.org
  5     api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  description                   ioc                           process
  File opened for modification  C:\Windows\Tasks\obslooi.job  e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe
  File created                  C:\Windows\Tasks\obslooi.job  e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1240  e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        pid   process      target process
  PID 1620 wrote to memory of 1544   1620  taskeng.exe  obslooi.exe
  PID 1620 wrote to memory of 1544   1620  taskeng.exe  obslooi.exe
  PID 1620 wrote to memory of 1544   1620  taskeng.exe  obslooi.exe
  PID 1620 wrote to memory of 1544   1620  taskeng.exe  obslooi.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1240

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {AFEAC796-239E-45C3-8431-8D7B41F906BD} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1620
  C:\ProgramData\lpvbvb\obslooi.exe
    Command line: C:\ProgramData\lpvbvb\obslooi.exe start
    - Executes dropped EXE
    PID: 1544
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\lpvbvb\obslooi.exe
  Filesize: 281KB
  MD5: 4492cce08449651654708c03f621ba63
  SHA1: 8896c08bec98a3b7f5c1b6fa8fd005586a035617
  SHA256: e3edf5e1c47e823f99c16bf388395a3a51708f492fdd057b58b19660dc96417e
  SHA512: e0f9c97b2959bb17de8c351fc315ed9691d5f6154907541baedb29448c70e1f57d64cdf59d6cf7408ed8f229ac123da67f2075c53188ffcf1a562735ac417899
memory/1240-54-0x00000000753E1000-0x00000000753E3000-memory.dmp
  Filesize: 8KB

memory/1240-55-0x000000000245A000-0x0000000002460000-memory.dmp
  Filesize: 24KB

memory/1240-56-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB

memory/1240-57-0x0000000000400000-0x0000000002304000-memory.dmp
  Filesize: 31.0MB

memory/1544-59-0x0000000000000000-mapping.dmp

memory/1544-62-0x000000000030A000-0x0000000000310000-memory.dmp
  Filesize: 24KB

memory/1544-63-0x0000000000400000-0x0000000002304000-memory.dmp
  Filesize: 31.0MB