Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 19-04-2022 13:25
Static task: static1
Behavioral task: behavioral1
Sample: 8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
Resource: win7-20220414-en
General
Target: 8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
Size: 203KB
MD5: 40bd21b534a875137016dd1c93407366
SHA1: 941dcff9464e407c060051475758f84e80998417
SHA256: 8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a
SHA512: e5466a0c3b4e1c74192ee2db85bf3809904687934b6e2ffb2a1469b8f6510d03d80c948b364a67ed43fd4f753b29355dcb3252ecc073bca21e2880b4254ab31e
Malware Config
Extracted family: systembc
CnC servers:
  sdadvert197.com:4044
  mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query (2 alerts)
- Executes dropped EXE (1 IoC)
  Processes: PID 620 bhuqb.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow, ioc):
    5  api.ipify.org
    6  ip4.seeip.org
    7  ip4.seeip.org
    4  api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\Tasks\bhuqb.job  8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
    File created                  C:\Windows\Tasks\bhuqb.job  8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 2024 8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 1672 taskeng.exe wrote to memory of PID 620 bhuqb.exe (reported 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2024
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {46AACDE0-CFB8-45EA-A84F-8D22EC209F49} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1672
    C:\ProgramData\owtpcf\bhuqb.exe (child of taskeng.exe)
      Command line: C:\ProgramData\owtpcf\bhuqb.exe start
      - Executes dropped EXE
      PID: 620
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\owtpcf\bhuqb.exe
  Filesize: 203KB
  MD5: 40bd21b534a875137016dd1c93407366
  SHA1: 941dcff9464e407c060051475758f84e80998417
  SHA256: 8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a
  SHA512: e5466a0c3b4e1c74192ee2db85bf3809904687934b6e2ffb2a1469b8f6510d03d80c948b364a67ed43fd4f753b29355dcb3252ecc073bca21e2880b4254ab31e
memory/620-60-0x0000000000000000-mapping.dmp
memory/620-62-0x000000000030A000-0x0000000000310000-memory.dmp
  Filesize: 24KB
memory/620-64-0x000000000030A000-0x0000000000310000-memory.dmp
  Filesize: 24KB
memory/620-65-0x0000000000400000-0x00000000022EF000-memory.dmp
  Filesize: 30.9MB
memory/2024-54-0x000000000242A000-0x0000000002430000-memory.dmp
  Filesize: 24KB
memory/2024-55-0x0000000076011000-0x0000000076013000-memory.dmp
  Filesize: 8KB
memory/2024-57-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB
memory/2024-56-0x000000000242A000-0x0000000002430000-memory.dmp
  Filesize: 24KB
memory/2024-58-0x0000000000400000-0x00000000022EF000-memory.dmp
  Filesize: 30.9MB