Analysis
max time kernel: 151s
max time network: 183s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-04-2022 13:29
Static task: static1
Behavioral task: behavioral1
Sample: 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
Resource: win7-20220414-en
General
Target: 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
Size: 204KB
MD5: b8127c859906ad947b89b41119b9c310
SHA1: a9a59ee98af4cdf2587c678f06325b15bbe4d3a7
SHA256: 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0
SHA512: 22957031c45c0aa140b932c9118a52980ad1c9e67aeca34784cb88eea8c7b9a3fddb11ff97752b3b34bdc3cbfdff46233bb267cc8ea5e27525f923b24fa5e9f9
Malware Config
Extracted
Family: systembc
C2: 26asdcgd.com:4039
C2: 26asdcgd.xyz:4039
Signatures
Executes dropped EXE (1 IoC)
  pid 1760  process lpebjg.exe
Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 5  api.ipify.org
  flow 6  api.ipify.org
  flow 7  ip4.seeip.org
  flow 8  ip4.seeip.org
Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. (Family-level TTP; no process or flow IoC is listed for this run.)
Drops file in Windows directory (2 IoCs)
  File created:               C:\Windows\Tasks\lpebjg.job  by 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
  File opened for modification: C:\Windows\Tasks\lpebjg.job  by 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1692  process 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2044 (taskeng.exe) wrote to memory of PID 1760 (lpebjg.exe)  x4
  Note: taskeng.exe is the Windows 7 Task Scheduler engine and PID 1760 is the child it launched for lpebjg.job (see the process tree below); the writes target that child at launch, not an unrelated process. The interesting signal is the persistence chain (.job file plus a randomly named exe under ProgramData), not this signature on its own.
Processes
C:\Users\Admin\AppData\Local\Temp\5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe  (PID 1692)
  command line: "C:\Users\Admin\AppData\Local\Temp\5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\taskeng.exe  (PID 2044)
  command line: taskeng.exe {19BD68C2-AE3B-4899-9B2E-6287D3693A7D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\ahpspxu\lpebjg.exe  (PID 1760, child of taskeng.exe)
    command line: C:\ProgramData\ahpspxu\lpebjg.exe start
    - Executes dropped EXE
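Added hunting example, not part of the sandbox output: a small Python script that turns the chain shown above (dropper writes C:\Windows\Tasks\lpebjg.job and a randomly named exe under C:\ProgramData, taskeng.exe launches it, it looks up its external IP and contacts the SystemBC C2 on port 4039) into host-level detection logic and runs it over Sysmon-style events. The hash, C2 hosts/port, IP-lookup services and paths come from this report; the generalised path patterns, the scheduler/allow-lists, the Event record shape and the sample event records are this example's own assumptions, with the events constructed to mirror the process tree so it runs offline.

```python
"""Hunt for the SystemBC persistence and C2 chain described in this report.

Added example, not part of the sandbox output. Indicator values (hash, C2
hosts/port, IP-lookup services, dropped paths) come from the report; the
generalised path patterns, allow-lists and event records are assumptions, and
the sample events are constructed to mirror the report so this runs offline.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report.
SAMPLE_SHA256 = "5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0"
C2_HOSTS = {"26asdcgd.com", "26asdcgd.xyz"}          # SystemBC config, port 4039
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}

# Generalised from the observed paths (assumption): a randomly named folder and
# exe under ProgramData, and a .job file in C:\Windows\Tasks.
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[a-z0-9]+\\[a-z0-9]+\.exe$", re.I)
TASK_JOB = re.compile(r"^c:\\windows\\tasks\\[a-z0-9]+\.job$", re.I)
# Task Scheduler hosts (taskeng.exe on Windows 7, the Schedule service inside
# svchost.exe) and processes that legitimately write .job files (assumption).
TASK_ENGINES = {"taskeng.exe", "svchost.exe"}
JOB_WRITERS = {"svchost.exe", "schtasks.exe", "mmc.exe"}


@dataclass
class Event:
    """One Sysmon-style record; fields that do not apply to a kind stay empty."""
    kind: str               # "process" | "file" | "dns" | "net"
    pid: int
    image: str              # full path of the acting process
    parent_image: str = ""  # process events only
    target: str = ""        # created file, queried name, or remote host
    port: int = 0           # net events only
    sha256: str = ""        # process events, when the sensor hashes images


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid, detail) findings for one host's event stream."""
    findings = []
    for e in events:
        if e.sha256.lower() == SAMPLE_SHA256:
            findings.append(("hash_match", e.pid, e.image))
        if e.kind == "file":
            # The dropper, not the scheduler, wrote the .job file: persistence.
            if TASK_JOB.match(e.target) and basename(e.image) not in JOB_WRITERS:
                findings.append(("job_file_persistence", e.pid, e.target))
            if PROGRAMDATA_EXE.match(e.target):
                findings.append(("dropped_programdata_exe", e.pid, e.target))
        elif e.kind == "process":
            # Scheduler-launched binary living in a random ProgramData folder.
            if PROGRAMDATA_EXE.match(e.image) and basename(e.parent_image) in TASK_ENGINES:
                findings.append(("task_launched_programdata_exe", e.pid, e.image))
        elif e.kind in ("dns", "net"):
            host = e.target.lower()
            if host in C2_HOSTS:
                findings.append(("c2_contact", e.pid, f"{host}:{e.port}" if e.port else host))
            elif host in IP_LOOKUP_HOSTS and PROGRAMDATA_EXE.match(e.image):
                findings.append(("external_ip_lookup", e.pid, host))
    return findings


def verdict(findings):
    rules = {rule for rule, _, _ in findings}
    if rules & {"hash_match", "c2_contact"}:
        return "systembc"
    if {"job_file_persistence", "task_launched_programdata_exe"} <= rules:
        return "suspicious_task_persistence"
    return "clean"


# Constructed events mirroring the report's process tree (PIDs 1692, 2044, 1760).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe"
IMPLANT = r"C:\ProgramData\ahpspxu\lpebjg.exe"
SAMPLE_EVENTS = [
    Event("process", 1692, DROPPER, sha256=SAMPLE_SHA256),
    Event("file", 1692, DROPPER, target=r"C:\Windows\Tasks\lpebjg.job"),
    Event("file", 1692, DROPPER, target=IMPLANT),
    Event("process", 1760, IMPLANT, parent_image=r"C:\Windows\system32\taskeng.exe", sha256=SAMPLE_SHA256),
    Event("dns", 1760, IMPLANT, target="api.ipify.org"),
    Event("net", 1760, IMPLANT, target="26asdcgd.com", port=4039),
]
# Constructed benign activity that must not fire: the scheduler service writing
# its own .job file and a browser visiting an IP-lookup site.
BENIGN_EVENTS = [
    Event("file", 300, r"C:\Windows\system32\svchost.exe", target=r"C:\Windows\Tasks\Update.job"),
    Event("dns", 400, r"C:\Program Files\Mozilla Firefox\firefox.exe", target="api.ipify.org"),
]

if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        found = hunt(evs)
        print(name, verdict(found))
        for rule, pid, detail in found:
            print(f"  {rule:<32} pid={pid} {detail}")
```

The hash and C2 rules are exact-match and only catch this build; the structural rules (non-scheduler process writing C:\Windows\Tasks\*.job, scheduler-launched exe from a random ProgramData folder, IP-lookup query from such a process) are what survive a rebuild of the sample, at the cost of needing the allow-lists tuned for the environment.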
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\ahpspxu\lpebjg.exe
  Filesize: 204KB
  MD5: b8127c859906ad947b89b41119b9c310
  SHA1: a9a59ee98af4cdf2587c678f06325b15bbe4d3a7
  SHA256: 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0
  SHA512: 22957031c45c0aa140b932c9118a52980ad1c9e67aeca34784cb88eea8c7b9a3fddb11ff97752b3b34bdc3cbfdff46233bb267cc8ea5e27525f923b24fa5e9f9
  Note: every hash matches the submitted sample, so the dropper copies itself to ProgramData unchanged; a hash-based block on the original file also covers the persisted copy.
Memory dumps
memory/1692-54-0x00000000023DA000-0x00000000023E1000-memory.dmp  Filesize: 28KB
memory/1692-55-0x0000000075F21000-0x0000000075F23000-memory.dmp  Filesize: 8KB
memory/1692-56-0x00000000023DA000-0x00000000023E1000-memory.dmp  Filesize: 28KB
memory/1692-57-0x0000000000020000-0x0000000000029000-memory.dmp  Filesize: 36KB
memory/1692-58-0x0000000000400000-0x00000000022F0000-memory.dmp  Filesize: 30.9MB
memory/1760-60-0x0000000000000000-mapping.dmp
memory/1760-64-0x0000000000230000-0x0000000000330000-memory.dmp  Filesize: 1024KB
memory/1760-65-0x0000000000400000-0x00000000022F0000-memory.dmp  Filesize: 30.9MB