Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 13:32

Static task: static1
Behavioral task: behavioral1
Sample: 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
Resource: win7-20220414-en
General
- Target: 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
- Size: 254KB
- MD5: db935d9703763461691ff0250366cfcc
- SHA1: 711569fe53a73d8083bc895f731e80a9a08d3814
- SHA256: 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a
- SHA512: d50c59b46ea4488560a9c343ad2108a3db47e0d33f636758362a2ed3d014f5feab6b0143196fb4ab116fec120433346cf2b43f19341a831cd7e0585c28c31555
Malware Config
Extracted family: systembc
C2 endpoints:
- 26asdcgd.com:4039
- 26asdcgd.xyz:4039
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1416 fjqgn.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 4 api.ipify.org; flow 5 api.ipify.org; flow 6 ip4.seeip.org; flow 7 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. This is tagged as a TTP only; the report lists no Tor-related IoCs (no process, file or flow rows) for it.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\fjqgn.job by 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
  File opened for modification: C:\Windows\Tasks\fjqgn.job by 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
  A .job file under C:\Windows\Tasks is a legacy (Task Scheduler 1.0, AT-style) scheduled task; on Windows 7 the scheduler runs such jobs through taskeng.exe, which is the persistence path visible in the process tree below.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 548 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1508 (taskeng.exe) wrote to memory of PID 1416 (fjqgn.exe); the same source/target pair is recorded four times.
Processes
- C:\Users\Admin\AppData\Local\Temp\1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe (PID 548, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 1508, depth 1)
  Command line: taskeng.exe {A7010D12-A3DC-48B7-B820-63159B4F1EBC} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\vopsr\fjqgn.exe (PID 1416, depth 2, child of taskeng.exe)
    Command line: C:\ProgramData\vopsr\fjqgn.exe start
    - Executes dropped EXE
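The behaviour chain the signatures and process tree describe (a .job dropped into C:\Windows\Tasks by the sample, taskeng.exe launching the copy from C:\ProgramData, then DNS for the IP-lookup services and the extracted C2 hosts) expressed as hunt rules over Sysmon-style events. This is an added example and not part of the sandbox report or any vendor tooling. The event records are constructed to mirror the report; the Sysmon event IDs and field names (EventID 1/11/22, Image, ParentImage, TargetFilename, QueryName) are real, but the JSON shape and the attribution of the DNS queries to PID 1416 are assumptions, since the report's flow table does not name the querying process.

```python
"""Hunt rules for the SystemBC behaviour chain seen in this report, run over
Sysmon-style events.  Added example, not part of the sandbox report.
The events below are constructed to mirror the report's process tree and
signatures; attributing the DNS queries to PID 1416 is an assumption."""
import ntpath

# Indicators taken from the report.
C2_HOSTS = {"26asdcgd.com", "26asdcgd.xyz"}          # extracted SystemBC config, port 4039
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}  # flows 4-7
JOB_DIR = "c:\\windows\\tasks"                        # legacy Task Scheduler 1.0 job store
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def rule_legacy_job_drop(ev):
    """EventID 11 (FileCreate): a .job written under C:\\Windows\\Tasks by an
    image outside system32/syswow64.  The scheduler service writes job files
    itself; a binary in the user's Temp dir doing so is the persistence step."""
    if ev.get("EventID") != 11:
        return None
    target = ev["TargetFilename"].lower()
    if ntpath.dirname(target) != JOB_DIR or not target.endswith(".job"):
        return None
    if ev["Image"].lower().startswith(SYSTEM_DIRS):
        return None
    return ("legacy_job_drop", ev["ProcessId"], target)


def rule_taskeng_spawn(ev):
    """EventID 1 (ProcessCreate): taskeng.exe launching a binary that lives
    under a user-writable root such as C:\\ProgramData."""
    if ev.get("EventID") != 1:
        return None
    if ntpath.basename(ev["ParentImage"].lower()) != "taskeng.exe":
        return None
    image = ev["Image"].lower()
    if not image.startswith(USER_WRITABLE):
        return None
    return ("taskeng_spawn_userwritable", ev["ProcessId"], image)


def rule_dns(ev):
    """EventID 22 (DnsQuery): external-IP lookup service or extracted C2 host."""
    if ev.get("EventID") != 22:
        return None
    name = ev["QueryName"].lower()
    if name in C2_HOSTS:
        return ("systembc_c2_dns", ev["ProcessId"], name)
    if name in IP_LOOKUP_HOSTS:
        return ("external_ip_lookup", ev["ProcessId"], name)
    return None


RULES = (rule_legacy_job_drop, rule_taskeng_spawn, rule_dns)


def hunt(events):
    """Return every (rule, pid, indicator) hit across the event stream."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def correlate(findings):
    """PIDs that close the loop: spawned by taskeng.exe from a user-writable
    path, named after a dropped .job, and resolving a configured C2 host."""
    job_names = {ntpath.splitext(ntpath.basename(t))[0]
                 for kind, _, t in findings if kind == "legacy_job_drop"}
    spawned = {pid: ntpath.splitext(ntpath.basename(img))[0]
               for kind, pid, img in findings if kind == "taskeng_spawn_userwritable"}
    c2_pids = {pid for kind, pid, _ in findings if kind == "systembc_c2_dns"}
    return sorted(pid for pid, name in spawned.items()
                  if name in job_names and pid in c2_pids)


SAMPLE = "1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
TASKENG = "C:\\Windows\\system32\\taskeng.exe"
COPY = "C:\\ProgramData\\vopsr\\fjqgn.exe"

# Constructed events mirroring the report; not real Sysmon output.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 548, "Image": DROPPER, "TargetFilename": COPY},
    {"EventID": 11, "ProcessId": 548, "Image": DROPPER,
     "TargetFilename": "C:\\Windows\\Tasks\\fjqgn.job"},
    {"EventID": 1, "ProcessId": 1416, "ParentProcessId": 1508, "ParentImage": TASKENG,
     "Image": COPY, "CommandLine": COPY + " start"},
    # benign noise: a system binary run by taskeng.exe and an unrelated DNS query
    {"EventID": 1, "ProcessId": 2004, "ParentProcessId": 1508, "ParentImage": TASKENG,
     "Image": "C:\\Windows\\System32\\wermgr.exe", "CommandLine": "wermgr.exe -queuereporting"},
    {"EventID": 22, "ProcessId": 1416, "QueryName": "api.ipify.org"},
    {"EventID": 22, "ProcessId": 1416, "QueryName": "ip4.seeip.org"},
    {"EventID": 22, "ProcessId": 1416, "QueryName": "26asdcgd.com"},
    {"EventID": 22, "ProcessId": 3012, "QueryName": "www.msftncsi.com"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print("SystemBC chain complete for PIDs:", correlate(hunt(SAMPLE_EVENTS)))
```

The job-drop rule deliberately ignores the copy written to C:\ProgramData (the report's "Executes dropped EXE" half of the chain), because a user-writable drop on its own is too noisy; the process-create rule picks that half up via the taskeng.exe parent, and correlate() ties the two together by matching the .job basename to the spawned image so that a benign scheduled task run from the same taskeng.exe instance is not swept in.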
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\vopsr\fjqgn.exe (listed twice in the report)
  Filesize: 254KB
  MD5: db935d9703763461691ff0250366cfcc
  SHA1: 711569fe53a73d8083bc895f731e80a9a08d3814
  SHA256: 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a
  SHA512: d50c59b46ea4488560a9c343ad2108a3db47e0d33f636758362a2ed3d014f5feab6b0143196fb4ab116fec120433346cf2b43f19341a831cd7e0585c28c31555
  All four hashes match the submitted sample, so the dropped file is a byte-for-byte copy of it rather than a second-stage payload.
-
memory/548-54-0x0000000002494000-0x000000000249B000-memory.dmpFilesize
28KB
-
memory/548-55-0x0000000076181000-0x0000000076183000-memory.dmpFilesize
8KB
-
memory/548-56-0x0000000002494000-0x000000000249B000-memory.dmpFilesize
28KB
-
memory/548-57-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB
-
memory/548-58-0x0000000000400000-0x00000000022FC000-memory.dmpFilesize
31.0MB
-
memory/1416-60-0x0000000000000000-mapping.dmp
-
memory/1416-62-0x00000000023B4000-0x00000000023BB000-memory.dmpFilesize
28KB
-
memory/1416-64-0x00000000023B4000-0x00000000023BB000-memory.dmpFilesize
28KB
-
memory/1416-65-0x0000000000400000-0x00000000022FC000-memory.dmpFilesize
31.0MB