Analysis
max time kernel: 189s
max time network: 199s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-04-2022 15:58
Static task: static1
Behavioral task: behavioral1
Sample: 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe
Resource: win7-20220414-en
General
Target: 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe
Size: 267KB
MD5: 96b1c3d8279ef00b1b8b1e2c4bc64d77
SHA1: d9cece2958797a7fe2895ef9fe9ebdb80717de73
SHA256: 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a
SHA512: 120778338d6507742dfdf3a911f9c7de509bab853cf6c0332cd936c8ec0bb469e5c26fc1dda4768e66d09f6eadcbd98713efea26c49a35c433a5642e27f79127
Malware Config
Extracted family: systembc
C2: advertrex20.xyz:4044
C2: gentexman37.xyz:4044
Signatures
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

Executes dropped EXE (1 IoC)
Processes:
pid 3828  process igcsq.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 57  ioc api.ipify.org
flow 64  ioc ip4.seeip.org

Drops file in Windows directory (2 IoCs)
Processes:
File created                 C:\Windows\Tasks\igcsq.job  by 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe
File opened for modification C:\Windows\Tasks\igcsq.job  by 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe

Program crash (1 IoC)
Processes:
pid 4840  process WerFault.exe  target pid 432  target process 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid 432  process 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe
pid 432  process 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe
Processes
C:\Users\Admin\AppData\Local\Temp\29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 948
      - Program crash
C:\ProgramData\caenqbp\igcsq.exe
  command line: C:\ProgramData\caenqbp\igcsq.exe start
  - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 432 -ip 432
Network
MITRE ATT&CK Matrix
Downloads
C:\ProgramData\caenqbp\igcsq.exe
  Filesize: 267KB
  MD5: 96b1c3d8279ef00b1b8b1e2c4bc64d77
  SHA1: d9cece2958797a7fe2895ef9fe9ebdb80717de73
  SHA256: 29419e77b22185d288de119f4a415e5f5aebdd8034ab2fa5afbbca3b6866b20a
  SHA512: 120778338d6507742dfdf3a911f9c7de509bab853cf6c0332cd936c8ec0bb469e5c26fc1dda4768e66d09f6eadcbd98713efea26c49a35c433a5642e27f79127
memory/432-130-0x0000000000030000-0x0000000000036000-memory.dmp
  Filesize: 24KB
memory/432-131-0x00000000001C0000-0x00000000001C9000-memory.dmp
  Filesize: 36KB
memory/432-132-0x0000000000400000-0x00000000004D3000-memory.dmp
  Filesize: 844KB
memory/3828-135-0x0000000000400000-0x00000000004D3000-memory.dmp
  Filesize: 844KB