Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:56
Static task: static1
Behavioral task: behavioral1
Sample: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
Resource: win7-20220414-en
General
- Target: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
- Size: 87KB
- MD5: 0314c338de096680748e36513fa6385f
- SHA1: b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1
- SHA256: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15
- SHA512: 8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6
Malware Config
Extracted: systembc
- advertrex20.xyz:4044
- gentexman37.xyz:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1720  mmcxvu.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  6     ip4.seeip.org
  7     ip4.seeip.org
  4     api.ipify.org
  5     api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                   ioc                            process
  File created                  C:\Windows\Tasks\mmcxvu.job    0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
  File opened for modification  C:\Windows\Tasks\mmcxvu.job    0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid   process
  1668  0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid   process      target process
  PID 1312 wrote to memory of 1720    1312  taskeng.exe  mmcxvu.exe
  PID 1312 wrote to memory of 1720    1312  taskeng.exe  mmcxvu.exe
  PID 1312 wrote to memory of 1720    1312  taskeng.exe  mmcxvu.exe
  PID 1312 wrote to memory of 1720    1312  taskeng.exe  mmcxvu.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {0A14B2CC-9F7D-408E-929A-7CC0F7266CDD} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\dimfx\mmcxvu.exe (depth 2, child of taskeng.exe)
    Command line: C:\ProgramData\dimfx\mmcxvu.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\dimfx\mmcxvu.exe
  Filesize: 87KB
  MD5: 0314c338de096680748e36513fa6385f
  SHA1: b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1
  SHA256: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15
  SHA512: 8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6
-
memory/1668-54-0x0000000075401000-0x0000000075403000-memory.dmp
  Filesize: 8KB
-
memory/1668-56-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
-
memory/1668-55-0x000000000307B000-0x0000000003082000-memory.dmp
  Filesize: 28KB
-
memory/1668-57-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB
-
memory/1720-59-0x0000000000000000-mapping.dmp
-
memory/1720-62-0x000000000026B000-0x0000000000272000-memory.dmp
  Filesize: 28KB
-
memory/1720-63-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB