Analysis

max time kernel: 154s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-04-2022 17:56

Static task: static1
Behavioral task: behavioral1
Sample: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
Resource: win7-20220414-en
General

Target: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
Size: 87KB
MD5: 0314c338de096680748e36513fa6385f
SHA1: b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1
SHA256: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15
SHA512: 8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6
Malware Config

Extracted: systembc
  advertrex20.xyz:4044
  gentexman37.xyz:4044
Signatures

suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

Executes dropped EXE (1 IoC)
Processes:
  pid 4904: hbuc.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
  flow 37: api.ipify.org
  flow 38: api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  File created: C:\Windows\Tasks\hbuc.job (process 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe)
  File opened for modification: C:\Windows\Tasks\hbuc.job (process 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe)

Program crash (1 IoC)
Processes:
  pid 1056: WerFault.exe, target pid 4032: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 4032: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
  pid 4032: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 948
      - Program crash

C:\ProgramData\hevj\hbuc.exe
  Command line: C:\ProgramData\hevj\hbuc.exe start
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4032 -ip 4032
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\hevj\hbuc.exe
  Filesize: 87KB
  MD5: 0314c338de096680748e36513fa6385f
  SHA1: b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1
  SHA256: 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15
  SHA512: 8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6
memory/4032-131-0x0000000003070000-0x0000000003079000-memory.dmp
  Filesize: 36KB

memory/4032-130-0x00000000030C8000-0x00000000030CF000-memory.dmp
  Filesize: 28KB

memory/4032-132-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB

memory/4904-135-0x0000000003263000-0x0000000003269000-memory.dmp
  Filesize: 24KB

memory/4904-136-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB