Analysis
- max time kernel: 152s
- max time network: 189s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:55

Static task: static1
Behavioral task: behavioral1
- Sample: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
- Resource: win7-20220414-en
General
- Target: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
- Size: 87KB
- MD5: 5781e34d8a456b34ad9d8f7ed8bf9453
- SHA1: 778cdb0dfbfc4651cedaa985505dd28a33d190aa
- SHA256: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e
- SHA512: e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3
Malware Config
Extracted: systembc
- C2: asdasd08.com:4039
- C2: asdasd08.xyz:4039
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 2044 | olshkxp.exe

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  - 5 | api.ipify.org
  - 6 | api.ipify.org
  - 7 | ip4.seeip.org

- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.

- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\Tasks\olshkxp.job | ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
  - File created | C:\Windows\Tasks\olshkxp.job | ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
  - 1752 | ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  - PID 1712 wrote to memory of 2044 | 1712 | taskeng.exe | olshkxp.exe
  - PID 1712 wrote to memory of 2044 | 1712 | taskeng.exe | olshkxp.exe
  - PID 1712 wrote to memory of 2044 | 1712 | taskeng.exe | olshkxp.exe
  - PID 1712 wrote to memory of 2044 | 1712 | taskeng.exe | olshkxp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6DAEAF14-9778-4012-B89C-3D616D663D65} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child: C:\ProgramData\vkpa\olshkxp.exe
    Command line: C:\ProgramData\vkpa\olshkxp.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\vkpa\olshkxp.exe
  Filesize: 87KB
  MD5: 5781e34d8a456b34ad9d8f7ed8bf9453
  SHA1: 778cdb0dfbfc4651cedaa985505dd28a33d190aa
  SHA256: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e
  SHA512: e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3
- memory/1752-54-0x00000000750C1000-0x00000000750C3000-memory.dmp
  Filesize: 8KB
- memory/1752-56-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
- memory/1752-55-0x000000000342B000-0x0000000003432000-memory.dmp
  Filesize: 28KB
- memory/1752-57-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB
- memory/2044-59-0x0000000000000000-mapping.dmp
- memory/2044-62-0x000000000310B000-0x0000000003112000-memory.dmp
  Filesize: 28KB
- memory/2044-63-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB