Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-04-2022 17:55
Static task: static1
Behavioral task: behavioral1
Sample: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
Resource: win7-20220414-en
General
- Target: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
- Size: 87KB
- MD5: 5781e34d8a456b34ad9d8f7ed8bf9453
- SHA1: 778cdb0dfbfc4651cedaa985505dd28a33d190aa
- SHA256: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e
- SHA512: e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3
Malware Config
Extracted
- Family: systembc
- C2: asdasd08.com:4039
- C2: asdasd08.xyz:4039
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    3492  svwof.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    36    api.ipify.org
    37    api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description                  ioc                           process
    File created                 C:\Windows\Tasks\svwof.job    ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
    File opened for modification C:\Windows\Tasks\svwof.job    ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    2484  4464        WerFault.exe  ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4464  ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
    4464  ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 936
    - Program crash
- C:\ProgramData\ofukds\svwof.exe
  Command line: C:\ProgramData\ofukds\svwof.exe start
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4464 -ip 4464
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ofukds\svwof.exe
  Filesize: 87KB
  MD5: 5781e34d8a456b34ad9d8f7ed8bf9453
  SHA1: 778cdb0dfbfc4651cedaa985505dd28a33d190aa
  SHA256: ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e
  SHA512: e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3
- memory/3492-135-0x0000000003272000-0x0000000003279000-memory.dmp
  Filesize: 28KB
- memory/3492-136-0x00000000030F0000-0x00000000030F9000-memory.dmp
  Filesize: 36KB
- memory/3492-137-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB
- memory/4464-130-0x0000000003029000-0x0000000003030000-memory.dmp
  Filesize: 28KB
- memory/4464-131-0x0000000003120000-0x0000000003129000-memory.dmp
  Filesize: 36KB
- memory/4464-132-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB