Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:55
Static task: static1
Behavioral task: behavioral1
Sample: e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe
Resource: win7-20220414-en
General
- Target: e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe
- Size: 89KB
- MD5: 223f824fbc8cacd41d0e119034c1d043
- SHA1: 3b8e9eff67bc8f37431b26dbcde55e0c1767519d
- SHA256: e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf
- SHA512: 849c3d8345b4fcb22afc6786052e06cfa9cb5ac853a318e91be934dbeda7a15ebc068d2d6e2f8b2ad0d7fd88e30660f71703557512175808656c64e337d688e1
Malware Config
Extracted
- systembc
  - advertrex20.xyz:4044
  - gentexman37.xyz:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  1156 qnjj.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  5 api.ipify.org
  6 api.ipify.org
  7 ip4.seeip.org
  8 ip4.seeip.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\Windows\Tasks\qnjj.job by e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe
  File opened for modification: C:\Windows\Tasks\qnjj.job by e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  1100 e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target pid, target process):
  PID 1664 (taskeng.exe) wrote to memory of 1156 (qnjj.exe)
  PID 1664 (taskeng.exe) wrote to memory of 1156 (qnjj.exe)
  PID 1664 (taskeng.exe) wrote to memory of 1156 (qnjj.exe)
  PID 1664 (taskeng.exe) wrote to memory of 1156 (qnjj.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3E25DAF9-6DB0-4704-AAA5-D37DDB5CB97D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\qfjkj\qnjj.exe
    Command line: C:\ProgramData\qfjkj\qnjj.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\qfjkj\qnjj.exe
  Filesize: 89KB
  MD5: 223f824fbc8cacd41d0e119034c1d043
  SHA1: 3b8e9eff67bc8f37431b26dbcde55e0c1767519d
  SHA256: e1d879e9b873962cde3f42e555a2583eca3c135d1f63aebfbbf3dd95f77a30cf
  SHA512: 849c3d8345b4fcb22afc6786052e06cfa9cb5ac853a318e91be934dbeda7a15ebc068d2d6e2f8b2ad0d7fd88e30660f71703557512175808656c64e337d688e1
- memory/1100-54-0x0000000075E31000-0x0000000075E33000-memory.dmp
  Filesize: 8KB
- memory/1100-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
  Filesize: 36KB
- memory/1100-55-0x000000000026B000-0x0000000000272000-memory.dmp
  Filesize: 28KB
- memory/1100-57-0x0000000000400000-0x0000000002FA2000-memory.dmp
  Filesize: 43.6MB
- memory/1156-59-0x0000000000000000-mapping.dmp
- memory/1156-62-0x00000000030AB000-0x00000000030B2000-memory.dmp
  Filesize: 28KB
- memory/1156-63-0x0000000000400000-0x0000000002FA2000-memory.dmp
  Filesize: 43.6MB