Analysis

max time kernel: 144s
max time network: 154s
platform: windows7_x64
resource: win7-20220414-en
submitted: 27-04-2022 17:55

Static task: static1
Behavioral task: behavioral1
Sample: e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
Resource: win7-20220414-en
General

Target: e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
Size: 86KB
MD5: ee901758b646be29eec10374025e5aea
SHA1: 5dce870f80a5a97d0a05df73696222b7c2a3d528
SHA256: e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6
SHA512: 9c7b1911e92395e41bd10a5138475063ff7675220fdb10722e35f830e2f132d97a9449dfb61547f7866a3a1a9e6cf3401b29359e982035ebb08345fd0303fc65
Malware Config

Extracted family: systembc
C2: advertrex20.xyz:4044
C2: gentexman37.xyz:4044
Signatures

suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query (2 alerts)
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  960   infg.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow  ioc
  7     ip4.seeip.org
  4     api.ipify.org
  5     api.ipify.org
  6     ip4.seeip.org
Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
Drops file in Windows directory (2 IoCs)
Processes:
  description                    ioc                         process
  File created                   C:\Windows\Tasks\infg.job   e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
  File opened for modification   C:\Windows\Tasks\infg.job   e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
A .job file under C:\Windows\Tasks is a legacy Task Scheduler job; this is the persistence mechanism, and it accounts for taskeng.exe launching infg.exe in the process tree below.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid    process
  1988   e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid    process       target process
  PID 1216 wrote to memory of 960   1216   taskeng.exe   infg.exe
  (the same event is recorded four times)
A parent writing into a child it has just created is part of normal process start-up, so taskeng.exe writing into infg.exe is not by itself evidence of code injection. What matters here is the parent: a scheduled task is the launcher of an executable dropped under C:\ProgramData.
Processes

C:\Users\Admin\AppData\Local\Temp\e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {F02F20C0-AE28-4216-8955-7E8D5915779E} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\vvurk\infg.exe  (child of taskeng.exe)
      command line: C:\ProgramData\vvurk\infg.exe start
      - Executes dropped EXE
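The behaviours in the Signatures list and the process tree above map onto a small correlation rule. The following is an added example and not part of this report: Python run over constructed telemetry lines in a hypothetical pipe-delimited "type|key=value" export format. The paths, domains, port and pids 960, 1216 and 1988 come from the report; the event schema, field names, and the pids 4120 and 2200 used for the negative cases are assumptions. It flags the .job write in C:\Windows\Tasks, a taskeng.exe child running from C:\ProgramData, and DNS queries for the extracted C2 domains, and it escalates an IP-lookup query only when the same process also resolves a C2 domain, because ip4.seeip.org and api.ipify.org are legitimate services that plenty of benign software contacts.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# IoCs taken from the report above; 4044 is the port in the extracted config.
C2_DOMAINS = {"advertrex20.xyz", "gentexman37.xyz"}
C2_PORT = 4044
# Legitimate services. A lookup on its own is weak evidence and is only
# escalated when the same process also resolves a C2 domain.
IP_LOOKUP_SERVICES = {"ip4.seeip.org", "api.ipify.org"}

JOB_FILE_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.IGNORECASE)
PROGRAMDATA_EXE_RE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed telemetry in a hypothetical "type|key=value|..." export format
# that mirrors the report's process tree and IoCs. Not real sensor output;
# pids 4120 and 2200 are invented negative cases.
EVENTS = r"""
file|pid=1988|action=created|path=C:\Windows\Tasks\infg.job
process|pid=960|parent_pid=1216|parent_image=C:\Windows\system32\taskeng.exe|image=C:\ProgramData\vvurk\infg.exe|cmdline=C:\ProgramData\vvurk\infg.exe start
dns|pid=960|query=api.ipify.org
dns|pid=960|query=advertrex20.xyz
dns|pid=960|query=gentexman37.xyz
dns|pid=4120|query=api.ipify.org
process|pid=2200|parent_pid=1216|parent_image=C:\Windows\system32\taskeng.exe|image=C:\Windows\System32\svchost.exe|cmdline=svchost.exe -k netsvcs
""".strip()


@dataclass
class Finding:
    severity: str
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """Split 'type|key=value|key=value' into a dict; only the first '=' of a field separates key from value."""
    kind, *fields = line.split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines):
    """Return findings for the .job persistence, the taskeng.exe launch chain and the DNS IoCs."""
    findings = []
    queried = defaultdict(set)  # pid -> categories seen in its DNS queries ("c2", "iplookup")
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        kind = ev["type"]
        if kind == "file" and JOB_FILE_RE.match(ev.get("path", "")):
            findings.append(Finding("medium", "job_file_in_windows_tasks",
                                    f"pid {ev['pid']} {ev.get('action', '?')} {ev['path']}"))
        elif kind == "process":
            parent = ev.get("parent_image", "").lower()
            # taskeng.exe runs scheduled-task actions; an action living under
            # C:\ProgramData is the interesting case, a System32 binary is not.
            if parent.endswith("\\taskeng.exe") and PROGRAMDATA_EXE_RE.match(ev.get("image", "")):
                findings.append(Finding("high", "taskeng_spawns_programdata_exe",
                                        f"taskeng.exe pid {ev.get('parent_pid')} -> pid {ev['pid']} {ev.get('cmdline')}"))
        elif kind == "dns":
            name = ev.get("query", "").lower().rstrip(".")
            if name in C2_DOMAINS:
                queried[ev["pid"]].add("c2")
                findings.append(Finding("critical", "systembc_c2_domain_dns",
                                        f"pid {ev['pid']} queried {name} (C2 port {C2_PORT})"))
            elif name in IP_LOOKUP_SERVICES:
                queried[ev["pid"]].add("iplookup")
                findings.append(Finding("low", "external_ip_lookup", f"pid {ev['pid']} queried {name}"))
    # Correlation: the IP lookup only matters when the same process also talks to C2.
    for pid, cats in sorted(queried.items()):
        if cats == {"c2", "iplookup"}:
            findings.append(Finding("high", "ip_lookup_then_c2_dns",
                                    f"pid {pid} resolved an IP-lookup service and a SystemBC C2 domain"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = detect(EVENTS.splitlines())
    for f in results:
        print(f"[{f.severity:8}] {f.rule}: {f.evidence}")
    print(summarize(results))
```

Run as a script it prints one line per finding; the svchost.exe child of taskeng.exe and the standalone ipify lookup from pid 4120 are deliberately left unflagged (the latter stays at low severity), which is the false-positive behaviour you want before pointing this at a fleet.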
Downloads

C:\ProgramData\vvurk\infg.exe
  Filesize: 86KB
  MD5: ee901758b646be29eec10374025e5aea
  SHA1: 5dce870f80a5a97d0a05df73696222b7c2a3d528
  SHA256: e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6
  SHA512: 9c7b1911e92395e41bd10a5138475063ff7675220fdb10722e35f830e2f132d97a9449dfb61547f7866a3a1a9e6cf3401b29359e982035ebb08345fd0303fc65
  All four hashes match the submitted sample: infg.exe is a byte-for-byte copy of it, so a hash-based block for the sample also covers the dropped file.
Memory dumps:
  memory/960-59-0x0000000000000000-mapping.dmp
  memory/960-63-0x0000000000360000-0x0000000000369000-memory.dmp   Filesize: 36KB
  memory/960-62-0x00000000030FB000-0x0000000003102000-memory.dmp   Filesize: 28KB
  memory/960-64-0x0000000000400000-0x0000000002FA1000-memory.dmp   Filesize: 43.6MB
  memory/1988-54-0x0000000076781000-0x0000000076783000-memory.dmp  Filesize: 8KB
  memory/1988-55-0x000000000026B000-0x0000000000272000-memory.dmp  Filesize: 28KB
  memory/1988-56-0x00000000001B0000-0x00000000001B9000-memory.dmp  Filesize: 36KB
  memory/1988-57-0x0000000000400000-0x0000000002FA1000-memory.dmp  Filesize: 43.6MB