Analysis
- max time kernel: 153s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:55
Static task: static1
Behavioral task: behavioral1
Sample: da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Resource: win7-20220414-en
General
- Target: da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
- Size: 87KB
- MD5: 6852984ac451a05e24c746a7beae2f7e
- SHA1: 647d364e9c10453271d21d4de892ccdbc1ec938e
- SHA256: da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
- SHA512: c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
Malware Config
Extracted
- Family: systembc
- C2: asdasd08.com:4039, asdasd08.xyz:4039
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE ⋅ 1 IoCs
  Processes: eeposr.exe
  pid  process
  852  eeposr.exe
- Looks up external IP address via web service ⋅ 4 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  4     api.ipify.org
  5     api.ipify.org
  6     ip4.seeip.org
  7     ip4.seeip.org
- Uses Tor communications ⋅ 1 TTPs
  Malware can proxy its traffic through Tor for more anonymity.
  TTPs:
- Drops file in Windows directory ⋅ 2 IoCs
  Processes: da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  description                  ioc                           process
  File created                 C:\Windows\Tasks\eeposr.job   da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  File opened for modification C:\Windows\Tasks\eeposr.job   da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
- Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  Processes: da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  pid   process
  1948  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
- Suspicious use of WriteProcessMemory ⋅ 4 IoCs
  Processes: taskeng.exe
  description                          pid   process      target process
  PID 1488 wrote to memory of 852      1488  taskeng.exe  eeposr.exe
  PID 1488 wrote to memory of 852      1488  taskeng.exe  eeposr.exe
  PID 1488 wrote to memory of 852      1488  taskeng.exe  eeposr.exe
  PID 1488 wrote to memory of 852      1488  taskeng.exe  eeposr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C294F48A-372D-4401-BEF0-1B656F7C7BB5} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
- C:\ProgramData\rhjnko\eeposr.exe
  Command line: C:\ProgramData\rhjnko\eeposr.exe start
  Signatures: Executes dropped EXE
Downloads
- C:\ProgramData\rhjnko\eeposr.exe
  MD5: 6852984ac451a05e24c746a7beae2f7e
  SHA1: 647d364e9c10453271d21d4de892ccdbc1ec938e
  SHA256: da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
  SHA512: c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
- memory/852-59-0x0000000000000000-mapping.dmp
- memory/852-62-0x00000000030DB000-0x00000000030E2000-memory.dmp
- memory/852-63-0x0000000000400000-0x0000000002FA1000-memory.dmp
- memory/1948-54-0x0000000076571000-0x0000000076573000-memory.dmp
- memory/1948-56-0x0000000000230000-0x0000000000239000-memory.dmp
- memory/1948-55-0x000000000317B000-0x0000000003182000-memory.dmp
- memory/1948-57-0x0000000000400000-0x0000000002FA1000-memory.dmp