Analysis
-
max time kernel
158s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27-04-2022 17:55
Static task
static1
Behavioral task
behavioral1
Sample
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Resource
win7-20220414-en
General
-
Target
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
-
Size
87KB
-
MD5
6852984ac451a05e24c746a7beae2f7e
-
SHA1
647d364e9c10453271d21d4de892ccdbc1ec938e
-
SHA256
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
-
SHA512
c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
Malware Config
Extracted
Family |
systembc |
C2 |
asdasd08.com:4039 asdasd08.xyz:4039 |
Signatures
-
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
-
Executes dropped EXE ⋅ 1 IoCs
Processes:
rihv.exepid process 2612 rihv.exe -
Looks up external IP address via web service ⋅ 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 71 api.ipify.org 72 api.ipify.org -
Uses Tor communications ⋅ 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
TTPs:
-
Drops file in Windows directory ⋅ 2 IoCs
Processes:
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exedescription ioc process File created C:\Windows\Tasks\rihv.job da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe File opened for modification C:\Windows\Tasks\rihv.job da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe -
Program crash ⋅ 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4028 4360 WerFault.exe da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe -
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
Processes:
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exepid process 4360 da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe 4360 da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"Drops file in Windows directorySuspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 948Program crash
-
C:\ProgramData\wrfhdxg\rihv.exeC:\ProgramData\wrfhdxg\rihv.exe startExecutes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4360 -ip 4360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\ProgramData\wrfhdxg\rihv.exeMD5
6852984ac451a05e24c746a7beae2f7e
SHA1647d364e9c10453271d21d4de892ccdbc1ec938e
SHA256da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
SHA512c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
-
C:\ProgramData\wrfhdxg\rihv.exeMD5
6852984ac451a05e24c746a7beae2f7e
SHA1647d364e9c10453271d21d4de892ccdbc1ec938e
SHA256da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
SHA512c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
-
memory/2612-135-0x0000000003082000-0x0000000003089000-memory.dmp
-
memory/2612-136-0x0000000000400000-0x0000000002FA1000-memory.dmp
-
memory/4360-130-0x00000000032B8000-0x00000000032BF000-memory.dmp
-
memory/4360-131-0x0000000003200000-0x0000000003209000-memory.dmp
-
memory/4360-132-0x0000000000400000-0x0000000002FA1000-memory.dmp