Analysis
-
max time kernel
158s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27-04-2022 17:55
Static task
static1
Behavioral task
behavioral1
Sample
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Resource
win7-20220414-en
General
-
Target
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
-
Size
87KB
-
MD5
6852984ac451a05e24c746a7beae2f7e
-
SHA1
647d364e9c10453271d21d4de892ccdbc1ec938e
-
SHA256
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
-
SHA512
c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
Malware Config
Extracted
systembc
asdasd08.com:4039
asdasd08.xyz:4039
Signatures
-
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
-
Executes dropped EXE 1 IoCs
Processes:
rihv.exepid process 2612 rihv.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 71 api.ipify.org 72 api.ipify.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in Windows directory 2 IoCs
Processes:
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exedescription ioc process File created C:\Windows\Tasks\rihv.job da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe File opened for modification C:\Windows\Tasks\rihv.job da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4028 4360 WerFault.exe da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exepid process 4360 da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe 4360 da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 9482⤵
- Program crash
-
C:\ProgramData\wrfhdxg\rihv.exeC:\ProgramData\wrfhdxg\rihv.exe start1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4360 -ip 43601⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\wrfhdxg\rihv.exeFilesize
87KB
MD56852984ac451a05e24c746a7beae2f7e
SHA1647d364e9c10453271d21d4de892ccdbc1ec938e
SHA256da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
SHA512c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
-
C:\ProgramData\wrfhdxg\rihv.exeFilesize
87KB
MD56852984ac451a05e24c746a7beae2f7e
SHA1647d364e9c10453271d21d4de892ccdbc1ec938e
SHA256da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
SHA512c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220
-
memory/2612-135-0x0000000003082000-0x0000000003089000-memory.dmpFilesize
28KB
-
memory/2612-136-0x0000000000400000-0x0000000002FA1000-memory.dmpFilesize
43.6MB
-
memory/4360-130-0x00000000032B8000-0x00000000032BF000-memory.dmpFilesize
28KB
-
memory/4360-131-0x0000000003200000-0x0000000003209000-memory.dmpFilesize
36KB
-
memory/4360-132-0x0000000000400000-0x0000000002FA1000-memory.dmpFilesize
43.6MB