Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:55

Static task: static1
Behavioral task: behavioral1
Sample: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
Resource: win7-20220414-en
General
- Target: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
- Size: 87KB
- MD5: edeea6a91e82cf4da5cb8209580b4e74
- SHA1: 182c6cf748e0a1b5f4a12b9a761b3b6982017e6d
- SHA256: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2
- SHA512: 7530eb2471bb1c65612e7f16793942d7ca02e8b994f390341090eef129634ff604018fb0fe1abe5443d68a7f739719ba332a934e4a0fa7d0bcd8ef1094723226
Malware Config
Extracted: systembc
C2 servers:
- advertrex20.xyz:4044
- gentexman37.xyz:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoC)
  Processes: wfucon.exe (pid 1656)
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow: ioc): 5: api.ipify.org; 6: api.ipify.org; 7: ip4.seeip.org; 8: ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe: File created C:\Windows\Tasks\wfucon.job
  8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe: File opened for modification C:\Windows\Tasks\wfucon.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe (pid 1372)
- Suspicious use of WriteProcessMemory (4 IoCs)
  taskeng.exe (PID 240) wrote to memory of wfucon.exe (PID 1656), reported 4 times
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- (depth 1) C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {AE8AF0CC-B47D-4FF4-BD6D-141E6703D1A5} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - (depth 2, child of taskeng.exe) C:\ProgramData\ksih\wfucon.exe
    Command line: C:\ProgramData\ksih\wfucon.exe start
    - Executes dropped EXE
Downloads
- C:\ProgramData\ksih\wfucon.exe
  Filesize: 87KB
  MD5: edeea6a91e82cf4da5cb8209580b4e74
  SHA1: 182c6cf748e0a1b5f4a12b9a761b3b6982017e6d
  SHA256: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2
  SHA512: 7530eb2471bb1c65612e7f16793942d7ca02e8b994f390341090eef129634ff604018fb0fe1abe5443d68a7f739719ba332a934e4a0fa7d0bcd8ef1094723226
- memory/1372-54-0x0000000075B71000-0x0000000075B73000-memory.dmp (Filesize: 8KB)
- memory/1372-55-0x00000000030FB000-0x0000000003102000-memory.dmp (Filesize: 28KB)
- memory/1372-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1372-57-0x0000000000400000-0x0000000002FA1000-memory.dmp (Filesize: 43.6MB)
- memory/1656-59-0x0000000000000000-mapping.dmp
- memory/1656-62-0x00000000002CB000-0x00000000002D2000-memory.dmp (Filesize: 28KB)
- memory/1656-63-0x0000000000400000-0x0000000002FA1000-memory.dmp (Filesize: 43.6MB)