Analysis
- max time kernel: 201s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-04-2022 17:55
Static task: static1
Behavioral task: behavioral1
Sample: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
Resource: win7-20220414-en
General
- Target: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
- Size: 87KB
- MD5: edeea6a91e82cf4da5cb8209580b4e74
- SHA1: 182c6cf748e0a1b5f4a12b9a761b3b6982017e6d
- SHA256: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2
- SHA512: 7530eb2471bb1c65612e7f16793942d7ca02e8b994f390341090eef129634ff604018fb0fe1abe5443d68a7f739719ba332a934e4a0fa7d0bcd8ef1094723226
Malware Config
Extracted family: systembc
- advertrex20.xyz:4044
- gentexman37.xyz:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoC)
  Processes:
  pid 344: lstmoja.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
  flow 54: api.ipify.org
  flow 67: ip4.seeip.org
  flow 68: ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created: C:\Windows\Tasks\lstmoja.job (process 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe)
  File opened for modification: C:\Windows\Tasks\lstmoja.job (process 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid 2876: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
  pid 2876: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\ProgramData\fxnr\lstmoja.exe
  Command line: C:\ProgramData\fxnr\lstmoja.exe start
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\fxnr\lstmoja.exe
  Filesize: 87KB
  MD5: edeea6a91e82cf4da5cb8209580b4e74
  SHA1: 182c6cf748e0a1b5f4a12b9a761b3b6982017e6d
  SHA256: 8401fa8aa07c8cd1d4f46e41f70fd2db414f288db8c324ea61ea5dcd5c99b3c2
  SHA512: 7530eb2471bb1c65612e7f16793942d7ca02e8b994f390341090eef129634ff604018fb0fe1abe5443d68a7f739719ba332a934e4a0fa7d0bcd8ef1094723226
- memory/344-135-0x0000000003183000-0x0000000003189000-memory.dmp
  Filesize: 24KB
- memory/344-136-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB
- memory/2876-130-0x00000000030C8000-0x00000000030CF000-memory.dmp
  Filesize: 28KB
- memory/2876-131-0x0000000003070000-0x0000000003079000-memory.dmp
  Filesize: 36KB
- memory/2876-132-0x0000000000400000-0x0000000002FA1000-memory.dmp
  Filesize: 43.6MB