Analysis
- max time kernel: 201s
- max time network: 208s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 17:55

Static task: static1
Behavioral task: behavioral1
- Sample: 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe
- Resource: win7-20220414-en
General
- Target: 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe
- Size: 89KB
- MD5: 754f68fbcd88c48a9c689632b66967c4
- SHA1: fc20fe331d1699145df56ec11a95cb6d7f72279f
- SHA256: 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c
- SHA512: 0b7e83826ec8a7599fd876590e8c096f71a034d56e34d138c4d29ac3bf8c512aecacebdd64a47ce5bf449a27802cf915a5a6a8ae251eb66a7262df1065a0f839
Malware Config
Extracted
- Family: systembc
- C2: advertrex20.xyz:4044
- C2: gentexman37.xyz:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query (2 alerts)
- Executes dropped EXE (1 IoC)
  Processes: PID 1164 busfmr.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 5 api.ipify.org; flow 6 api.ipify.org; flow 7 ip4.seeip.org; flow 8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\busfmr.job by 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe
  File opened for modification: C:\Windows\Tasks\busfmr.job by 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 688 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1816 taskeng.exe wrote to memory of PID 1164 busfmr.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe (PID 688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 1816)
  Command line: taskeng.exe {F007ED0F-F347-4C9B-A40B-ADE139D0B17B} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\jrvs\busfmr.exe (PID 1164, child of taskeng.exe)
    Command line: C:\ProgramData\jrvs\busfmr.exe start
    - Executes dropped EXE

Note that the dropped copy is not a child of the submitted sample: it is started by the Task Scheduler engine (taskeng.exe, running as NT AUTHORITY\SYSTEM) through the busfmr.job file the sample wrote to C:\Windows\Tasks, so the persistence does not depend on the original process staying alive.
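The chain in the Signatures and Processes sections (the sample drops a copy of itself to C:\ProgramData\jrvs\busfmr.exe and a busfmr.job task file, taskeng.exe later starts the copy, which resolves the C2 domains and queries public IP-lookup services) is what a detection rule should key on. The Python below is an added example, not code from the report or from the sandbox: it runs that logic over constructed event records. The indicator values (domains, port, paths, hashes, PIDs) are taken from the report; the event schema, the explorer.exe parent, the benign control events and the net_connect to port 4044 are assumptions.

```python
"""Detection logic for the SystemBC persistence and beacon chain in this report.

Added example, not part of the sandbox report. It runs over a few constructed
log records (shaped like Sysmon/EDR events, not real telemetry) and flags the
behaviours the report lists. Indicator values are taken from the report; the
event schema and the sample records are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the report
SAMPLE_SHA256 = "6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c"
C2_DOMAINS = {"advertrex20.xyz", "gentexman37.xyz"}
C2_PORT = 4044
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}

# Legacy Task Scheduler job files; on Windows 7 taskeng.exe runs them
JOB_PATH = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.IGNORECASE)
# An EXE one directory below C:\ProgramData (the report's C:\ProgramData\jrvs\busfmr.exe)
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    evidence: str


def analyze(events: List[dict]) -> List[Finding]:
    """One pass over chronologically ordered events, remembering each PID's image hash."""
    image_hash: Dict[int, str] = {}
    findings: List[Finding] = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            image_hash[pid] = ev["sha256"]
            parent = ntpath.basename(ev["parent_image"]).lower()
            if parent == "taskeng.exe" and PROGRAMDATA_EXE.match(ev["image"]):
                findings.append(Finding("taskeng_launches_programdata_exe", pid, ev["cmdline"]))
        elif kind == "file_create":
            path = ev["path"]
            if JOB_PATH.match(path):
                findings.append(Finding("task_job_persistence", pid, path))
            elif PROGRAMDATA_EXE.match(path) and ev.get("sha256") == image_hash.get(pid):
                # The writing process dropped a byte-identical copy of its own image
                findings.append(Finding("self_copy_to_programdata", pid, path))
        elif kind == "dns_query":
            name = ev["query"].lower().rstrip(".")
            if name in C2_DOMAINS:
                findings.append(Finding("systembc_c2_dns", pid, name))
            elif name in IP_LOOKUP_HOSTS:
                findings.append(Finding("external_ip_lookup", pid, name))
        elif kind == "net_connect":
            host = ev["dst_host"].lower()
            if host in C2_DOMAINS:
                findings.append(Finding("systembc_c2_connect", pid, f"{host}:{ev['dst_port']}"))
            elif host in IP_LOOKUP_HOSTS:
                findings.append(Finding("external_ip_lookup", pid, host))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c.exe"
DROPPED_EXE = r"C:\ProgramData\jrvs\busfmr.exe"

# Constructed events modelled on the report's process tree and signatures (not real telemetry).
# The explorer.exe parent, the benign control events and the port-4044 connect are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 688, "parent_image": r"C:\Windows\explorer.exe",
     "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"', "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 688, "path": DROPPED_EXE, "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 688, "path": r"C:\Windows\Tasks\busfmr.job"},
    {"type": "file_create", "pid": 688, "path": r"C:\ProgramData\Microsoft\update.exe",
     "sha256": "0" * 64},  # different hash: must not count as a self-copy
    {"type": "process_create", "pid": 1164, "parent_image": r"C:\Windows\system32\taskeng.exe",
     "image": DROPPED_EXE, "cmdline": DROPPED_EXE + " start", "sha256": SAMPLE_SHA256},
    {"type": "dns_query", "pid": 1164, "query": "advertrex20.xyz"},
    {"type": "dns_query", "pid": 1164, "query": "gentexman37.xyz"},
    {"type": "dns_query", "pid": 1164, "query": "api.ipify.org"},
    {"type": "dns_query", "pid": 1164, "query": "www.microsoft.com"},  # benign, must not fire
    {"type": "net_connect", "pid": 1164, "dst_host": "ip4.seeip.org", "dst_port": 443},
    {"type": "net_connect", "pid": 1164, "dst_host": "advertrex20.xyz", "dst_port": C2_PORT},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.rule}] pid={finding.pid} {finding.evidence}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

The self-copy rule deliberately keys on the dropped file carrying the same SHA256 as the writing process's image, which is exactly what the report's Downloads section shows for busfmr.exe; a plain "EXE written under C:\ProgramData" rule would also fire on legitimate installers. The taskeng.exe parent check is specific to Windows 7 era Task Scheduler; on current Windows the equivalent parent is svchost.exe hosting the Schedule service, so that part of the rule needs adjusting per platform.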
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\jrvs\busfmr.exe
  Filesize: 89KB
  MD5: 754f68fbcd88c48a9c689632b66967c4
  SHA1: fc20fe331d1699145df56ec11a95cb6d7f72279f
  SHA256: 6bc401f2d24746bb192fb23fcaf705b94b7f6742b9d651266345bbab434e351c
  SHA512: 0b7e83826ec8a7599fd876590e8c096f71a034d56e34d138c4d29ac3bf8c512aecacebdd64a47ce5bf449a27802cf915a5a6a8ae251eb66a7262df1065a0f839
  All four hashes match the submitted sample, so the dropped file is a byte-for-byte copy of the original executable rather than a second-stage payload.
- memory/688-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp: 8KB
- memory/688-55-0x000000000319B000-0x00000000031A2000-memory.dmp: 28KB
- memory/688-56-0x0000000000220000-0x0000000000229000-memory.dmp: 36KB
- memory/688-57-0x0000000000400000-0x0000000002FA2000-memory.dmp: 43.6MB
- memory/1164-59-0x0000000000000000-mapping.dmp
- memory/1164-62-0x00000000030CB000-0x00000000030D2000-memory.dmp: 28KB
- memory/1164-63-0x0000000000400000-0x0000000002FA2000-memory.dmp: 43.6MB