Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-04-2022 18:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
- Resource: win7-20220414-en
General
- Target: efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
- Size: 218KB
- MD5: f8a0cd4e6952e95016502054cc56454f
- SHA1: 7470a9b6949954168867e4f7dcc3b36cd8dbc0f2
- SHA256: efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b
- SHA512: 9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064
Malware Config
Extracted family: systembc
- C2 host: sdadvert197.com:4044
- C2 host: mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoC)
  Processes: pid 1352, djlviu.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 5 api.ipify.org; 6 api.ipify.org; 7 ip4.seeip.org; 8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe: file created C:\Windows\Tasks\djlviu.job
  Process efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe: file opened for modification C:\Windows\Tasks\djlviu.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: pid 1796, efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  taskeng.exe (PID 1956) wrote to memory of PID 1352 djlviu.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {78D838C6-CEFE-451B-AA36-E0D66E350F17} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\bbxrevp\djlviu.exe (child of taskeng.exe)
    Command line: C:\ProgramData\bbxrevp\djlviu.exe start
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\bbxrevp\djlviu.exe
  Filesize: 218KB
  MD5: f8a0cd4e6952e95016502054cc56454f
  SHA1: 7470a9b6949954168867e4f7dcc3b36cd8dbc0f2
  SHA256: efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b
  SHA512: 9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064
- memory/1352-59-0x0000000000000000-mapping.dmp
- memory/1352-62-0x000000000088B000-0x0000000000892000-memory.dmp (Filesize: 28KB)
- memory/1352-63-0x0000000000400000-0x0000000000708000-memory.dmp (Filesize: 3.0MB)
- memory/1796-54-0x0000000075951000-0x0000000075953000-memory.dmp (Filesize: 8KB)
- memory/1796-55-0x000000000087C000-0x0000000000882000-memory.dmp (Filesize: 24KB)
- memory/1796-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1796-57-0x0000000000400000-0x0000000000708000-memory.dmp (Filesize: 3.0MB)