Analysis
max time kernel: 152s
max time network: 157s
platform: windows7_x64
resource: win7-20220414-en
submitted: 02-05-2022 01:29
Static task: static1
Behavioral task: behavioral1
Sample: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe
Resource: win7-20220414-en
General
Target: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe
Size: 122KB
MD5: 2085da3926285d53a13b68175bdf2ccb
SHA1: 0853c04cd6646e3a33145d240290298a89eb3828
SHA256: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86
SHA512: 7d13b931cfed63123107abc0a0ab5c6f3a616c5b22194bfb64e3b5035e94ee0b3a855f1a113eb4b214e0ebf9d328a54f11a855c0a7a897079e098b8c842ada24
Malware Config
Extracted family: systembc
dasd13d.com:4035
dasd13d.xyz:4035
Signatures

Executes dropped EXE (1 IoC)
Processes:
pid 852 hkoerj.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     api.ipify.org
5     api.ipify.org
6     ip4.seeip.org
7     ip4.seeip.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
File created: C:\Windows\Tasks\hkoerj.job (by cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe)
File opened for modification: C:\Windows\Tasks\hkoerj.job (by cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid 1096 cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 1772 (taskeng.exe) wrote to memory of PID 852 (hkoerj.exe)
PID 1772 (taskeng.exe) wrote to memory of PID 852 (hkoerj.exe)
PID 1772 (taskeng.exe) wrote to memory of PID 852 (hkoerj.exe)
PID 1772 (taskeng.exe) wrote to memory of PID 852 (hkoerj.exe)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {0AB8F117-31B7-4853-B9CA-CF9BC1E5DE28} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory

    [2] C:\ProgramData\jlpakse\hkoerj.exe
        Command line: C:\ProgramData\jlpakse\hkoerj.exe start
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\ProgramData\jlpakse\hkoerj.exe (same hashes as the submitted sample)
Filesize: 122KB
MD5: 2085da3926285d53a13b68175bdf2ccb
SHA1: 0853c04cd6646e3a33145d240290298a89eb3828
SHA256: cfdcc3ea8f9cd2cf619e755da0d07d1501afaec23bc9f5d2ecc195625172ad86
SHA512: 7d13b931cfed63123107abc0a0ab5c6f3a616c5b22194bfb64e3b5035e94ee0b3a855f1a113eb4b214e0ebf9d328a54f11a855c0a7a897079e098b8c842ada24
Memory dumps
memory/852-59-0x0000000000000000-mapping.dmp
memory/852-62-0x0000000000A0B000-0x0000000000A12000-memory.dmp  Filesize: 28KB
memory/852-63-0x0000000000400000-0x00000000008BC000-memory.dmp  Filesize: 4.7MB
memory/1096-54-0x00000000768D1000-0x00000000768D3000-memory.dmp  Filesize: 8KB
memory/1096-55-0x0000000000AAB000-0x0000000000AB2000-memory.dmp  Filesize: 28KB
memory/1096-56-0x0000000000220000-0x0000000000229000-memory.dmp  Filesize: 36KB
memory/1096-57-0x0000000000400000-0x00000000008BC000-memory.dmp  Filesize: 4.7MB