Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 02:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
- Resource: win7-20220414-en
General
- Target: b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
- Size: 121KB
- MD5: e60119dd588f168109ae6d25a187202d
- SHA1: 0b3cde408aa8eea80fbf9a8868a6cd194dc2b022
- SHA256: b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825
- SHA512: 731ed02e9cb967bca1cddf93251ee607d499912df7dfbdf6720faa7339ea25674828d846052852b95bd4f4e8f1a7e287aa2883addd4eb6f1aaf75b13f59b9eac
Malware Config
Extracted: systembc
- sdadvert197.com:4044
- mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query (fired twice)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1144 ubaph.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 7 ip4.seeip.org
  - 4 api.ipify.org
  - 5 api.ipify.org
  - 6 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Windows\Tasks\ubaph.job, by b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
  - File opened for modification: C:\Windows\Tasks\ubaph.job, by b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 536 b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 952 wrote to memory of 1144: taskeng.exe -> ubaph.exe (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {E6915D9F-9E1E-4F33-8D26-7856677247E2} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\rigd\ubaph.exe (depth 2, child of taskeng.exe)
    Command line: C:\ProgramData\rigd\ubaph.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\rigd\ubaph.exe
  Filesize: 121KB
  MD5: e60119dd588f168109ae6d25a187202d
  SHA1: 0b3cde408aa8eea80fbf9a8868a6cd194dc2b022
  SHA256: b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825
  SHA512: 731ed02e9cb967bca1cddf93251ee607d499912df7dfbdf6720faa7339ea25674828d846052852b95bd4f4e8f1a7e287aa2883addd4eb6f1aaf75b13f59b9eac
- memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB
- memory/536-56-0x00000000003B0000-0x00000000003B9000-memory.dmp
  Filesize: 36KB
- memory/536-55-0x000000000365B000-0x0000000003662000-memory.dmp
  Filesize: 28KB
- memory/536-57-0x0000000000400000-0x00000000031D1000-memory.dmp
  Filesize: 45.8MB
- memory/1144-59-0x0000000000000000-mapping.dmp
- memory/1144-62-0x000000000335B000-0x0000000003362000-memory.dmp
  Filesize: 28KB
- memory/1144-63-0x0000000000400000-0x00000000031D1000-memory.dmp
  Filesize: 45.8MB