Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 01:57
Static task: static1
Behavioral task: behavioral1
Sample: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
Resource: win7-20220414-en
General
- Target: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
- Size: 129KB
- MD5: 97df61f72744b694bc0ce16556510b83
- SHA1: b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c
- SHA256: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b
- SHA512: 610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486
Malware Config
Extracted family: systembc
- dasd13d.com:4035
- dasd13d.xyz:4035
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 1496 pvjcuvw.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow, ioc): 4 api.ipify.org; 5 api.ipify.org; 6 ip4.seeip.org; 7 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\Windows\Tasks\pvjcuvw.job by c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
  File opened for modification: C:\Windows\Tasks\pvjcuvw.job by c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process): 1668 c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 1500 (taskeng.exe) wrote to memory of PID 1496 (pvjcuvw.exe), recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {72214483-2411-4E30-9A20-CDA546606628} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\uxjukp\pvjcuvw.exe (depth 2)
    Command line: C:\ProgramData\uxjukp\pvjcuvw.exe start
    - Executes dropped EXE
Downloads
- C:\ProgramData\uxjukp\pvjcuvw.exe
  Filesize: 129KB
  MD5: 97df61f72744b694bc0ce16556510b83
  SHA1: b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c
  SHA256: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b
  SHA512: 610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486
- memory/1496-59-0x0000000000000000-mapping.dmp
- memory/1496-62-0x00000000009EB000-0x00000000009F2000-memory.dmp
  Filesize: 28KB
- memory/1496-63-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB
- memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
  Filesize: 8KB
- memory/1668-56-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
- memory/1668-55-0x0000000000AAB000-0x0000000000AB2000-memory.dmp
  Filesize: 28KB
- memory/1668-57-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB