Analysis
- max time kernel: 172s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 01:57
Static task: static1
Behavioral task: behavioral1
  Sample: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
  Resource: win7-20220414-en
General
- Target: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
- Size: 129KB
- MD5: 97df61f72744b694bc0ce16556510b83
- SHA1: b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c
- SHA256: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b
- SHA512: 610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486
Malware Config
Extracted
- Family: systembc
- C2: dasd13d.com:4035
- C2: dasd13d.xyz:4035
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 408: dajc.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 39: api.ipify.org
    flow 42: api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\Windows\Tasks\dajc.job (by c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe)
    File opened for modification: C:\Windows\Tasks\dajc.job (by c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe)
- Program crash (1 IoCs)
  Processes:
    pid 1216: WerFault.exe (target pid 4808: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 4808: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
    pid 4808: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 480
    - Program crash
- C:\ProgramData\enwudc\dajc.exe
  Command line: C:\ProgramData\enwudc\dajc.exe start
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4808 -ip 4808
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\enwudc\dajc.exe
  Filesize: 129KB
  MD5: 97df61f72744b694bc0ce16556510b83
  SHA1: b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c
  SHA256: c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b
  SHA512: 610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486
- memory/408-136-0x0000000000990000-0x0000000000A90000-memory.dmp
  Filesize: 1024KB
- memory/408-137-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB
- memory/4808-130-0x0000000000AE8000-0x0000000000AEF000-memory.dmp
  Filesize: 28KB
- memory/4808-131-0x0000000000930000-0x0000000000939000-memory.dmp
  Filesize: 36KB
- memory/4808-132-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB