Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 07:45

Static task: static1
Behavioral task: behavioral1
Sample: 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe
Resource: win7-20220414-en
General
- Target: 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe
- Size: 128KB
- MD5: 8b462afe450df7f333a7da76f731cb62
- SHA1: 73e532ebfbd033039575b5457ac7023f920741fe
- SHA256: 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db
- SHA512: 2c4029871f2efa811b4cf17e1b55e273254716c01302de5f1489ec9ecc1342b58de929fac043f4f3b6720c1170c59e549540e626d46087bc687991b98256c3cd
Malware Config
Extracted: systembc
- sdadvert197.com:4044
- mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 856: otsuek.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow: ioc):
  4: api.ipify.org
  5: api.ipify.org
  6: ip4.seeip.org
  7: ip4.seeip.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\Tasks\otsuek.job | 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe
  File opened for modification | C:\Windows\Tasks\otsuek.job | 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid 1660: 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target pid | target process):
  PID 1724 wrote to memory of 856 | 1724 | taskeng.exe | 856 | otsuek.exe
  PID 1724 wrote to memory of 856 | 1724 | taskeng.exe | 856 | otsuek.exe
  PID 1724 wrote to memory of 856 | 1724 | taskeng.exe | 856 | otsuek.exe
  PID 1724 wrote to memory of 856 | 1724 | taskeng.exe | 856 | otsuek.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A7F3301D-B96D-46A3-A588-B033ADA06137} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\hdswux\otsuek.exe (child process)
    Command line: C:\ProgramData\hdswux\otsuek.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\hdswux\otsuek.exe
  Filesize: 128KB
  MD5: 8b462afe450df7f333a7da76f731cb62
  SHA1: 73e532ebfbd033039575b5457ac7023f920741fe
  SHA256: 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db
  SHA512: 2c4029871f2efa811b4cf17e1b55e273254716c01302de5f1489ec9ecc1342b58de929fac043f4f3b6720c1170c59e549540e626d46087bc687991b98256c3cd
- C:\ProgramData\hdswux\otsuek.exe
  Filesize: 128KB
  MD5: 8b462afe450df7f333a7da76f731cb62
  SHA1: 73e532ebfbd033039575b5457ac7023f920741fe
  SHA256: 5e27c0fcfbf3bbabdcac743b1d948f88560cbe30ffb8f45beb062d555fd7c3db
  SHA512: 2c4029871f2efa811b4cf17e1b55e273254716c01302de5f1489ec9ecc1342b58de929fac043f4f3b6720c1170c59e549540e626d46087bc687991b98256c3cd
- memory/856-59-0x0000000000000000-mapping.dmp
- memory/856-62-0x00000000030AB000-0x00000000030B1000-memory.dmp
  Filesize: 24KB
- memory/856-63-0x0000000000400000-0x0000000002FAB000-memory.dmp
  Filesize: 43.7MB
- memory/1660-54-0x0000000076421000-0x0000000076423000-memory.dmp
  Filesize: 8KB
- memory/1660-56-0x00000000001B0000-0x00000000001B9000-memory.dmp
  Filesize: 36KB
- memory/1660-55-0x00000000002CB000-0x00000000002D2000-memory.dmp
  Filesize: 28KB
- memory/1660-57-0x0000000000400000-0x0000000002FAB000-memory.dmp
  Filesize: 43.7MB