Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 17:27
Static task: static1
Behavioral task: behavioral1
Sample: 8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe
Resource: win7-20220414-en
General
- Target: 8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe
- Size: 138KB
- MD5: 6349f47feb74e0574f263830bd2de0ee
- SHA1: dd9177300210b0647306b31329b2f760dc6e0c21
- SHA256: 8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76
- SHA512: 263aa7df76c5ea71d5716059e01e89e90b4deafb0937f9a84570b90d79c4929b6cca72c4c498494d03d98c01b11510ef7630f377226c1003cf8e9c81b574d026
Malware Config
Extracted
- Family: systembc
- C2: admex175x.xyz:4044
- C2: servx278x.xyz:4044
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    1784   wjeik.exe
- YARA rule matches (resource / yara_rule):
    resource                          yara_rule
    C:\ProgramData\npcisc\wjeik.exe   upx
    C:\ProgramData\npcisc\wjeik.exe   upx
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow   ioc
    7      ip4.seeip.org
    5      api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
    description                    ioc                          process
    File created                   C:\Windows\Tasks\wjeik.job   8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe
    File opened for modification   C:\Windows\Tasks\wjeik.job   8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid    process
    316    8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   process       target process
    PID 892 wrote to memory of 1784   892   taskeng.exe   wjeik.exe
    PID 892 wrote to memory of 1784   892   taskeng.exe   wjeik.exe
    PID 892 wrote to memory of 1784   892   taskeng.exe   wjeik.exe
    PID 892 wrote to memory of 1784   892   taskeng.exe   wjeik.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {1A39404E-E835-4B3F-AD2A-29422163EDD5} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\npcisc\wjeik.exe (level 2)
    Command line: C:\ProgramData\npcisc\wjeik.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\npcisc\wjeik.exe
  Filesize: 138KB
  MD5: 6349f47feb74e0574f263830bd2de0ee
  SHA1: dd9177300210b0647306b31329b2f760dc6e0c21
  SHA256: 8684ded985154dee21b01d6ffe6d8a0ded49fcaa3dcd23937374310d7cae6d76
  SHA512: 263aa7df76c5ea71d5716059e01e89e90b4deafb0937f9a84570b90d79c4929b6cca72c4c498494d03d98c01b11510ef7630f377226c1003cf8e9c81b574d026
- memory/316-54-0x00000000769D1000-0x00000000769D3000-memory.dmp
  Filesize: 8KB
- memory/316-55-0x0000000004F1A000-0x0000000004F20000-memory.dmp
  Filesize: 24KB
- memory/316-56-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB
- memory/316-57-0x0000000000400000-0x0000000004D7C000-memory.dmp
  Filesize: 73.5MB
- memory/1784-59-0x0000000000000000-mapping.dmp
- memory/1784-62-0x0000000004EAA000-0x0000000004EB0000-memory.dmp
  Filesize: 24KB
- memory/1784-63-0x0000000000400000-0x0000000004D7C000-memory.dmp
  Filesize: 73.5MB