Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 17:25

Static task: static1
Behavioral task: behavioral1
Sample: 98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
Resource: win7-20220414-en
General
- Target: 98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
- Size: 137KB
- MD5: c684031ab0b9aab1f82ec9cf2e52ae18
- SHA1: 18af53cd6dc37bd5b1963dcf0562d4b98f6aa466
- SHA256: 98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8
- SHA512: e78f5f8e917f3dd85e7cf2df43b2af4882118bd37cc04b56e660700011f1863c0580b4e6d797fee55fab2caeca55a92ba205da651707fa9b519a8e497fd156a5
Malware Config
Extracted: systembc
- admex175x.xyz:4044
- servx278x.xyz:4044
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 932  xckux.exe
  YARA rule matches:
  resource                        yara_rule
  C:\ProgramData\imll\xckux.exe   upx
  C:\ProgramData\imll\xckux.exe   upx
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow   ioc
  4      api.ipify.org
  5      api.ipify.org
  6      ip4.seeip.org
  7      ip4.seeip.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                    ioc                          process
  File created                   C:\Windows\Tasks\xckux.job   98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
  File opened for modification   C:\Windows\Tasks\xckux.job   98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid 784  98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process       target process
  PID 876 wrote to memory of 932    876   taskeng.exe   xckux.exe
  PID 876 wrote to memory of 932    876   taskeng.exe   xckux.exe
  PID 876 wrote to memory of 932    876   taskeng.exe   xckux.exe
  PID 876 wrote to memory of 932    876   taskeng.exe   xckux.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {BE1723DA-9D7F-4577-BEC0-5EC39B076573} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\imll\xckux.exe
    Command line: C:\ProgramData\imll\xckux.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\imll\xckux.exe
  Filesize: 137KB
  MD5: c684031ab0b9aab1f82ec9cf2e52ae18
  SHA1: 18af53cd6dc37bd5b1963dcf0562d4b98f6aa466
  SHA256: 98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8
  SHA512: e78f5f8e917f3dd85e7cf2df43b2af4882118bd37cc04b56e660700011f1863c0580b4e6d797fee55fab2caeca55a92ba205da651707fa9b519a8e497fd156a5
- memory/784-54-0x0000000075701000-0x0000000075703000-memory.dmp
  Filesize: 8KB
- memory/784-56-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB
- memory/784-55-0x0000000004EDA000-0x0000000004EE0000-memory.dmp
  Filesize: 24KB
- memory/784-57-0x0000000000400000-0x0000000004D7C000-memory.dmp
  Filesize: 73.5MB
- memory/932-59-0x0000000000000000-mapping.dmp
- memory/932-62-0x0000000004E4A000-0x0000000004E50000-memory.dmp
  Filesize: 24KB
- memory/932-63-0x0000000000400000-0x0000000004D7C000-memory.dmp
  Filesize: 73.5MB