Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-05-2022 14:52
Static task: static1
Behavioral task: behavioral1
- Sample: 38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc.exe
- Resource: win7-20220414-en
General
- Target: 38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc.exe
- Size: 107KB
- MD5: c76206e3213212b73b3efa6a51d9c1d6
- SHA1: 3ed40c6f3553b7f02ab984693258b6120577aa2d
- SHA256: 38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc
- SHA512: fc1826163547e7d3b907da45bca77e52df96a056fa99c7830c8663ffcb7720a7ec4481dec3baa965dfa6e0dfd914f1bb85d5b4680b1e8d2b0da0a6d0a45b0854
Malware Config
Extracted family: systembc
C2 servers:
- ok22asddvr.com:4035
- ok22asddvr.xyz:4035
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1368 plwdwh.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 5: api.ipify.org
  - flow 7: ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process: 38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc.exe
  - File created: C:\Windows\Tasks\plwdwh.job
  - File opened for modification: C:\Windows\Tasks\plwdwh.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 1492 38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1172 (taskeng.exe) wrote to the memory of PID 1368 (plwdwh.exe); recorded 4 times.
Processes
- C:\Users\Admin\AppData\Local\Temp\38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3497B7DC-88D3-4ED5-8835-C3CE5F0A3DE4} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\opvq\plwdwh.exe
    Command line: C:\ProgramData\opvq\plwdwh.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\opvq\plwdwh.exe
  Filesize: 107KB
  MD5: c76206e3213212b73b3efa6a51d9c1d6
  SHA1: 3ed40c6f3553b7f02ab984693258b6120577aa2d
  SHA256: 38916764de03427d1ef5b77729bd3486e8429fd7966cc306a79e5e5e248a36cc
  SHA512: fc1826163547e7d3b907da45bca77e52df96a056fa99c7830c8663ffcb7720a7ec4481dec3baa965dfa6e0dfd914f1bb85d5b4680b1e8d2b0da0a6d0a45b0854
Memory dumps:
- memory/1368-59-0x0000000000000000-mapping.dmp
- memory/1368-62-0x000000000061B000-0x0000000000622000-memory.dmp (Filesize: 28KB)
- memory/1368-63-0x0000000000400000-0x00000000004D5000-memory.dmp (Filesize: 852KB)
- memory/1492-54-0x0000000074C81000-0x0000000074C83000-memory.dmp (Filesize: 8KB)
- memory/1492-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1492-55-0x000000000093B000-0x0000000000942000-memory.dmp (Filesize: 28KB)
- memory/1492-57-0x0000000000400000-0x00000000004D5000-memory.dmp (Filesize: 852KB)