Analysis
  max time kernel:   160s
  max time network:  180s
  platform:          windows7_x64
  resource:          win7-20220414-en
  submitted:         08-05-2022 03:08

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
  Resource:          win7-20220414-en
General
  Target:  e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
  Size:    217KB
  MD5:     790578f36d82b60747161ce1c95d320f
  SHA1:    99de20939bb24d34d2274c7e7960a5b610e8e546
  SHA256:  e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e
  SHA512:  fc665610b537fd6fa30debaa3e821ca50edcc89e03a120163f0f9160cf5e36d64a4aefe19d6577c1396c78e2cf5327f2f853b06a1b82314e1e9904f1e06be1d7
Malware Config
  Extracted: systembc
    asdasd05.com:4035
    asdasd05.xyz:4035
Signatures

  Executes dropped EXE (1 IoC)
    Processes:
      pid   process
      1216  gpshkdg.exe

  Looks up external IP address via web service (4 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      flow  ioc
      5     api.ipify.org
      6     api.ipify.org
      7     ip4.seeip.org
      8     ip4.seeip.org

  Uses Tor communications (1 TTP)
    Malware can proxy its traffic through Tor for more anonymity.

  Drops file in Windows directory (2 IoCs)
    Processes: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
      description                   ioc                           process
      File created                  C:\Windows\Tasks\gpshkdg.job  e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
      File opened for modification  C:\Windows\Tasks\gpshkdg.job  e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    Processes:
      pid   process
      1980  e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    Processes: taskeng.exe
      description                       pid   process      target process
      PID 1328 wrote to memory of 1216  1328  taskeng.exe  gpshkdg.exe
      PID 1328 wrote to memory of 1216  1328  taskeng.exe  gpshkdg.exe
      PID 1328 wrote to memory of 1216  1328  taskeng.exe  gpshkdg.exe
      PID 1328 wrote to memory of 1216  1328  taskeng.exe  gpshkdg.exe
Processes (tree; indentation shows parent/child)

  C:\Users\Admin\AppData\Local\Temp\e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {99DBD146-ECF4-4F4E-BA98-38228E1C5097} S-1-5-18:NT AUTHORITY\System:Service:
      - Suspicious use of WriteProcessMemory

    C:\ProgramData\hbukj\gpshkdg.exe
      command line: C:\ProgramData\hbukj\gpshkdg.exe start
        - Executes dropped EXE
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  C:\ProgramData\hbukj\gpshkdg.exe
    Filesize:  217KB
    MD5:       790578f36d82b60747161ce1c95d320f
    SHA1:      99de20939bb24d34d2274c7e7960a5b610e8e546
    SHA256:    e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e
    SHA512:    fc665610b537fd6fa30debaa3e821ca50edcc89e03a120163f0f9160cf5e36d64a4aefe19d6577c1396c78e2cf5327f2f853b06a1b82314e1e9904f1e06be1d7
  memory/1216-59-0x0000000000000000-mapping.dmp

  memory/1216-62-0x0000000000DFA000-0x0000000000E00000-memory.dmp
    Filesize:  24KB

  memory/1216-63-0x0000000000020000-0x0000000000029000-memory.dmp
    Filesize:  36KB

  memory/1216-64-0x0000000000400000-0x0000000000C11000-memory.dmp
    Filesize:  8.1MB

  memory/1980-54-0x00000000756A1000-0x00000000756A3000-memory.dmp
    Filesize:  8KB

  memory/1980-56-0x0000000000020000-0x0000000000029000-memory.dmp
    Filesize:  36KB

  memory/1980-55-0x0000000000D1A000-0x0000000000D20000-memory.dmp
    Filesize:  24KB

  memory/1980-57-0x0000000000400000-0x0000000000C11000-memory.dmp
    Filesize:  8.1MB