Analysis

Max time kernel: 189s
Max time network: 202s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 08-05-2022 03:08

Static task: static1
Behavioral task: behavioral1
  Sample: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
  Resource: win7-20220414-en
General

Target: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
Size: 217KB
MD5: 790578f36d82b60747161ce1c95d320f
SHA1: 99de20939bb24d34d2274c7e7960a5b610e8e546
SHA256: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e
SHA512: fc665610b537fd6fa30debaa3e821ca50edcc89e03a120163f0f9160cf5e36d64a4aefe19d6577c1396c78e2cf5327f2f853b06a1b82314e1e9904f1e06be1d7
Malware Config

Extracted configuration, family: systembc (host:port)
  asdasd05.com:4035
  asdasd05.xyz:4035
Signatures

Executes dropped EXE (1 IoC)
  Process: xogod.exe (PID 112)

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 49: api.ipify.org
  Flow 50: api.ipify.org

Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
  This is a TTP-level tag; the report lists no process or network IoC for it.

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\xogod.job, by e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
  File opened for modification: C:\Windows\Tasks\xogod.job, by e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe

Program crash (1 IoC)
  WerFault.exe (PID 4476), target process: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe (PID 4216)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe (PID 4216), two occurrences
Processes

(Indentation follows the tree depth given in the report: 1 = top-level, 2 = child.)

1. C:\Users\Admin\AppData\Local\Temp\e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 488
      - Program crash

1. C:\ProgramData\vxvx\xogod.exe
   Command line: C:\ProgramData\vxvx\xogod.exe start
   - Executes dropped EXE

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4216 -ip 4216
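To turn the indicators in this report into something a responder can run, here is an added example (not part of the report and not the sandbox's own tooling): a Python sweep that matches event lines against the file hashes, the dropped paths under C:\ProgramData\vxvx\ and C:\Windows\Tasks\, and the hosts from the extracted systembc configuration. The key=value event format, the host names WS01 to WS03 and the event lines themselves are constructed for the example. api.ipify.org is scored low on purpose: it is a legitimate service, so a lookup there corroborates but never confirms.

```python
"""
IOC sweep built from the report above (added example; not part of the report).
Event lines are a constructed key=value format; hosts WS01..WS03 are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators taken from the report.
SAMPLE_HASHES = {
    "md5": "790578f36d82b60747161ce1c95d320f",
    "sha1": "99de20939bb24d34d2274c7e7960a5b610e8e546",
    "sha256": "e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e",
}
C2_HOSTS = {"asdasd05.com", "asdasd05.xyz"}          # extracted systembc config, port 4035
ARTIFACT_PATHS = (
    r"c:\programdata\vxvx\xogod.exe",                  # dropped copy of the sample
    r"c:\windows\tasks\xogod.job",                     # job file written under C:\Windows\Tasks
)
# api.ipify.org is a legitimate service used by plenty of benign software,
# so a lookup there is only corroborating evidence, never a verdict on its own.
IP_LOOKUP_HOSTS = {"api.ipify.org"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    severity: str   # "high": specific to this sample; "low": corroborating only
    reason: str


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line (values may be double-quoted) into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Match each event against the report's IOCs and return every hit."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        host = ev.get("host", "?")

        # 1. File-hash match on any hash field the event carries.
        for algo, digest in SAMPLE_HASHES.items():
            if ev.get(algo, "").lower() == digest:
                hits.append(Hit(n, host, "high", f"{algo} matches the sample"))

        # 2. Dropped binary or job file named in a path, image or command line.
        text = " ".join(ev.get(f, "") for f in ("path", "image", "cmdline")).lower()
        for artifact in ARTIFACT_PATHS:
            if artifact in text:
                hits.append(Hit(n, host, "high", f"references {artifact}"))

        # 3. DNS query or connection to a configured host; the port, when logged,
        #    is kept in the reason so the analyst can compare it with 4035.
        name = (ev.get("query") or ev.get("hostname") or "").lower()
        if name in C2_HOSTS:
            port = ev.get("port")
            reason = f"contact with configured host {name}" + (f":{port}" if port else "")
            hits.append(Hit(n, host, "high", reason))
        elif name in IP_LOOKUP_HOSTS:
            hits.append(Hit(n, host, "low", f"external IP lookup via {name}"))
    return hits


def verdicts(hits: Iterable[Hit]) -> Dict[str, str]:
    """Per-host verdict: 'confirmed' on any high hit, 'review' when only low hits exist."""
    out: Dict[str, str] = {}
    for h in hits:
        if h.severity == "high":
            out[h.host] = "confirmed"
        else:
            out.setdefault(h.host, "review")
    return out


# Constructed telemetry, not taken from the report: one host showing the reported
# chain, one with only the weak ipify signal, one clean.
SAMPLE_EVENTS = [
    r'2022-05-08T03:10:01Z host=WS01 event=FileCreate image="C:\Users\Admin\AppData\Local\Temp\e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e.exe" path="C:\Windows\Tasks\xogod.job"',
    r'2022-05-08T03:10:02Z host=WS01 event=ProcessCreate image="C:\ProgramData\vxvx\xogod.exe" cmdline="C:\ProgramData\vxvx\xogod.exe start" sha256=e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e',
    r'2022-05-08T03:10:03Z host=WS01 event=DnsQuery query=asdasd05.xyz',
    r'2022-05-08T03:10:04Z host=WS01 event=NetworkConnect hostname=asdasd05.xyz port=4035',
    r'2022-05-08T03:10:05Z host=WS02 event=DnsQuery query=api.ipify.org',
    r'2022-05-08T03:11:00Z host=WS03 event=ProcessCreate image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    found = sweep(SAMPLE_EVENTS)
    for h in found:
        print(f"line {h.line_no:>2} {h.host} [{h.severity}] {h.reason}")
    print(verdicts(found))
```

Against the constructed events, WS01 is confirmed on the job file, the dropped copy, the matching SHA256 and the configured host on port 4035; WS02 only queried api.ipify.org and is flagged for review; WS03 produces no hit. Feeding real telemetry only requires replacing parse_event with a parser for your own log format, since sweep and verdicts work on plain dicts.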
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\vxvx\xogod.exe
  Filesize: 217KB
  MD5: 790578f36d82b60747161ce1c95d320f
  SHA1: 99de20939bb24d34d2274c7e7960a5b610e8e546
  SHA256: e7f4d680ea1ce138f3d3362a7bb03e1b1e692e4c44328d24d668e5dca24d6d9e
  SHA512: fc665610b537fd6fa30debaa3e821ca50edcc89e03a120163f0f9160cf5e36d64a4aefe19d6577c1396c78e2cf5327f2f853b06a1b82314e1e9904f1e06be1d7
  The hashes are identical to those of the submitted sample: the dropped file is a byte-for-byte copy of the sample placed under C:\ProgramData\vxvx\.
Memory dumps (PID-index-range)
  memory/112-135-0x0000000000C46000-0x0000000000C4C000-memory.dmp   24KB
  memory/112-136-0x0000000000400000-0x0000000000C11000-memory.dmp   8.1MB
  memory/4216-130-0x0000000000D0A000-0x0000000000D11000-memory.dmp  28KB
  memory/4216-131-0x0000000000CD0000-0x0000000000CD9000-memory.dmp  36KB
  memory/4216-132-0x0000000000400000-0x0000000000C11000-memory.dmp  8.1MB