Analysis
max time kernel: 188s
max time network: 200s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-05-2022 05:53
Static task: static1
Behavioral task: behavioral1
Sample: dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe
Resource: win7-20220414-en
General
Target: dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe
Size: 129KB
MD5: 45c62274159056d7565d64faff15929e
SHA1: de96ebb4ca03273244dcd44ae140a0db52a7dfa2
SHA256: dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab
SHA512: 81a2abd0d43463575f0db6885c9809bbdb462442a3675d3c825890d46064ada69a70cf4a6f73c75160565a768eb6eaad7a6f462f77d64e75ec1c70524c9f3b7a
Malware Config
Extracted family: systembc
Extracted hosts:
  sdadvert197.com:4044
  mexstat128.com:4044
Signatures

suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

Executes dropped EXE (1 IoC)
Processes:
  pid     process
  1536    lkriui.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow    ioc
  6       api.ipify.org
  7       ip4.seeip.org
  8       ip4.seeip.org
  5       api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  description                    ioc                           process
  File created                   C:\Windows\Tasks\lkriui.job   dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe
  File opened for modification   C:\Windows\Tasks\lkriui.job   dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid     process
  1380    dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe

Suspicious use of WriteProcessMemory (4 IoCs, all four entries identical)
Processes:
  description                          pid     process       target process
  PID 1628 wrote to memory of 1536     1628    taskeng.exe   lkriui.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses

1. C:\Windows\system32\taskeng.exe
   command line: taskeng.exe {8C34A666-166A-4F33-AF46-CCD76C046552} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\tcwnmxv\lkriui.exe
      command line: C:\ProgramData\tcwnmxv\lkriui.exe start
      - Executes dropped EXE
Downloads

C:\ProgramData\tcwnmxv\lkriui.exe
  Filesize: 129KB
  MD5: 45c62274159056d7565d64faff15929e
  SHA1: de96ebb4ca03273244dcd44ae140a0db52a7dfa2
  SHA256: dbe74212670f3e8b68dd6107f659c4de2be4dd68aab6f9446956e8f425bb2aab
  SHA512: 81a2abd0d43463575f0db6885c9809bbdb462442a3675d3c825890d46064ada69a70cf4a6f73c75160565a768eb6eaad7a6f462f77d64e75ec1c70524c9f3b7a

memory/1380-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB
memory/1380-55-0x000000000090B000-0x0000000000912000-memory.dmp
  Filesize: 28KB
memory/1380-56-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
memory/1380-57-0x0000000000400000-0x00000000007DD000-memory.dmp
  Filesize: 3.9MB
memory/1536-59-0x0000000000000000-mapping.dmp
memory/1536-62-0x00000000002EB000-0x00000000002F2000-memory.dmp
  Filesize: 28KB
memory/1536-63-0x0000000000400000-0x00000000007DD000-memory.dmp
  Filesize: 3.9MB