Analysis
- max time kernel: 155s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 05:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
- Resource: win7-20220414-en
General
- Target: 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
- Size: 94KB
- MD5: 8d63b4b33f84d55f999fe7f2c07f1898
- SHA1: 4b72592eb314d60c52e7dc13a4c99b5afb902bf3
- SHA256: 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e
- SHA512: d734614ccba6dd7f3e84e5a39484a45bead737f3d27ab7dbc62654c5a7ea96133c68b02f0e63a073e29105a05ebd2120dd2156d63c901eabad096c65a0e7f263
Malware Config
- Extracted: systembc
- CnC: sdadvert197.com:4044
- CnC: mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2824 | process avmaqa.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 37 | ioc api.ipify.org
    flow 38 | ioc api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description File created | ioc C:\Windows\Tasks\avmaqa.job | process 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
    description File opened for modification | ioc C:\Windows\Tasks\avmaqa.job | process 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
- Program crash (1 IoC)
  Processes:
    pid 4216 | pid_target 2084 | process WerFault.exe | target process 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 2084 | process 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
    pid 2084 | process 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child of the above)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 484
    - Program crash
- C:\ProgramData\cqlaei\avmaqa.exe
  Command line: C:\ProgramData\cqlaei\avmaqa.exe start
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2084 -ip 2084
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\cqlaei\avmaqa.exe
  Filesize: 94KB
  MD5: 8d63b4b33f84d55f999fe7f2c07f1898
  SHA1: 4b72592eb314d60c52e7dc13a4c99b5afb902bf3
  SHA256: 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e
  SHA512: d734614ccba6dd7f3e84e5a39484a45bead737f3d27ab7dbc62654c5a7ea96133c68b02f0e63a073e29105a05ebd2120dd2156d63c901eabad096c65a0e7f263
- memory/2084-130-0x0000000001332000-0x0000000001338000-memory.dmp
  Filesize: 24KB
- memory/2084-131-0x0000000000030000-0x0000000000039000-memory.dmp
  Filesize: 36KB
- memory/2084-132-0x0000000000400000-0x0000000000F75000-memory.dmp
  Filesize: 11.5MB
- memory/2824-135-0x000000000102D000-0x0000000001034000-memory.dmp
  Filesize: 28KB
- memory/2824-136-0x0000000000030000-0x0000000000039000-memory.dmp
  Filesize: 36KB
- memory/2824-137-0x0000000000400000-0x0000000000F75000-memory.dmp
  Filesize: 11.5MB