Analysis
- max time kernel: 151s
- max time network: 190s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 05:55

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe
  - Resource: win7-20220414-en
General
- Target: 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe
- Size: 307KB
- MD5: 53818ba0882a4f72965c01517b478499
- SHA1: fd50ef3f7d99b87ab1c0f1edb2c1790021b7203f
- SHA256: 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66
- SHA512: 9634cd14457db9be6e921bec1c15b192837610286dcd4ef0f3d81d73e504358bcbcc2eaa95d1a0388482207c7d58348ccd9eeefbe3c8e746eaf516d1952b0b75
Malware Config
- Extracted family: systembc
- C2: sdadvert197.com:4044
- C2: mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query (2 alerts)
- Executes dropped EXE (1 IoC)
  - PID 1968: abwhea.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 5: api.ipify.org
  - flow 6: api.ipify.org
  - flow 7: ip4.seeip.org
  - flow 8: ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. This is a capability tag only; no IoC is listed for it in this run.
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\Tasks\abwhea.job, by 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe
  - File opened for modification: C:\Windows\Tasks\abwhea.job, by 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe
  A .job file under C:\Windows\Tasks is a legacy-format scheduled task; it is what starts the dropped copy in the process tree below.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 1016: 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2028 (taskeng.exe) wrote to memory of PID 1968 (abwhea.exe), recorded four times
  taskeng.exe is the parent that launched abwhea.exe, so these writes are consistent with a parent setting up the child it has just created rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  command line: taskeng.exe {ED3AC209-0898-4730-AFCA-BAF00C816B87} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\bxxxcev\abwhea.exe (depth 2, child of taskeng.exe)
    command line: C:\ProgramData\bxxxcev\abwhea.exe start
    - Executes dropped EXE

Read together, the tree shows the persistence chain: the submitted sample (PID 1016) writes its copy to C:\ProgramData\bxxxcev\abwhea.exe and creates C:\Windows\Tasks\abwhea.job; the Task Scheduler engine, whose command line names the S-1-5-18 (NT AUTHORITY\System) principal, then launches the copy (PID 1968) with the argument "start".
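The indicators in the Signatures and Processes sections above can be turned into host- and DNS-side detection logic. The following is an added example written for this page; it is not sandbox output and not SystemBC code. It matches the two C2 domains and port from the extracted config, the two IP-lookup services, the job file and drop path, and the sample's SHA256, and adds one behavioural heuristic (taskeng.exe launching any executable under C:\ProgramData with the single argument "start"), which generalizes beyond the one path the report shows and is an assumption. The pipe-separated record layouts and the sample log are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Indicators copied from the report: extracted config, signatures, downloads.
C2_DOMAINS = {"sdadvert197.com", "mexstat128.com"}
C2_PORT = 4044
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip4.seeip.org"}
SAMPLE_SHA256 = "21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66"
DROPPED_EXE = r"c:\programdata\bxxxcev\abwhea.exe"
JOB_FILE = r"c:\windows\tasks\abwhea.job"

# Behavioural rule derived from the process tree: the Task Scheduler engine
# (taskeng.exe) launches an executable under C:\ProgramData\<dir>\ with the
# single argument "start". Widening the directory and file name to wildcards
# is an assumption made for this example; the report only shows bxxxcev\abwhea.exe.
PROGRAMDATA_START_RE = re.compile(
    r'^"?c:\\programdata\\[^\\]+\\[^\\]+\.exe"?\s+start\s*$', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, rule name, evidence)


def _norm_path(p: str) -> str:
    """Case-fold and strip quotes so Windows paths compare reliably."""
    return p.strip().strip('"').lower()


def scan_line(line: str) -> List[Finding]:
    """Evaluate one pipe-separated record. The record layouts are constructed
    for this example (they are not a Tria.ge or Sysmon export format):
        dns|<host>|<queried name>
        net|<host>|<destination name>|<destination port>
        file|<host>|<writing image>|<path written>
        proc|<host>|<parent image>|<command line>|<sha256 of image>
    """
    f = line.rstrip("\n").split("|")
    kind = f[0]
    out: List[Finding] = []
    if kind == "dns" and len(f) == 3:
        name = f[2].lower().rstrip(".")
        if name in C2_DOMAINS:
            out.append(("high", "systembc_c2_dns", f"{f[1]} queried {name}"))
        elif name in IP_LOOKUP_SERVICES:
            out.append(("low", "external_ip_lookup", f"{f[1]} queried {name}"))
    elif kind == "net" and len(f) == 4:
        dst, port = f[2].lower().rstrip("."), f[3]
        if dst in C2_DOMAINS and port.isdigit() and int(port) == C2_PORT:
            out.append(("high", "systembc_c2_connect", f"{f[1]} -> {dst}:{port}"))
    elif kind == "file" and len(f) == 4:
        path = _norm_path(f[3])
        if path == JOB_FILE:
            out.append(("high", "systembc_job_file", f"{f[2]} wrote {f[3]}"))
        elif path == DROPPED_EXE:
            out.append(("high", "systembc_dropped_exe", f"{f[2]} wrote {f[3]}"))
    elif kind == "proc" and len(f) == 5:
        parent, cmdline, sha = _norm_path(f[2]), f[3], f[4].lower()
        if sha == SAMPLE_SHA256:
            out.append(("high", "systembc_known_hash", f"{f[1]} ran {cmdline}"))
        if parent.endswith("\\taskeng.exe") and PROGRAMDATA_START_RE.match(cmdline):
            out.append(("medium", "taskeng_programdata_start", f"{f[1]}: {cmdline}"))
    return out


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run scan_line over a whole log and return every finding in order."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


# Constructed sample log (not sandbox output): ws01 mirrors the events the
# report recorded, ws02 is benign noise that must not match.
SAMPLE_LOG = """\
dns|ws01|api.ipify.org
dns|ws01|sdadvert197.com
net|ws01|sdadvert197.com|4044
file|ws01|C:\\Users\\Admin\\AppData\\Local\\Temp\\21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66.exe|C:\\Windows\\Tasks\\abwhea.job
proc|ws01|C:\\Windows\\system32\\taskeng.exe|C:\\ProgramData\\bxxxcev\\abwhea.exe start|21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66
dns|ws02|www.example.com
proc|ws02|C:\\Windows\\explorer.exe|C:\\Program Files\\App\\app.exe start|0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for severity, rule, evidence in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {rule}: {evidence}")
```

Run it directly to print the findings for the constructed log; in practice, render DNS resolver logs and Sysmon process-create and file-create events into the layouts documented in scan_line. Treat the IP-lookup hit as low confidence on its own: api.ipify.org and ip4.seeip.org are legitimate services that plenty of benign software queries, and the report itself only flags them in combination with the other behaviour.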
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\bxxxcev\abwhea.exe
  - Filesize: 307KB
  - MD5: 53818ba0882a4f72965c01517b478499
  - SHA1: fd50ef3f7d99b87ab1c0f1edb2c1790021b7203f
  - SHA256: 21e36cb944c9a595bc88ab53151ab15fe280d723a8d58f7ad97e60ecde167f66
  - SHA512: 9634cd14457db9be6e921bec1c15b192837610286dcd4ef0f3d81d73e504358bcbcc2eaa95d1a0388482207c7d58348ccd9eeefbe3c8e746eaf516d1952b0b75
  All four hashes match the submitted sample, so abwhea.exe is a byte-identical self-copy; a hash-based block or hunt for the original also covers the persisted copy.
- memory/1016-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp: 8KB
- memory/1016-55-0x0000000000DFB000-0x0000000000E02000-memory.dmp: 28KB
- memory/1016-56-0x0000000000220000-0x0000000000229000-memory.dmp: 36KB
- memory/1016-57-0x0000000000400000-0x0000000000C2A000-memory.dmp: 8.2MB
- memory/1968-59-0x0000000000000000-mapping.dmp
- memory/1968-63-0x0000000000400000-0x0000000000C2A000-memory.dmp: 8.2MB
- memory/1968-62-0x0000000000CBB000-0x0000000000CC2000-memory.dmp: 28KB

Both the original process (1016) and the scheduled copy (1968) have an 8.2MB dump at 0x400000-0xC2A000, the default image base, for a file that is only 307KB on disk. A virtual footprint that much larger than the raw file is consistent with a packed executable that unpacks in place, so those two dumps are where to look for the decoded SystemBC code and the plaintext C2 strings.