Analysis
- max time kernel: 187s
- max time network: 202s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 05:55

Static task: static1
Behavioral task: behavioral1
Sample: 6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
Resource: win7-20220414-en
General
- Target: 6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
- Size: 316KB
- MD5: afbea4a6f073cac89a9f3cd6df0844a3
- SHA1: 3517690fa2065239a6ad49abcf7153248d02cbf0
- SHA256: 6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c
- SHA512: 3bedf050bbc9ac1ceb059e30efa590fc2db85ef1f0961d36b8f443166ece56a8895755fe5bcbacf6a7a8a3928708b28a9885375ae28b97d9363fc8d90d99c99d
Malware Config
Extracted
- family: systembc
- C2: sdadvert197.com:4044
- C2: mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query (2 alerts)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1348  vtbc.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     ip4.seeip.org
    8     ip4.seeip.org
    5     api.ipify.org
    6     api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity. This is a TTP tag only; the report lists no Tor-specific IoCs for this run.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                        process
    File opened for modification  C:\Windows\Tasks\vtbc.job  6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
    File created                  C:\Windows\Tasks\vtbc.job  6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
  C:\Windows\Tasks\*.job is the legacy Task Scheduler 1.0 job format; the process tree below shows taskeng.exe running as S-1-5-18 (SYSTEM) and launching the dropped copy, so the .job file is the persistence and privilege boundary here.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1792  6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description            pid   process      target pid  target process
    PID 1264 wrote to memory of 1348   1264  taskeng.exe  1348        vtbc.exe
    PID 1264 wrote to memory of 1348   1264  taskeng.exe  1348        vtbc.exe
    PID 1264 wrote to memory of 1348   1264  taskeng.exe  1348        vtbc.exe
    PID 1264 wrote to memory of 1348   1264  taskeng.exe  1348        vtbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0C25B7A5-31C6-497C-B37C-4B847405118D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\qlpho\vtbc.exe (child of taskeng.exe)
    Command line: C:\ProgramData\qlpho\vtbc.exe start
    - Executes dropped EXE
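The chain the report records (a .job file written to C:\Windows\Tasks by an executable in %TEMP%, taskeng.exe launching the copy from C:\ProgramData, an external-IP lookup, then DNS for the extracted C2 domains) maps directly onto host-side detection logic. The Python below is an added example written for this page; it is not sandbox or Triage code. The Event records are constructed to mirror the report rather than captured telemetry, and the Event/Finding schema, the rule names and the net_connect record (built from the :4044 C2 config) are assumptions for illustration.

```python
"""Host-side correlation of the SystemBC behaviour chain shown in this report.

Added example written for this page; it is not sandbox or Triage code.
The Event records are constructed to mirror the report, not captured telemetry.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report above.
C2_DOMAINS = {"sdadvert197.com", "mexstat128.com"}
C2_PORT = 4044
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "api.ipify.org"}
KNOWN_SHA256 = {"6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c"}

# Legacy Task Scheduler 1.0 job files; taskeng.exe executes them as SYSTEM.
JOB_FILE_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"
PROGRAMDATA_DIR = "c:\\programdata\\"


@dataclass
class Event:
    """Sysmon-like record (assumed schema). kind is one of
    file_create, process_create, dns_query or net_connect."""
    kind: str
    pid: int
    image: str
    detail: str = ""         # target path, DNS name or "host:port"
    parent_image: str = ""
    sha256: str = ""


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    evidence: str


def match_event(e: Event) -> list[Finding]:
    """Single-event rules derived from the signatures in this report."""
    img = e.image.lower()
    out: list[Finding] = []
    if e.kind == "file_create":
        # .job files are normally written by the Task Scheduler service itself,
        # not by an executable running from a user-writable location.
        if JOB_FILE_RE.match(e.detail.lower()) and not img.startswith(WINDOWS_DIR):
            out.append(Finding("job_file_written_by_non_system_image", e.pid, e.image, e.detail))
    elif e.kind == "process_create":
        if e.parent_image.lower().endswith("\\taskeng.exe") and img.startswith(PROGRAMDATA_DIR):
            out.append(Finding("taskeng_spawns_programdata_exe", e.pid, e.image, e.parent_image))
        if e.sha256.lower() in KNOWN_SHA256:
            out.append(Finding("known_systembc_hash", e.pid, e.image, e.sha256))
    elif e.kind == "dns_query":
        q = e.detail.lower().rstrip(".")
        if q in IP_LOOKUP_HOSTS:
            out.append(Finding("external_ip_lookup", e.pid, e.image, q))
        if q in C2_DOMAINS:
            out.append(Finding("systembc_c2_domain", e.pid, e.image, q))
    elif e.kind == "net_connect":
        host, _, port = e.detail.lower().rpartition(":")
        if host in C2_DOMAINS and port.isdigit() and int(port) == C2_PORT:
            out.append(Finding("systembc_c2_connect", e.pid, e.image, e.detail))
    return out


def correlate(events: list[Event]) -> dict[int, list[str]]:
    """Group rule hits per PID and add a chain verdict when one process both
    checks its external IP and resolves a configured C2 domain, as PID 1348 did."""
    hits: dict[int, list[str]] = defaultdict(list)
    for e in events:
        for f in match_event(e):
            hits[f.pid].append(f.rule)
    for rules in hits.values():
        if "external_ip_lookup" in rules and "systembc_c2_domain" in rules:
            rules.append("systembc_beacon_chain")
    return dict(hits)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe"
DROPPED = r"C:\ProgramData\qlpho\vtbc.exe"

# Constructed events mirroring the report, plus benign noise that must not fire.
CONSTRUCTED_EVENTS = [
    Event("file_create", 1792, SAMPLE, detail=r"C:\Windows\Tasks\vtbc.job"),
    Event("process_create", 1348, DROPPED, parent_image=r"C:\Windows\system32\taskeng.exe",
          sha256="6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c"),
    Event("dns_query", 1348, DROPPED, detail="ip4.seeip.org"),
    Event("dns_query", 1348, DROPPED, detail="sdadvert197.com"),
    Event("net_connect", 1348, DROPPED, detail="sdadvert197.com:4044"),
    Event("process_create", 2000, r"C:\Windows\System32\notepad.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event("dns_query", 2000, r"C:\Windows\System32\notepad.exe", detail="www.example.com"),
    Event("file_create", 1264, r"C:\Windows\system32\svchost.exe", detail=r"C:\Windows\Tasks\At1.job"),
]

if __name__ == "__main__":
    for pid, rules in sorted(correlate(CONSTRUCTED_EVENTS).items()):
        print(pid, rules)
```

The per-event rules are deliberately narrow (writer path for .job files, taskeng.exe as parent of a ProgramData binary, the extracted domains and port) so that the chain verdict, not any single hit, carries the confidence; the svchost.exe job-file write and the notepad.exe DNS query in the constructed input are there to show that ordinary Task Scheduler activity and ordinary lookups stay silent.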
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\qlpho\vtbc.exe
  Filesize: 316KB
  MD5: afbea4a6f073cac89a9f3cd6df0844a3
  SHA1: 3517690fa2065239a6ad49abcf7153248d02cbf0
  SHA256: 6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c
  SHA512: 3bedf050bbc9ac1ceb059e30efa590fc2db85ef1f0961d36b8f443166ece56a8895755fe5bcbacf6a7a8a3928708b28a9885375ae28b97d9363fc8d90d99c99d
  All four hashes match the submitted sample, so the dropped file is an unmodified copy of it; the same hashes cover both the original and the persisted binary.
- memory/1348-59-0x0000000000000000-mapping.dmp
- memory/1348-62-0x0000000000D7A000-0x0000000000D80000-memory.dmp (24KB)
- memory/1348-63-0x0000000000400000-0x0000000000C2B000-memory.dmp (8.2MB)
- memory/1792-54-0x0000000075841000-0x0000000075843000-memory.dmp (8KB)
- memory/1792-56-0x0000000000020000-0x0000000000029000-memory.dmp (36KB)
- memory/1792-55-0x0000000000D8A000-0x0000000000D90000-memory.dmp (24KB)
- memory/1792-57-0x0000000000400000-0x0000000000C2B000-memory.dmp (8.2MB)