Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 16:33
Static task: static1
Behavioral task: behavioral1
Sample: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
Resource: win7-20220414-en
General
- Target: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
- Size: 129KB
- MD5: 6a122e54deeb8a43546f3c638bdad976
- SHA1: fa47f6e797541e61050ad7e43822c931f8771b41
- SHA256: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3
- SHA512: abd86940d715ca0757ca485a4c8c9e823d236ea92db87f131dc0990e2e79095c627aa243017f439840fc17bdb9cea882ae84a310101c024ba62a94ce1850175b
Malware Config
Extracted: systembc
- dasd13d.com:4035
- dasd13d.xyz:4035
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1348  jmfru.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  7     ip4.seeip.org
  8     ip4.seeip.org
  5     api.ipify.org
  6     api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                   ioc                         process
  File created                  C:\Windows\Tasks\jmfru.job  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
  File opened for modification  C:\Windows\Tasks\jmfru.job  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid   process
  1620  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process      target process
  PID 1456 wrote to memory of 1348  1456  taskeng.exe  jmfru.exe
  PID 1456 wrote to memory of 1348  1456  taskeng.exe  jmfru.exe
  PID 1456 wrote to memory of 1348  1456  taskeng.exe  jmfru.exe
  PID 1456 wrote to memory of 1348  1456  taskeng.exe  jmfru.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {78D838C6-CEFE-451B-AA36-E0D66E350F17} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\advsok\jmfru.exe
    Command line: C:\ProgramData\advsok\jmfru.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\advsok\jmfru.exe
  Filesize: 129KB
  MD5: 6a122e54deeb8a43546f3c638bdad976
  SHA1: fa47f6e797541e61050ad7e43822c931f8771b41
  SHA256: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3
  SHA512: abd86940d715ca0757ca485a4c8c9e823d236ea92db87f131dc0990e2e79095c627aa243017f439840fc17bdb9cea882ae84a310101c024ba62a94ce1850175b
- memory/1348-59-0x0000000000000000-mapping.dmp
- memory/1348-62-0x0000000000A5B000-0x0000000000A62000-memory.dmp
  Filesize: 28KB
- memory/1348-63-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB
- memory/1620-54-0x0000000075951000-0x0000000075953000-memory.dmp
  Filesize: 8KB
- memory/1620-55-0x00000000009AB000-0x00000000009B2000-memory.dmp
  Filesize: 28KB
- memory/1620-56-0x0000000000230000-0x0000000000239000-memory.dmp
  Filesize: 36KB
- memory/1620-57-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB