Analysis
max time kernel: 155s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-05-2022 16:33
Static task: static1
Behavioral task: behavioral1
Sample: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
Resource: win7-20220414-en
General
Target: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
Size: 129KB
MD5: 6a122e54deeb8a43546f3c638bdad976
SHA1: fa47f6e797541e61050ad7e43822c931f8771b41
SHA256: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3
SHA512: abd86940d715ca0757ca485a4c8c9e823d236ea92db87f131dc0990e2e79095c627aa243017f439840fc17bdb9cea882ae84a310101c024ba62a94ce1850175b
Malware Config
Extracted
systembc
dasd13d.com:4035
dasd13d.xyz:4035
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2612  hddbox.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  51    api.ipify.org
  50    api.ipify.org
Uses Tor communications (1 TTPs)
Malware can proxy its traffic through Tor for more anonymity.
Drops file in Windows directory (2 IoCs)
Processes:
  description                   ioc                          process
  File created                  C:\Windows\Tasks\hddbox.job  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
  File opened for modification  C:\Windows\Tasks\hddbox.job  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  4052  4300        WerFault.exe  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4300  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
  4300  7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 948
    - Program crash
C:\ProgramData\slnb\hddbox.exe
  command line: C:\ProgramData\slnb\hddbox.exe start
  - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4300 -ip 4300
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\slnb\hddbox.exe
  Filesize: 129KB
  MD5: 6a122e54deeb8a43546f3c638bdad976
  SHA1: fa47f6e797541e61050ad7e43822c931f8771b41
  SHA256: 7dc7d64d4102b3d131ed39640ba2c5ac043235feeaf223880a783a6b87d3c6b3
  SHA512: abd86940d715ca0757ca485a4c8c9e823d236ea92db87f131dc0990e2e79095c627aa243017f439840fc17bdb9cea882ae84a310101c024ba62a94ce1850175b
memory/2612-136-0x0000000000BF2000-0x0000000000BF9000-memory.dmp
  Filesize: 28KB
memory/2612-137-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB
memory/4300-131-0x0000000000B68000-0x0000000000B6F000-memory.dmp
  Filesize: 28KB
memory/4300-132-0x0000000000B10000-0x0000000000B19000-memory.dmp
  Filesize: 36KB
memory/4300-133-0x0000000000400000-0x00000000008BF000-memory.dmp
  Filesize: 4.7MB