Analysis
Max time kernel: 155s
Max time network: 169s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 11-05-2022 02:26
Static task: static1
Behavioral task: behavioral1
Sample: e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe
Resource: win7-20220414-en
General
Target: e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe
Size: 95KB
MD5: 0fa62d99e9fa9e4da58a1e2a7dc3d5a9
SHA1: cf0f9fa093bc1a1ff51c368194e03c8bf66d6a73
SHA256: e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763
SHA512: 58fb9d1689a69bd63bea760cefadc18d3821e545b1540f166e63f65e480b62a3e36e6a327539dd0ae729c073d38d497e2ac091b6fec6a044fe8be0bb9e66b729
Malware Config
Extracted
systembc
dasdasd28asd.com:4035
sasdcs28sd.xyz:4035
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1752  ebvb.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    9     ip4.seeip.org
    6     api.ipify.org
    7     api.ipify.org
    8     ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                        process
    File created                  C:\Windows\Tasks\ebvb.job  e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe
    File opened for modification  C:\Windows\Tasks\ebvb.job  e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 2020  e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process      target process
    PID 1072 wrote to memory of 1752   1072  taskeng.exe  ebvb.exe
    PID 1072 wrote to memory of 1752   1072  taskeng.exe  ebvb.exe
    PID 1072 wrote to memory of 1752   1072  taskeng.exe  ebvb.exe
    PID 1072 wrote to memory of 1752   1072  taskeng.exe  ebvb.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {728A341D-8797-4900-983C-E32F5B0A1679} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\nncuv\ebvb.exe (child process)
    Command line: C:\ProgramData\nncuv\ebvb.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\nncuv\ebvb.exe
  Filesize: 95KB
  MD5: 0fa62d99e9fa9e4da58a1e2a7dc3d5a9
  SHA1: cf0f9fa093bc1a1ff51c368194e03c8bf66d6a73
  SHA256: e71a3a3daea6774b51d0e10142ce3ef4168175ef3415fd095a1e5c0486f02763
  SHA512: 58fb9d1689a69bd63bea760cefadc18d3821e545b1540f166e63f65e480b62a3e36e6a327539dd0ae729c073d38d497e2ac091b6fec6a044fe8be0bb9e66b729
- memory/1752-59-0x0000000000000000-mapping.dmp
- memory/1752-63-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
- memory/1752-62-0x000000000105B000-0x0000000001062000-memory.dmp
  Filesize: 28KB
- memory/1752-64-0x0000000000400000-0x0000000000F75000-memory.dmp
  Filesize: 11.5MB
- memory/2020-54-0x000000000108B000-0x0000000001092000-memory.dmp
  Filesize: 28KB
- memory/2020-55-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
- memory/2020-56-0x0000000074DD1000-0x0000000074DD3000-memory.dmp
  Filesize: 8KB
- memory/2020-57-0x0000000000400000-0x0000000000F75000-memory.dmp
  Filesize: 11.5MB