Analysis
- max time kernel: 115s
- max time network: 187s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-05-2022 11:59
Static task: static1
Behavioral task: behavioral1
Sample: a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe
Resource: win7-20220414-en
General
- Target: a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe
- Size: 190KB
- MD5: 18bf71b4b6017218464aa69ece567f98
- SHA1: 5eab7974b0636568d2b96cf9eef6b6bacb8adb1b
- SHA256: a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1
- SHA512: 5efff60513e55b0961602b2ecdadd04fb8e524e5e4f5dac34bde6a6504a94c6cc8b326a7b947022a9bfea334b67a32aed6282ea4d698da598bc54cf6635a8f74
Malware Config
Extracted
systembc
sdadvert197.com:4044
mexstat128.com:4044
Signatures
-
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1308  ajxto.exe
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  5     api.ipify.org
  6     api.ipify.org
  7     ip4.seeip.org
  8     ip4.seeip.org
-
Drops file in Windows directory (2 IoCs)
Processes:
  description                   ioc                         process
  File opened for modification  C:\Windows\Tasks\ajxto.job  a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe
  File created                  C:\Windows\Tasks\ajxto.job  a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid  process
  916  a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process      target process
  PID 1304 wrote to memory of 1308  1304  taskeng.exe  ajxto.exe
  PID 1304 wrote to memory of 1308  1304  taskeng.exe  ajxto.exe
  PID 1304 wrote to memory of 1308  1304  taskeng.exe  ajxto.exe
  PID 1304 wrote to memory of 1308  1304  taskeng.exe  ajxto.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {BF5D225C-087D-4604-851F-43FDAC6B4977} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\cadjeb\ajxto.exe (child of taskeng.exe)
    Command line: C:\ProgramData\cadjeb\ajxto.exe start
    - Executes dropped EXE
Downloads
-
C:\ProgramData\cadjeb\ajxto.exe
  Filesize: 190KB
  MD5: 18bf71b4b6017218464aa69ece567f98
  SHA1: 5eab7974b0636568d2b96cf9eef6b6bacb8adb1b
  SHA256: a1d22e1aff7b55b24228a8da8851a8a0ee40449941123cccc59b50d8c58215a1
  SHA512: 5efff60513e55b0961602b2ecdadd04fb8e524e5e4f5dac34bde6a6504a94c6cc8b326a7b947022a9bfea334b67a32aed6282ea4d698da598bc54cf6635a8f74
-
memory/916-54-0x0000000075711000-0x0000000075713000-memory.dmp
  Filesize: 8KB
-
memory/916-56-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB
-
memory/916-55-0x0000000004E8B000-0x0000000004E92000-memory.dmp
  Filesize: 28KB
-
memory/916-57-0x0000000000400000-0x0000000004DAC000-memory.dmp
  Filesize: 73.7MB
-
memory/1308-59-0x0000000000000000-mapping.dmp
-
memory/1308-62-0x0000000004EAB000-0x0000000004EB2000-memory.dmp
  Filesize: 28KB
-
memory/1308-63-0x0000000000400000-0x0000000004DAC000-memory.dmp
  Filesize: 73.7MB