Analysis
- max time kernel: 157s
- max time network: 196s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-05-2022 11:41
Static task: static1
Behavioral task: behavioral1
Sample: 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe
Resource: win7-20220414-en
General
- Target: 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe
- Size: 90KB
- MD5: 92dbe3d237c0b38a6feaece08bf7a1f6
- SHA1: 5eeda1c31858de743f8afa7ce6c24c8c0e816c7d
- SHA256: 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4
- SHA512: fe5f35f485dc2a675374c2581ea8a0bb92f88ef43d225e0f53d57bed6587fd73a8554cd946af252f1557e3e8573c00c43929c31e9e32258aae2b49e538c6494d
Malware Config
Extracted family: systembc
- sdadvert197.com:4044
- mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2028: phveh.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    5: api.ipify.org
    6: api.ipify.org
    7: ip4.seeip.org
    8: ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Windows\Tasks\phveh.job, by 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe
    File opened for modification: C:\Windows\Tasks\phveh.job, by 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1832: 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 1424 (taskeng.exe) wrote to memory of PID 2028 (phveh.exe), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B4AA296E-686F-4C7F-9D8F-93C3BA6E7EB4} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  Child process:
  - C:\ProgramData\umsci\phveh.exe
    Command line: C:\ProgramData\umsci\phveh.exe start
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\umsci\phveh.exe
  Filesize: 90KB
  MD5: 92dbe3d237c0b38a6feaece08bf7a1f6
  SHA1: 5eeda1c31858de743f8afa7ce6c24c8c0e816c7d
  SHA256: 67713ae5aac48a69c97bcb8dbc6db59518a3b7c60ce57ab48c1883bd995bf7d4
  SHA512: fe5f35f485dc2a675374c2581ea8a0bb92f88ef43d225e0f53d57bed6587fd73a8554cd946af252f1557e3e8573c00c43929c31e9e32258aae2b49e538c6494d
- memory/1832-54-0x00000000002E8000-0x00000000002EF000-memory.dmp (Filesize: 28KB)
- memory/1832-55-0x00000000002E8000-0x00000000002EF000-memory.dmp (Filesize: 28KB)
- memory/1832-56-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize: 36KB)
- memory/1832-57-0x0000000074F91000-0x0000000074F93000-memory.dmp (Filesize: 8KB)
- memory/1832-58-0x0000000000400000-0x0000000000F74000-memory.dmp (Filesize: 11.5MB)
- memory/2028-60-0x0000000000000000-mapping.dmp
- memory/2028-62-0x0000000001008000-0x000000000100F000-memory.dmp (Filesize: 28KB)
- memory/2028-65-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize: 36KB)
- memory/2028-64-0x0000000001008000-0x000000000100F000-memory.dmp (Filesize: 28KB)
- memory/2028-66-0x0000000000400000-0x0000000000F74000-memory.dmp (Filesize: 11.5MB)