Analysis
- max time kernel: 161s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-05-2022 11:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe
- Resource: win7-20220414-en
General
- Target: d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe
- Size: 178KB
- MD5: 8a53ca14784db0d61dee57dbd1c38e54
- SHA1: a60f41f04529432ae8e4577ba9f13bca904ab4e9
- SHA256: d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045
- SHA512: 3947f8df002b02e7d5ee9df07d1fd93e7f8bf322d91f99a4069480498d61b3f42718790d7ec93100a29257339d1f9e2d61e0a98740b5a05fa5e994c280b868d8
Malware Config
- Extracted: systembc
  - sdadvert197.com:4044
  - mexstat128.com:4044
Signatures
- suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1968  tjxwqlc.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    5     api.ipify.org
    6     api.ipify.org
    7     ip4.seeip.org
    8     ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description                   ioc                           process
    File opened for modification  C:\Windows\Tasks\tjxwqlc.job  d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe
    File created                  C:\Windows\Tasks\tjxwqlc.job  d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    2028  d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                    pid   process      target process
    PID 2024 wrote to memory of 1968  2024  taskeng.exe  tjxwqlc.exe
    PID 2024 wrote to memory of 1968  2024  taskeng.exe  tjxwqlc.exe
    PID 2024 wrote to memory of 1968  2024  taskeng.exe  tjxwqlc.exe
    PID 2024 wrote to memory of 1968  2024  taskeng.exe  tjxwqlc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {52F86EB3-8051-4938-9171-6A4FB54AE957} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\wpsdq\tjxwqlc.exe (child process)
    command line: C:\ProgramData\wpsdq\tjxwqlc.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\wpsdq\tjxwqlc.exe
  - Filesize: 178KB
  - MD5: 8a53ca14784db0d61dee57dbd1c38e54
  - SHA1: a60f41f04529432ae8e4577ba9f13bca904ab4e9
  - SHA256: d7588ed746eb3b1ef4b5ac9507d8e432174eba3b4638df6e1497ed45caecd045
  - SHA512: 3947f8df002b02e7d5ee9df07d1fd93e7f8bf322d91f99a4069480498d61b3f42718790d7ec93100a29257339d1f9e2d61e0a98740b5a05fa5e994c280b868d8
- memory/1968-59-0x0000000000000000-mapping.dmp
- memory/1968-62-0x0000000004E5B000-0x0000000004E61000-memory.dmp (Filesize: 24KB)
- memory/1968-63-0x0000000000400000-0x0000000004DA8000-memory.dmp (Filesize: 73.7MB)
- memory/2028-54-0x0000000076C81000-0x0000000076C83000-memory.dmp (Filesize: 8KB)
- memory/2028-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/2028-55-0x0000000004F5B000-0x0000000004F62000-memory.dmp (Filesize: 28KB)
- memory/2028-57-0x0000000000400000-0x0000000004DA8000-memory.dmp (Filesize: 73.7MB)