Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 03:13
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe
  - Resource: win7-20220414-en
General
- Target: 29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe
- Size: 478KB
- MD5: a6c3d82792c4ce7dc0695b3c013a27d3
- SHA1: ee4319f916330ff685b2d4ccd458a1baacf71dcf
- SHA256: 29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674
- SHA512: 8584e0a1420ccb9b16fa4b983629d9920576b1f40268c8479fbecd00470b0bcd1c6a850b76684dc20fa3afe75d4693b968d3a45843e18f550e026468382241a9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1984 GetX64BTIT.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 388 29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow id: ioc):
  - flow 3: api.ipify.org
  - flow 2: api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 388 29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe (all 64 IoCs are attributed to this one process)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 388 29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 388 (29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe) wrote to memory of PID 1984 (GetX64BTIT.exe); the same source/target pair is recorded for all 4 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29c9272012b3b7ec9d72f112fe1eae5a119441f3da03d6870458176525485674.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    Depth: 2
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  Filesize: 3KB
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  Filesize: 28B
  MD5: 6876fc44eaeef1e2e5547e4aada16097
  SHA1: 2c38c53a30d19dd65f732a1820ec8d3420e73966
  SHA256: 535378e7757baf53e1a6db3679e9f8fe3d00d7a917fea3564f82e7cf8d7761b1
  SHA512: 161fc69ed3402fb37459b8ee44818bccf6f75d4649707119ba4f8242072b7700e3b33f35346d25ba4844528b2a62e322c055b70fbb214ec559592332f974cfb6
- \Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (same file as the first entry)
  Filesize: 3KB
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
  Filesize: 8KB
- memory/388-56-0x0000000000250000-0x00000000002A4000-memory.dmp
  Filesize: 336KB
- memory/388-55-0x00000000050AB000-0x00000000050FF000-memory.dmp
  Filesize: 336KB
- memory/388-57-0x0000000000400000-0x0000000004ED3000-memory.dmp
  Filesize: 74.8MB
- memory/388-58-0x00000000002B0000-0x000000000034F000-memory.dmp
  Filesize: 636KB
- memory/388-63-0x0000000010000000-0x0000000010015000-memory.dmp
  Filesize: 84KB
- memory/388-64-0x0000000000220000-0x000000000023E000-memory.dmp
  Filesize: 120KB
- memory/1984-60-0x0000000000000000-mapping.dmp