Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-09-2022 21:20
Static task
static1
Behavioral task
behavioral1
Sample
5e6764534b3a1e4d3abacc4810b6985d.exe
Resource
win7-20220812-en
General
-
Target
5e6764534b3a1e4d3abacc4810b6985d.exe
-
Size
740KB
-
MD5
5e6764534b3a1e4d3abacc4810b6985d
-
SHA1
f10ad287f126f577f197070453812a7e88c2cc52
-
SHA256
e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0
-
SHA512
532d2855e1b21433dbcc9c803f0538d99f6c3bddf0dd8321f552c7d16914dce4c2d2d3abd8028f45a4cf18109d430251d8fe8c63d30627e6fcc27d54cb42a188
-
SSDEEP
12288:az1bWgRkItsxHeYfpGcix2wytmyKsqVwoiFNoQEN5:+RkItsl7fofyKsqVwoiFNoQE3
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org 3 api.ipify.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
wermgr.exepid process 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe 1732 wermgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
5e6764534b3a1e4d3abacc4810b6985d.exewermgr.exepid process 360 5e6764534b3a1e4d3abacc4810b6985d.exe 1732 wermgr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
5e6764534b3a1e4d3abacc4810b6985d.exedescription pid process target process PID 360 wrote to memory of 1732 360 5e6764534b3a1e4d3abacc4810b6985d.exe wermgr.exe PID 360 wrote to memory of 1732 360 5e6764534b3a1e4d3abacc4810b6985d.exe wermgr.exe PID 360 wrote to memory of 1732 360 5e6764534b3a1e4d3abacc4810b6985d.exe wermgr.exe PID 360 wrote to memory of 1732 360 5e6764534b3a1e4d3abacc4810b6985d.exe wermgr.exe PID 360 wrote to memory of 1732 360 5e6764534b3a1e4d3abacc4810b6985d.exe wermgr.exe PID 360 wrote to memory of 1732 360 5e6764534b3a1e4d3abacc4810b6985d.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe"C:\Users\Admin\AppData\Local\Temp\5e6764534b3a1e4d3abacc4810b6985d.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\System32\wermgr.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/360-54-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/1732-55-0x0000000000000000-mapping.dmp
-
memory/1732-56-0x0000000075771000-0x0000000075773000-memory.dmpFilesize
8KB
-
memory/1732-57-0x0000000010000000-0x0000000010015000-memory.dmpFilesize
84KB
-
memory/1732-58-0x0000000000220000-0x000000000023D000-memory.dmpFilesize
116KB
-
memory/1732-59-0x0000000000130000-0x00000000001CA000-memory.dmpFilesize
616KB
-
memory/1732-60-0x00000000001D0000-0x00000000001D5000-memory.dmpFilesize
20KB
-
memory/1732-61-0x0000000000130000-0x00000000001CA000-memory.dmpFilesize
616KB