Resubmissions
- 240409-stwazaeb2v (score 10), 09-04-2024 15:25
- 240409-stvpfaeb2s (score 10), 09-04-2024 15:25
- 240409-stvdnsaf77 (score 10), 09-04-2024 15:25
- 240409-stryjsea9x (score 10), 09-04-2024 15:25
- 230113-va4jcaae56 (score 10), 13-01-2023 16:48

Analysis
Max time kernel: 142s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 13-01-2023 16:48
Behavioral task: behavioral1
Sample: a95c29de8321dd4dc8b9676ec640e7b3.exe
Resource: win7-20220812-en
General
Target: a95c29de8321dd4dc8b9676ec640e7b3.exe
Size: 32KB
MD5: a95c29de8321dd4dc8b9676ec640e7b3
SHA1: d9ef0d8e14ddba29ab8e39779e616344440d8f75
SHA256: 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
SHA512: d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
SSDEEP: 768:3Ta1PsXQ0yVmQvcs27NOJtyuv09gnoJCvcror:SsXQ0yVN2gV0Gno
Malware Config
Extracted family: systembc
C2: dec15coma.com:4039
C2: dec15coma.xyz:4039
Signatures
- Executes dropped EXE (1 IoC)
  Process: itju.exe, PID 968
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 7: ip4.seeip.org
  Flow 5: api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process a95c29de8321dd4dc8b9676ec640e7b3.exe: File opened for modification C:\Windows\Tasks\itju.job
  Process a95c29de8321dd4dc8b9676ec640e7b3.exe: File created C:\Windows\Tasks\itju.job
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: a95c29de8321dd4dc8b9676ec640e7b3.exe, PID 1532
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 732 (taskeng.exe) wrote to memory of PID 968 (itju.exe); recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe (PID 1532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
  Drops file in Windows directory
  Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (PID 732)
  Command line: taskeng.exe {5C2039F5-D15A-4A96-8258-A76983A205BD} S-1-5-18:NT AUTHORITY\System:Service:
  Suspicious use of WriteProcessMemory
  - C:\ProgramData\cgjc\itju.exe (PID 968), child of taskeng.exe
    Command line: C:\ProgramData\cgjc\itju.exe start
    Executes dropped EXE

The sample does not launch its copy directly: it writes the legacy task file C:\Windows\Tasks\itju.job, and the Task Scheduler engine (taskeng.exe, running as SYSTEM per the S-1-5-18 argument) starts C:\ProgramData\cgjc\itju.exe with the "start" argument.
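Detection logic for the chain documented in the Signatures, the process tree and the extracted config above, as an added example that is not part of the Triage report and not SystemBC code. It runs over constructed Sysmon-style events (an assumption: dicts with the field names Sysmon emits for event IDs 1, 3, 11 and 22) and matches them against the indicators the report gives: the sample's SHA256, the two C2 hosts on port 4039, the .job file written under C:\Windows\Tasks from a user Temp path, the copy launched from C:\ProgramData by taskeng.exe, and DNS lookups of the two IP-lookup services. The path patterns generalise the single names in the report (itju.job, cgjc\itju.exe) to any file name, which is an assumption about other SystemBC builds; the events are constructed, not captured telemetry.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report above.
SAMPLE_SHA256 = "7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b"
SYSTEMBC_C2 = {("dec15coma.com", 4039), ("dec15coma.xyz", 4039)}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}

# Path patterns generalised (assumption) from the report: the legacy .job task
# under C:\Windows\Tasks and the payload copy at C:\ProgramData\<dir>\<name>.exe.
JOB_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

SEVERITY = {"hash_match": "high", "c2_connect": "high",
            "taskeng_spawn": "medium", "job_drop": "medium", "ip_lookup": "low"}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str

    @property
    def severity(self):
        return SEVERITY[self.rule]


def parse_hashes(field):
    """Parse a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...' into a dict."""
    out = {}
    for part in (field or "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect(events):
    """Return one Alert per matching event. Event dicts mimic Sysmon IDs
    1 (process create), 3 (network connect), 11 (file create), 22 (DNS query)."""
    alerts = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 1:
            if parse_hashes(ev.get("Hashes")).get("SHA256") == SAMPLE_SHA256:
                alerts.append(Alert("hash_match", image, "known SystemBC sample executed"))
            parent = ev.get("ParentImage", "").lower()
            if parent.endswith("\\taskeng.exe") and PROGRAMDATA_EXE_RE.match(image):
                alerts.append(Alert("taskeng_spawn", image,
                                    "Task Scheduler launched a ProgramData executable: "
                                    + ev.get("CommandLine", "")))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if JOB_RE.match(target) and USER_TEMP_RE.match(image):
                alerts.append(Alert("job_drop", image, "legacy .job task written from user Temp: " + target))
        elif eid == 22:
            name = ev.get("QueryName", "").lower()
            if name in IP_LOOKUP_HOSTS:
                alerts.append(Alert("ip_lookup", image, "external IP lookup via " + name))
        elif eid == 3:
            dest = (ev.get("DestinationHostname", "").lower(), int(ev.get("DestinationPort", 0)))
            if dest in SYSTEMBC_C2:
                alerts.append(Alert("c2_connect", image, "SystemBC C2 %s:%d" % dest))
    return alerts


def verdict(alerts):
    """Collapse alerts into a host verdict. IP lookups alone are a weak signal,
    since legitimate software uses the same services."""
    rules = {a.rule for a in alerts}
    if rules & {"hash_match", "c2_connect"} or {"job_drop", "taskeng_spawn"} <= rules:
        return "high"
    if rules & {"job_drop", "taskeng_spawn"}:
        return "medium"
    if "ip_lookup" in rules:
        return "low"
    return "none"


# Constructed events replaying the chain in the report (not real telemetry).
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
_DROPPED = r"C:\ProgramData\cgjc\itju.exe"
_HASHES = "SHA256=" + SAMPLE_SHA256
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": _SAMPLE, "ProcessId": 1532, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s"' % _SAMPLE, "Hashes": _HASHES},
    {"EventID": 11, "Image": _SAMPLE, "TargetFilename": r"C:\Windows\Tasks\itju.job"},
    {"EventID": 1, "Image": _DROPPED, "ProcessId": 968, "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": _DROPPED + " start", "Hashes": _HASHES},
    {"EventID": 22, "Image": _DROPPED, "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": _DROPPED, "QueryName": "ip4.seeip.org"},
    {"EventID": 3, "Image": _DROPPED, "DestinationHostname": "dec15coma.com", "DestinationPort": 4039},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 2200,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print("[%s] %-13s %s  (%s)" % (a.severity, a.rule, a.detail, a.image))
    print("verdict:", verdict(found))
```

Running the script prints seven alerts and a "high" verdict for the constructed chain. The IP-lookup rule is rated low on its own because api.ipify.org and ip4.seeip.org are legitimate services, and taskeng.exe starting a task is only treated as suspicious when the target lives under C:\ProgramData; the job-drop and taskeng-spawn rules together are what make the persistence chain high confidence even when the hash and C2 hosts have changed.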
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\cgjc\itju.exe
  Filesize: 32KB
  MD5: a95c29de8321dd4dc8b9676ec640e7b3
  SHA1: d9ef0d8e14ddba29ab8e39779e616344440d8f75
  SHA256: 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
  SHA512: d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
  All four hashes match the submitted sample, so the dropped file is an unmodified copy of it.
- memory/968-56-0x0000000000000000-mapping.dmp
- memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp
  Filesize: 8KB