Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-01-2023 14:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
- Resource: win7-20221111-en
General
- Target: fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
- Size: 156KB
- MD5: e62582236c24973720e092adec05f8c5
- SHA1: dc865394a456b89282bf248eeff3509ec0116911
- SHA256: fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23
- SHA512: 702960c841eec4c16d4b686c1cafe42d1568e3cde1aebca4c2feaef275dc9efd5dea8e6260d4a18f92d63640bd530ccb071de42a6511a7719fbbe7ee2b9bda2a
- SSDEEP: 3072:SXiOd5A7ENBKYEm9/1fUQcl7XcOOILUJC2PsrZLILNNOmr:SXiEA7EfKYE6RU1AnvspsP
Malware Config
- Extracted family: systembc
- C2: advertrex20.xyz:4044
- C2: gentexman37.xyz:4044
Both hosts use port 4044, the port SystemBC is normally configured to call back on; block or alert on the host:port pairs rather than the port alone.
Signatures
- Executes dropped EXE (1 IoC)
  Process: pid 4416, shumf.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 25 api.ipify.org; flow 26 api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Process: fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
  File created: C:\Windows\Tasks\shumf.job
  File opened for modification: C:\Windows\Tasks\shumf.job
  A .job file under C:\Windows\Tasks is a Task Scheduler 1.0 job definition; collect it as the persistence artifact, since it records the binary and arguments the scheduler will run.
- Program crash (1 IoC)
  Process: pid 1144 WerFault.exe, target pid 2232 fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: pid 2232 fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe (two observations)
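The shumf.job artifact above is a Task Scheduler 1.0 job file. The parser below is an added example, not code from the report or from SystemBC: it walks the MS-TSCH layout (68-byte FIXDLEN_DATA, then the Unicode strings, user/reserved data and trigger records) and returns the application path, arguments, flags and triggers an analyst would pull from the file. The sample job bytes are constructed with build_job(); the trigger, author, flags and UUID in that sample are assumptions, because the report only records that the file was created and modified.

```python
r"""Parse a Task Scheduler 1.0 .job file (the format of C:\Windows\Tasks\shumf.job).

Added example, not code from the report or from SystemBC. Layout per MS-TSCH 2.4
(FIXDLEN_DATA, then the variable-length section). build_job() constructs the
sample bytes so the parser runs offline; the trigger, author, flags and UUID in
that sample are assumptions, since the report only records that the file exists.
"""
import struct
import uuid

FIXED = struct.Struct("<HH16sHHHHHHIIIII16s")  # 68-byte FIXDLEN_DATA (MS-TSCH 2.4.1)
TRIGGER = struct.Struct("<10H4I6H")             # 48-byte trigger record (MS-TSCH 2.4.2.11)
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
TASK_FLAG_DISABLED = 0x4    # TASK_FLAG_* values as defined in mstask.h
TASK_FLAG_HIDDEN = 0x200
JOB_UUID = uuid.UUID("3c1e5a7e-9b2d-4f60-8a41-6d2e9b0c7f11")  # constructed, not from the sample

def _ustr(buf, off):
    """Read a .job Unicode String: UINT16 code-unit count (including the NUL), then UTF-16LE."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    text = bytes(buf[off:off + 2 * n]).decode("utf-16-le").rstrip("\x00")
    return text, off + 2 * n

def _put_ustr(s):
    if not s:
        return struct.pack("<H", 0)
    data = (s + "\x00").encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data

def parse_job(buf):
    """Return the fields an analyst needs from a .job file, validating both offsets."""
    if len(buf) < FIXED.size + 2:
        raise ValueError("too short for a .job file")
    f = FIXED.unpack_from(buf, 0)
    app_off, trig_off, flags = f[3], f[4], f[13]
    (instances,) = struct.unpack_from("<H", buf, FIXED.size)  # Running Instance Count
    off = app_off
    app, off = _ustr(buf, off)
    params, off = _ustr(buf, off)
    workdir, off = _ustr(buf, off)
    author, off = _ustr(buf, off)
    comment, off = _ustr(buf, off)
    for _ in ("user data", "reserved data"):   # each: UINT16 size + opaque bytes
        (n,) = struct.unpack_from("<H", buf, off)
        off += 2 + n
    if off != trig_off:
        raise ValueError(f"trigger offset {trig_off} does not follow variable data ending at {off}")
    (ntrig,) = struct.unpack_from("<H", buf, off)
    off += 2
    triggers = []
    for _ in range(ntrig):
        t = TRIGGER.unpack_from(buf, off)
        off += TRIGGER.size
        if t[0] != TRIGGER.size:
            raise ValueError(f"bad trigger size {t[0]}")
        triggers.append({"type": TRIGGER_TYPES.get(t[13], f"UNKNOWN({t[13]})"),
                         "begin": (t[2], t[3], t[4]), "start": (t[8], t[9]), "interval_min": t[11]})
    return {"uuid": str(uuid.UUID(bytes_le=f[2])), "app": app, "params": params,
            "workdir": workdir, "author": author, "comment": comment, "flags": flags,
            "hidden": bool(flags & TASK_FLAG_HIDDEN), "disabled": bool(flags & TASK_FLAG_DISABLED),
            "running_instances": instances, "triggers": triggers}

def triage(job):
    """Reasons a parsed job deserves a look; an empty list means nothing stood out."""
    reasons = []
    if not job["app"].lower().startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("application outside Windows/Program Files: " + job["app"])
    if job["hidden"]:
        reasons.append("TASK_FLAG_HIDDEN set")
    if job["params"]:
        reasons.append("parameters: " + job["params"])
    return reasons

def build_job(app, params="", workdir="", author="", comment="", flags=0,
              trigger_type=0, begin=(2023, 1, 27), start=(14, 29), interval_min=0):
    """Serialise a minimal .job file (inverse of parse_job) to produce offline test input."""
    var = struct.pack("<H", 0)                       # Running Instance Count
    var += b"".join(_put_ustr(s) for s in (app, params, workdir, author, comment))
    var += struct.pack("<H", 0)                      # User Data: empty
    var += struct.pack("<H", 8) + bytes(8)           # Reserved Data: 8 zero bytes
    app_off, trig_off = FIXED.size + 2, FIXED.size + len(var)
    trig = TRIGGER.pack(TRIGGER.size, 0, begin[0], begin[1], begin[2], 0, 0, 0, start[0], start[1],
                        0, interval_min, 0, trigger_type, 0, 0, 0, 0, 0, 0)
    var += struct.pack("<H", 1) + trig
    fixed = FIXED.pack(0x0600, 1, JOB_UUID.bytes_le, app_off, trig_off, 0, 0, 0, 0,
                       0x20, 72 * 60 * 60 * 1000, 0, 0, flags, bytes(16))
    return fixed + var

# Constructed stand-in for shumf.job: path and "start" argument come from the report's
# process tree, everything else is assumed.
SAMPLE_JOB = build_job(r"C:\ProgramData\vnicwql\shumf.exe", "start", r"C:\ProgramData\vnicwql",
                       author="Admin", flags=TASK_FLAG_HIDDEN)

if __name__ == "__main__":
    print(parse_job(SAMPLE_JOB), triage(parse_job(SAMPLE_JOB)))
```

On a live host, pass the bytes of C:\Windows\Tasks\shumf.job to parse_job(); the two offset checks reject files whose variable section has been truncated or padded, which is how a partially overwritten job file shows up in practice.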
Processes
- C:\Users\Admin\AppData\Local\Temp\fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe (pid 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (child of the sample)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 484
    - Program crash
- C:\ProgramData\vnicwql\shumf.exe (pid 4416)
  Command line: C:\ProgramData\vnicwql\shumf.exe start
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2232 -ip 2232
The crash is handled by the SysWOW64 copy of WerFault.exe, so the sample runs as a 32-bit process on this x64 guest (consistent with the arch:x86 resource tag). The report does not record the parent of shumf.exe; the tree shows only that it ran as a separate top-level process with the argument "start".
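The signatures and process tree above describe a chain a detection engineer can hunt for: a dropper that writes a .job into C:\Windows\Tasks and a copy of itself under C:\ProgramData, a copy that runs with the argument "start", an external-IP lookup against api.ipify.org, and contact with the configured hosts on port 4044. The script below is an added example, not part of the report or of the malware: it runs those rules over constructed Sysmon-style events that mirror the report, then correlates per-pid hits into the dropper and payload roles. The parent of shumf.exe and the exact event fields are assumptions.

```python
"""Hunt for the SystemBC behaviour chain recorded in this report over Sysmon-style events.

Added example, not part of the Triage report or of the malware. The events are
constructed to mirror the report's process tree and signatures; field names follow
Sysmon EventID 1 (ProcessCreate), 3 (NetworkConnect), 11 (FileCreate) and
22 (DnsQuery). The parent of shumf.exe is an assumption: the report does not record it.
"""
import re
from collections import defaultdict

# Values taken from the report: extracted SystemBC config and the IP-lookup host.
C2_HOSTS = {"advertrex20.xyz", "gentexman37.xyz"}
C2_PORT = 4044
IP_LOOKUP_HOSTS = {"api.ipify.org"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe"
PAYLOAD = r"C:\ProgramData\vnicwql\shumf.exe"

# Task Scheduler 1.0 job files live under C:\Windows\Tasks; the SystemBC copy sits in
# a random directory directly under C:\ProgramData.
JOB_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)

# Constructed events (not real logs); two benign notepad events are included as noise.
EVENTS = [
    {"EventID": 1, "ProcessId": 2232, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2232, "Image": SAMPLE, "TargetFilename": r"C:\Windows\Tasks\shumf.job"},
    {"EventID": 11, "ProcessId": 2232, "Image": SAMPLE, "TargetFilename": PAYLOAD},
    {"EventID": 1, "ProcessId": 4416, "Image": PAYLOAD, "CommandLine": f"{PAYLOAD} start",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},  # assumed: started by the scheduled job
    {"EventID": 22, "ProcessId": 4416, "Image": PAYLOAD, "QueryName": "api.ipify.org"},
    {"EventID": 3, "ProcessId": 4416, "Image": PAYLOAD,
     "DestinationHostname": "advertrex20.xyz", "DestinationPort": 4044},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "ProcessId": 5120, "Image": r"C:\Windows\System32\notepad.exe",
     "QueryName": "www.example.com"},
]

def hunt(events):
    """Return {pid: sorted rule names} for every pid that tripped at least one rule."""
    hits = defaultdict(set)
    for ev in events:
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 11:
            target = ev["TargetFilename"]
            if JOB_RE.match(target):
                hits[pid].add("job_file_in_windows_tasks")
            if PROGRAMDATA_EXE_RE.match(target):
                hits[pid].add("exe_dropped_in_programdata")
        elif eid == 1:
            argv = ev["CommandLine"].split()
            if PROGRAMDATA_EXE_RE.match(ev["Image"]) and argv and argv[-1].lower() == "start":
                hits[pid].add("programdata_exe_run_with_start")
        elif eid == 22:
            if ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
                hits[pid].add("external_ip_lookup")
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            if host in C2_HOSTS or ev.get("DestinationPort") == C2_PORT:
                hits[pid].add("systembc_c2_contact")
    return {pid: sorted(rules) for pid, rules in hits.items()}

DROPPER_RULES = {"job_file_in_windows_tasks", "exe_dropped_in_programdata"}
PAYLOAD_RULES = {"programdata_exe_run_with_start", "systembc_c2_contact"}

def systembc_verdict(events):
    """Correlate per-pid hits into the two roles seen in the report: the dropper that writes
    both the .job and the ProgramData copy, and the copy that runs with 'start' and reaches
    the C2 hosts. Port 4044 alone is a weak signal, so it is never reported on its own."""
    hits = hunt(events)
    droppers = sorted(pid for pid, r in hits.items() if DROPPER_RULES <= set(r))
    payloads = sorted(pid for pid, r in hits.items() if PAYLOAD_RULES <= set(r))
    return {"dropper_pids": droppers, "payload_pids": payloads}

if __name__ == "__main__":
    for pid, rules in hunt(EVENTS).items():
        print(pid, rules)
    print(systembc_verdict(EVENTS))
```

To use this against real telemetry, feed hunt() the Sysmon events for one host as dicts with the same field names; the correlation step is what keeps a lone api.ipify.org lookup or a lone port-4044 connection from paging anyone.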
Downloads
- C:\ProgramData\vnicwql\shumf.exe (listed twice in the report with identical values)
  Filesize: 156KB
  MD5: e62582236c24973720e092adec05f8c5
  SHA1: dc865394a456b89282bf248eeff3509ec0116911
  SHA256: fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23
  SHA512: 702960c841eec4c16d4b686c1cafe42d1568e3cde1aebca4c2feaef275dc9efd5dea8e6260d4a18f92d63640bd530ccb071de42a6511a7719fbbe7ee2b9bda2a
  These hashes match the submitted sample exactly: shumf.exe is a byte-for-byte copy of the original placed under C:\ProgramData\vnicwql, not a downloaded second stage, so one hash-based rule covers both files.
- memory/2232-132-0x0000000000928000-0x000000000092F000-memory.dmp: 28KB
- memory/2232-133-0x00000000024C0000-0x00000000024C9000-memory.dmp: 36KB
- memory/2232-134-0x0000000000400000-0x00000000008C6000-memory.dmp: 4.8MB
- memory/2232-139-0x0000000000928000-0x000000000092F000-memory.dmp: 28KB
- memory/2232-140-0x0000000000400000-0x00000000008C6000-memory.dmp: 4.8MB
- memory/4416-137-0x0000000000A82000-0x0000000000A89000-memory.dmp: 28KB
- memory/4416-138-0x0000000000400000-0x00000000008C6000-memory.dmp: 4.8MB
Both pids expose the same 0x400000-0x8C6000 image range (4.8MB mapped from a 156KB file), which is expected given that shumf.exe is the same binary; the 0x400000 dumps are the ones to carve for the unpacked code and config.