Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 08:54
Static task: static1
Behavioral task: behavioral1
Sample: 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
Resource: win7-20221111-en
General
Target: 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
Size: 106KB
MD5: 4b8b7e4c7b2aed6c3c67b3d5678f6440
SHA1: 33097d2c883f7e8248c70876cfd6c77b36a1622a
SHA256: dc23e92b35cd9ceb3e8adc91a4492facfd66d65f72967ba69c57f17470f9b66f
SHA512: 51d09f79f1d3fbff711bcb99df119f625bbe2d28be99de2555dc374074b64218be8b536da96047b60449a0a7f67932e27894fa1b3ce0fb6efeadd0234e7203e6
SSDEEP: 1536:8++5Uk52zLQTDgoYjylkKKPv9AmIBIZigwp6OGWVVpOJV1U5uHk0UgYc5:8zqk5ELAD4yuK52ZEp6OGA+bU5DJc5
Malware Config
Extracted
Family: systembc
sdadvert197.com:4044
mexstat128.com:4044
Signatures
Executes dropped EXE (1 IoC)
- Process: jhbwlr.exe (pid 1712)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 6: api.ipify.org
- flow 7: api.ipify.org
- flow 8: ip4.seeip.org
- flow 9: ip4.seeip.org
Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\Tasks\jhbwlr.job by 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
- File opened for modification: C:\Windows\Tasks\jhbwlr.job by 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
- Process: 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe (pid 1476)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1232 (taskeng.exe) wrote to memory of PID 1712 (jhbwlr.exe), reported 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b8b7e4c7b2aed6c3c67b3d5678f6440.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {DA545D45-DBF5-46E7-BED5-4CB62A623A2C} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\ajaw\jhbwlr.exe
      Command line: C:\ProgramData\ajaw\jhbwlr.exe start
      - Executes dropped EXE
Downloads
C:\ProgramData\ajaw\jhbwlr.exe (same hashes as the submitted sample, i.e. a byte-identical copy)
Filesize: 106KB
MD5: 4b8b7e4c7b2aed6c3c67b3d5678f6440
SHA1: 33097d2c883f7e8248c70876cfd6c77b36a1622a
SHA256: dc23e92b35cd9ceb3e8adc91a4492facfd66d65f72967ba69c57f17470f9b66f
SHA512: 51d09f79f1d3fbff711bcb99df119f625bbe2d28be99de2555dc374074b64218be8b536da96047b60449a0a7f67932e27894fa1b3ce0fb6efeadd0234e7203e6
Memory dumps
- memory/1476-54-0x0000000075D01000-0x0000000075D03000-memory.dmp (8KB)
- memory/1476-56-0x00000000001B0000-0x00000000001B9000-memory.dmp (36KB)
- memory/1476-55-0x000000000028B000-0x0000000000292000-memory.dmp (28KB)
- memory/1476-57-0x0000000000400000-0x000000000050F000-memory.dmp (1.1MB)
- memory/1476-64-0x000000000028B000-0x0000000000292000-memory.dmp (28KB)
- memory/1712-59-0x0000000000000000-mapping.dmp
- memory/1712-62-0x000000000059B000-0x00000000005A2000-memory.dmp (28KB)
- memory/1712-63-0x0000000000400000-0x000000000050F000-memory.dmp (1.1MB)
- memory/1712-65-0x000000000059B000-0x00000000005A2000-memory.dmp (28KB)