Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 08:54
Static task: static1
Behavioral task: behavioral1
Sample: 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
Resource: win7-20221111-en
General
- Target: 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
- Size: 106KB
- MD5: 4b8b7e4c7b2aed6c3c67b3d5678f6440
- SHA1: 33097d2c883f7e8248c70876cfd6c77b36a1622a
- SHA256: dc23e92b35cd9ceb3e8adc91a4492facfd66d65f72967ba69c57f17470f9b66f
- SHA512: 51d09f79f1d3fbff711bcb99df119f625bbe2d28be99de2555dc374074b64218be8b536da96047b60449a0a7f67932e27894fa1b3ce0fb6efeadd0234e7203e6
- SSDEEP: 1536:8++5Uk52zLQTDgoYjylkKKPv9AmIBIZigwp6OGWVVpOJV1U5uHk0UgYc5:8zqk5ELAD4yuK52ZEp6OGA+bU5DJc5
Malware Config
Extracted
- Family: systembc
- C2: sdadvert197.com:4044, mexstat128.com:4044
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 2344, process uemfnj.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 32, ioc api.ipify.org
  flow 33, ioc api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created: C:\Windows\Tasks\uemfnj.job, process 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
  File opened for modification: C:\Windows\Tasks\uemfnj.job, process 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
- Program crash (1 IoC)
  Processes:
  pid 3172, process WerFault.exe, pid_target 1620, target process 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid 1620, process 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
  pid 1620, process 4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b8b7e4c7b2aed6c3c67b3d5678f6440.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b8b7e4c7b2aed6c3c67b3d5678f6440.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 936
    - Program crash
- C:\ProgramData\jvji\uemfnj.exe
  Command line: C:\ProgramData\jvji\uemfnj.exe start
  - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1620 -ip 1620
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\jvji\uemfnj.exe
  Filesize: 106KB
  MD5: 4b8b7e4c7b2aed6c3c67b3d5678f6440
  SHA1: 33097d2c883f7e8248c70876cfd6c77b36a1622a
  SHA256: dc23e92b35cd9ceb3e8adc91a4492facfd66d65f72967ba69c57f17470f9b66f
  SHA512: 51d09f79f1d3fbff711bcb99df119f625bbe2d28be99de2555dc374074b64218be8b536da96047b60449a0a7f67932e27894fa1b3ce0fb6efeadd0234e7203e6
- memory/1620-133-0x0000000000590000-0x0000000000690000-memory.dmp
  Filesize: 1024KB
- memory/1620-134-0x0000000002100000-0x0000000002109000-memory.dmp
  Filesize: 36KB
- memory/1620-135-0x0000000000400000-0x000000000050F000-memory.dmp
  Filesize: 1.1MB
- memory/1620-136-0x0000000000590000-0x0000000000690000-memory.dmp
  Filesize: 1024KB
- memory/1620-137-0x0000000002100000-0x0000000002109000-memory.dmp
  Filesize: 36KB
- memory/1620-142-0x0000000000400000-0x000000000050F000-memory.dmp
  Filesize: 1.1MB
- memory/2344-140-0x0000000000633000-0x0000000000639000-memory.dmp
  Filesize: 24KB
- memory/2344-141-0x0000000000400000-0x000000000050F000-memory.dmp
  Filesize: 1.1MB