Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
08/02/2023, 19:06
Static task
static1
Behavioral task
behavioral1
Sample
40753d4f4ba5863be3aaaa38cd50995a.exe
Resource
win7-20221111-en
General
-
Target
40753d4f4ba5863be3aaaa38cd50995a.exe
-
Size
114KB
-
MD5
40753d4f4ba5863be3aaaa38cd50995a
-
SHA1
cb58f6a57ecd27e7380e0f38dedb621d7d161e19
-
SHA256
23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
-
SHA512
7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad
-
SSDEEP
1536:hGFLBB4S2zN22dyPPVHbPa3bjCY0X+9hGUhW5jSVM3JdT4AFuxbUS:hGFLBb2o+3CXXE1W520JdMAFuxbU
Malware Config
Extracted
systembc
winstationsocks.com:4124
winstationsocks.xyz:4124
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1492 nnigtj.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org 5 ip4.seeip.org 6 ip4.seeip.org -
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\nnigtj.job 40753d4f4ba5863be3aaaa38cd50995a.exe File opened for modification C:\Windows\Tasks\nnigtj.job 40753d4f4ba5863be3aaaa38cd50995a.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2040 40753d4f4ba5863be3aaaa38cd50995a.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1056 wrote to memory of 1492 1056 taskeng.exe 28 PID 1056 wrote to memory of 1492 1056 taskeng.exe 28 PID 1056 wrote to memory of 1492 1056 taskeng.exe 28 PID 1056 wrote to memory of 1492 1056 taskeng.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2040
-
C:\Windows\system32\taskeng.exetaskeng.exe {979C1381-9E32-4842-BF1D-152D40824640} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\ProgramData\xwfbubo\nnigtj.exeC:\ProgramData\xwfbubo\nnigtj.exe start2⤵
- Executes dropped EXE
PID:1492
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD540753d4f4ba5863be3aaaa38cd50995a
SHA1cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA25623f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA5127a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad
-
Filesize
114KB
MD540753d4f4ba5863be3aaaa38cd50995a
SHA1cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA25623f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA5127a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad