Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/02/2023, 19:06

Static task: static1
Behavioral task: behavioral1
Sample: 40753d4f4ba5863be3aaaa38cd50995a.exe
Resource: win7-20221111-en
General

Target: 40753d4f4ba5863be3aaaa38cd50995a.exe
Size: 114KB
MD5: 40753d4f4ba5863be3aaaa38cd50995a
SHA1: cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256: 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512: 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad
SSDEEP: 1536:hGFLBB4S2zN22dyPPVHbPa3bjCY0X+9hGUhW5jSVM3JdT4AFuxbUS:hGFLBb2o+3CXXE1W520JdMAFuxbU
Malware Config
Extracted
systembc
winstationsocks.com:4124
winstationsocks.xyz:4124
Signatures

Executes dropped EXE (1 IoCs)
pid | Process
2356 | gqrmwp.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | api.ipify.org
26 | api.ipify.org

Uses Tor communications (1 TTPs)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\gqrmwp.job | 40753d4f4ba5863be3aaaa38cd50995a.exe
File opened for modification | C:\Windows\Tasks\gqrmwp.job | 40753d4f4ba5863be3aaaa38cd50995a.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3448 | 2148 | WerFault.exe | 21

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2148 | 40753d4f4ba5863be3aaaa38cd50995a.exe
2148 | 40753d4f4ba5863be3aaaa38cd50995a.exe
Processes

C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"
  PID: 2148
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe (child of PID 2148)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 484
      PID: 3448
      - Program crash

C:\ProgramData\vxvsqoo\gqrmwp.exe
  command line: C:\ProgramData\vxvsqoo\gqrmwp.exe start
  PID: 2356
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2148 -ip 2148
  PID: 2204
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 114KB
MD5: 40753d4f4ba5863be3aaaa38cd50995a
SHA1: cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256: 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512: 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

Filesize: 114KB
MD5: 40753d4f4ba5863be3aaaa38cd50995a
SHA1: cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256: 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512: 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad