Analysis
Max time kernel: 148s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 08-02-2023 19:06
Static task: static1
Behavioral task: behavioral1
Sample: 40753d4f4ba5863be3aaaa38cd50995a.exe
Resource: win7-20221111-en
General
Target: 40753d4f4ba5863be3aaaa38cd50995a.exe
Size: 114KB
MD5: 40753d4f4ba5863be3aaaa38cd50995a
SHA1: cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256: 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512: 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad
SSDEEP: 1536:hGFLBB4S2zN22dyPPVHbPa3bjCY0X+9hGUhW5jSVM3JdT4AFuxbUS:hGFLBb2o+3CXXE1W520JdMAFuxbU
Malware Config
Extracted family: systembc
C2: winstationsocks.com:4124
C2: winstationsocks.xyz:4124
Signatures
- Executes dropped EXE (1 IoC)
  Process: gqrmwp.exe (PID 2356)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 25 api.ipify.org, 26 api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\gqrmwp.job (by 40753d4f4ba5863be3aaaa38cd50995a.exe)
  File opened for modification: C:\Windows\Tasks\gqrmwp.job (by 40753d4f4ba5863be3aaaa38cd50995a.exe)
- Program crash (1 IoC)
  WerFault.exe (PID 3448) handled a crash of 40753d4f4ba5863be3aaaa38cd50995a.exe (PID 2148)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 40753d4f4ba5863be3aaaa38cd50995a.exe (PID 2148), two occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 484
    Signatures: Program crash
- C:\ProgramData\vxvsqoo\gqrmwp.exe
  Command line: C:\ProgramData\vxvsqoo\gqrmwp.exe start
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2148 -ip 2148
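The indicators in this report (sample hashes, the SystemBC C2 hosts and port from the extracted config, the dropped copy under C:\ProgramData, the .job file written to C:\Windows\Tasks, and the api.ipify.org lookup) folded into a small host sweep. This is an added example, not part of the sandbox report or of any vendor tooling; the event records it scans are constructed, Sysmon-style test data with made-up host names ws01 and ws02, and the field names (event, image, target, query, dest_host, dest_port, sha256) are assumptions about the log shape, not a documented schema. The ipify lookup is treated as a weak indicator because legitimate software queries it too, so a host is only flagged when something stronger also matches.

```python
"""IOC sweep built from the SystemBC sandbox report.

Added example, not part of the report. Indicators are copied from the
report; the event records are constructed test data for this example.
"""

# Indicators from the report. Paths are compared case-insensitively.
SHA256 = "23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02"
MD5 = "40753d4f4ba5863be3aaaa38cd50995a"
C2_HOSTS = {"winstationsocks.com", "winstationsocks.xyz"}
C2_PORT = 4124
DROPPED_PATHS = {
    r"c:\programdata\vxvsqoo\gqrmwp.exe",  # self-copy (same hashes as the sample)
    r"c:\windows\tasks\gqrmwp.job",        # scheduled-task job file written by the sample
}
# Seen in the report, but legitimate software also queries it: weak on its own.
IP_LOOKUP_HOSTS = {"api.ipify.org"}

# Constructed sample events (not from the report). ws01 mimics the sandbox
# run; ws02 is a clean host whose browser happens to call api.ipify.org.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "host": "ws01",
     "image": r"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe",
     "target": r"C:\Windows\Tasks\gqrmwp.job"},
    {"event": "ProcessCreate", "host": "ws01",
     "image": r"C:\ProgramData\vxvsqoo\gqrmwp.exe",
     "cmdline": r"C:\ProgramData\vxvsqoo\gqrmwp.exe start", "sha256": SHA256},
    {"event": "DnsQuery", "host": "ws01",
     "image": r"C:\ProgramData\vxvsqoo\gqrmwp.exe", "query": "api.ipify.org"},
    {"event": "NetworkConnect", "host": "ws01",
     "image": r"C:\ProgramData\vxvsqoo\gqrmwp.exe",
     "dest_host": "winstationsocks.xyz", "dest_port": 4124},
    {"event": "ProcessCreate", "host": "ws02",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "sha256": "00" * 32},
    {"event": "DnsQuery", "host": "ws02",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "api.ipify.org"},
]


def match_event(ev):
    """Return the indicator tags a single event matches (possibly none)."""
    hits = []
    if ev.get("sha256", "").lower() == SHA256 or ev.get("md5", "").lower() == MD5:
        hits.append("hash:systembc_sample")
    for key in ("image", "target"):
        path = ev.get(key, "").lower()
        if path in DROPPED_PATHS:
            name = path.rsplit("\\", 1)[-1]
            hits.append(f"path:{key}:{name}")
    query = ev.get("query", "").lower()
    if ev.get("event") == "DnsQuery" and query in C2_HOSTS:
        hits.append("c2:dns")
    if (ev.get("event") == "NetworkConnect"
            and ev.get("dest_host", "").lower() in C2_HOSTS
            and ev.get("dest_port") == C2_PORT):
        hits.append("c2:connect")
    if query in IP_LOOKUP_HOSTS:
        hits.append("weak:external_ip_lookup")
    return hits


def sweep(events):
    """Map host -> sorted indicator tags, keeping only hosts with at least
    one strong hit. A host whose only hit is the ipify lookup is dropped."""
    per_host = {}
    for ev in events:
        for tag in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()
            if any(not t.startswith("weak:") for t in tags)}


if __name__ == "__main__":
    for host, tags in sweep(SAMPLE_EVENTS).items():
        print(host, tags)
```

Running it flags ws01 on the hash, both dropped paths and the C2 connection, and leaves ws02 alone even though it resolved api.ipify.org. Because the dropped gqrmwp.exe has exactly the sample's hashes, the hash rule already covers the persisted copy; the path rule is there for the case where only file-system telemetry is available.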
Downloads
- C:\ProgramData\vxvsqoo\gqrmwp.exe
  Filesize: 114KB
  MD5: 40753d4f4ba5863be3aaaa38cd50995a
  SHA1: cb58f6a57ecd27e7380e0f38dedb621d7d161e19
  SHA256: 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
  SHA512: 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad
  (Same size and hashes as the submitted sample: the dropped file is a straight copy of it.)
Memory dumps
- memory/2148-133: 0x0000000000030000-0x0000000000039000 (36KB)
- memory/2148-132: 0x00000000008E2000-0x00000000008E8000 (24KB)
- memory/2148-134: 0x0000000000400000-0x0000000000854000 (4.3MB)
- memory/2148-135: 0x00000000008E2000-0x00000000008E8000 (24KB)
- memory/2148-141: 0x00000000008E2000-0x00000000008E8000 (24KB)
- memory/2356-138: 0x00000000009BD000-0x00000000009C4000 (28KB)
- memory/2356-139: 0x0000000000400000-0x0000000000854000 (4.3MB)
- memory/2356-140: 0x00000000009BD000-0x00000000009C4000 (28KB)