Analysis Overview
SHA256
23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
Threat Level: Known bad
The file 40753d4f4ba5863be3aaaa38cd50995a.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Executes dropped EXE
Looks up external IP address via web service
Uses Tor communications
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-08 19:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-08 19:06
Reported
2023-02-08 19:08
Platform
win7-20221111-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\xwfbubo\nnigtj.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
Uses Tor communications
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\nnigtj.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A |
| File opened for modification | C:\Windows\Tasks\nnigtj.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1056 wrote to memory of 1492 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\xwfbubo\nnigtj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe
"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {979C1381-9E32-4842-BF1D-152D40824640} S-1-5-18:NT AUTHORITY\System:Service:
C:\ProgramData\xwfbubo\nnigtj.exe
C:\ProgramData\xwfbubo\nnigtj.exe start
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | winstationsocks.com | udp |
| US | 8.8.8.8:53 | winstationsocks.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
Files
C:\ProgramData\xwfbubo\nnigtj.exe
| MD5 | 40753d4f4ba5863be3aaaa38cd50995a |
| SHA1 | cb58f6a57ecd27e7380e0f38dedb621d7d161e19 |
| SHA256 | 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02 |
| SHA512 | 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-08 19:06
Reported
2023-02-08 19:08
Platform
win10v2004-20220901-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vxvsqoo\gqrmwp.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\gqrmwp.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A |
| File opened for modification | C:\Windows\Tasks\gqrmwp.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe
"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"
C:\ProgramData\vxvsqoo\gqrmwp.exe
C:\ProgramData\vxvsqoo\gqrmwp.exe start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2148 -ip 2148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 484
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 20.42.73.25:443 | | tcp |
| US | 8.8.8.8:53 | winstationsocks.com | udp |
| US | 8.8.8.8:53 | winstationsocks.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:443 | api.ipify.org | tcp |
| US | 204.13.164.118:80 | 204.13.164.118 | tcp |
Files
C:\ProgramData\vxvsqoo\gqrmwp.exe
| MD5 | 40753d4f4ba5863be3aaaa38cd50995a |
| SHA1 | cb58f6a57ecd27e7380e0f38dedb621d7d161e19 |
| SHA256 | 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02 |
| SHA512 | 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad |