Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18-02-2023 07:45

Static task: static1
Behavioral task: behavioral1
Sample: d87be573a26e97c5b4b8959aab27d931.exe
Resource: win7-20220812-en
General
Target: d87be573a26e97c5b4b8959aab27d931.exe
Size: 167KB
MD5: d87be573a26e97c5b4b8959aab27d931
SHA1: 0953751d891c051e74bbbb974edc89a29fa88e7e
SHA256: a809d7c791aa2a091554cae7ec1ef8321a2a818c134ec81fb2b53ca2cff7aa34
SHA512: 1fa16cbc837b18dce29113ba13301ba48352120e3e16ce660d52bc3bb9fb79c204772e1b31eccd4d684f33aaee22a9a5d68df8682838660bb5a88030b09ac307
SSDEEP: 3072:O0O9ibCRpHnL972hGbVl2nES48tezHem:XwlRpHLl2vESMim
Malware Config
Extracted: systembc
- advert127ds.xyz:4044
- adxspace147.xyz:4044
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 1800  ftcw.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 6  api.ipify.org
  flow 7  ip4.seeip.org
  flow 8  ip4.seeip.org
  flow 5  api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  File created: C:\Windows\Tasks\ftcw.job  (d87be573a26e97c5b4b8959aab27d931.exe)
  File opened for modification: C:\Windows\Tasks\ftcw.job  (d87be573a26e97c5b4b8959aab27d931.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid 604  d87be573a26e97c5b4b8959aab27d931.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 280 (taskeng.exe) wrote to memory of PID 1800 (ftcw.exe)
  PID 280 (taskeng.exe) wrote to memory of PID 1800 (ftcw.exe)
  PID 280 (taskeng.exe) wrote to memory of PID 1800 (ftcw.exe)
  PID 280 (taskeng.exe) wrote to memory of PID 1800 (ftcw.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\d87be573a26e97c5b4b8959aab27d931.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d87be573a26e97c5b4b8959aab27d931.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {9685EBEC-032D-470F-926A-56C7AA1F31AB} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\uhwiwt\ftcw.exe
    command line: C:\ProgramData\uhwiwt\ftcw.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\uhwiwt\ftcw.exe
  Filesize: 167KB
  MD5: d87be573a26e97c5b4b8959aab27d931
  SHA1: 0953751d891c051e74bbbb974edc89a29fa88e7e
  SHA256: a809d7c791aa2a091554cae7ec1ef8321a2a818c134ec81fb2b53ca2cff7aa34
  SHA512: 1fa16cbc837b18dce29113ba13301ba48352120e3e16ce660d52bc3bb9fb79c204772e1b31eccd4d684f33aaee22a9a5d68df8682838660bb5a88030b09ac307
- memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp  Filesize: 8KB
- memory/604-55-0x00000000002CA000-0x00000000002D0000-memory.dmp  Filesize: 24KB
- memory/604-56-0x0000000000020000-0x0000000000029000-memory.dmp  Filesize: 36KB
- memory/604-57-0x0000000000400000-0x0000000000C6F000-memory.dmp  Filesize: 8.4MB
- memory/604-61-0x00000000002CA000-0x00000000002D0000-memory.dmp  Filesize: 24KB
- memory/604-62-0x0000000000020000-0x0000000000029000-memory.dmp  Filesize: 36KB
- memory/1800-59-0x0000000000000000-mapping.dmp
- memory/1800-64-0x0000000000D89000-0x0000000000D90000-memory.dmp  Filesize: 28KB
- memory/1800-65-0x0000000000400000-0x0000000000C6F000-memory.dmp  Filesize: 8.4MB
- memory/1800-66-0x0000000000D89000-0x0000000000D90000-memory.dmp  Filesize: 28KB