Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 02-04-2023 07:48
Static task: static1
Behavioral task: behavioral1
Sample: cc4f80bbbd81cf14599c74e9f8e970ac.exe
Resource: win7-20230220-en
General
Target: cc4f80bbbd81cf14599c74e9f8e970ac.exe
Size: 150KB
MD5: cc4f80bbbd81cf14599c74e9f8e970ac
SHA1: c73b8e764bd16cc885143dee674a18ac98a1199c
SHA256: 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
SHA512: 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a
SSDEEP: 3072:v/0zSzwIPgTY2nTnIKAlrym0jzGtnOfLn6bdVsPH6:HJXPPAIKPmIgOzn6bkf6
Malware Config
Extracted family: systembc
Extracted values:
- 89.203.249.203:4035
- gamelom20.com:4035
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 1728 egwokjj.exe
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 5 api.ipify.org; 6 api.ipify.org; 7 ip4.seeip.org; 8 ip4.seeip.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\egwokjj.job (by cc4f80bbbd81cf14599c74e9f8e970ac.exe)
  File opened for modification: C:\Windows\Tasks\egwokjj.job (by cc4f80bbbd81cf14599c74e9f8e970ac.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: PID 1676 cc4f80bbbd81cf14599c74e9f8e970ac.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1196 taskeng.exe wrote to memory of PID 1728 egwokjj.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {DEE23502-ADA1-4D62-8FAC-EE2E0806EDB9} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\raawsd\egwokjj.exe (depth 2, child of taskeng.exe)
    Command line: C:\ProgramData\raawsd\egwokjj.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\raawsd\egwokjj.exe
  Filesize: 150KB
  MD5: cc4f80bbbd81cf14599c74e9f8e970ac
  SHA1: c73b8e764bd16cc885143dee674a18ac98a1199c
  SHA256: 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
  SHA512: 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a
- memory/1676-55-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB
- memory/1676-56-0x0000000000400000-0x0000000003314000-memory.dmp
  Filesize: 47.1MB
- memory/1728-70-0x0000000000400000-0x0000000003314000-memory.dmp
  Filesize: 47.1MB