Analysis

- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2023 07:48
Static task: static1
Behavioral task: behavioral1
Sample: cc4f80bbbd81cf14599c74e9f8e970ac.exe
Resource: win7-20230220-en
General

- Target: cc4f80bbbd81cf14599c74e9f8e970ac.exe
- Size: 150KB
- MD5: cc4f80bbbd81cf14599c74e9f8e970ac
- SHA1: c73b8e764bd16cc885143dee674a18ac98a1199c
- SHA256: 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
- SHA512: 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a
- SSDEEP: 3072:v/0zSzwIPgTY2nTnIKAlrym0jzGtnOfLn6bdVsPH6:HJXPPAIKPmIgOzn6bkf6
Malware Config

Extracted: systembc
- 89.203.249.203:4035
- gamelom20.com:4035
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
  pid 3132  bntfgfs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
  flow 38  api.ipify.org
  flow 39  api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\bntfgfs.job (process: cc4f80bbbd81cf14599c74e9f8e970ac.exe)
  File opened for modification: C:\Windows\Tasks\bntfgfs.job (process: cc4f80bbbd81cf14599c74e9f8e970ac.exe)
- Program crash (1 IoC)
  pid 3772  WerFault.exe, target pid 4236  cc4f80bbbd81cf14599c74e9f8e970ac.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4236  cc4f80bbbd81cf14599c74e9f8e970ac.exe (2 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 944
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4236 -ip 4236
- C:\ProgramData\cpij\bntfgfs.exe
  command line: C:\ProgramData\cpij\bntfgfs.exe start
  - Executes dropped EXE
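The signatures and process tree above reduce to a handful of host and network indicators: a `.job` file written to `C:\Windows\Tasks`, a copy of the sample started from `C:\ProgramData`, a DNS lookup of `api.ipify.org`, and connections to the two endpoints in the extracted SystemBC configuration. The script below is an added example (it is not part of the sandbox report or of any sandbox tooling) that runs those checks as detection rules over constructed telemetry. The event format (`type key="value" ...`), the sample event lines, the rule names and the function names are all assumptions made for illustration; the `.job` rule is deliberately broader than this sample and fires on any `.job` dropped into the tasks directory by an image outside `C:\Windows`.

```python
import re

# Indicators taken from the report above.
SAMPLE_SHA256 = "1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3"
C2_ENDPOINTS = {("89.203.249.203", 4035), ("gamelom20.com", 4035)}
IP_LOOKUP_HOSTS = {"api.ipify.org"}
DROPPED_EXE = r"c:\programdata\cpij\bntfgfs.exe"
TASKS_DIR = "c:\\windows\\tasks\\"   # legacy scheduled-task .job directory

# Constructed telemetry (not real sensor output). The first seven lines mirror
# the report; the last two are benign noise the rules must ignore.
SAMPLE_EVENTS = [
    r'process_create pid="4236" image="C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe" sha256="1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3"',
    r'file_create pid="4236" image="C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe" path="C:\Windows\Tasks\bntfgfs.job"',
    r'file_create pid="4236" image="C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe" path="C:\ProgramData\cpij\bntfgfs.exe"',
    r'process_create pid="3132" image="C:\ProgramData\cpij\bntfgfs.exe" sha256="1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3"',
    r'dns_query pid="3132" image="C:\ProgramData\cpij\bntfgfs.exe" query="api.ipify.org"',
    r'net_connect pid="3132" image="C:\ProgramData\cpij\bntfgfs.exe" dst="89.203.249.203" port="4035"',
    r'net_connect pid="3132" image="C:\ProgramData\cpij\bntfgfs.exe" dst="gamelom20.com" port="4035"',
    r'file_create pid="1200" image="C:\Windows\System32\svchost.exe" path="C:\Windows\Tasks\SA.DAT"',
    r'dns_query pid="900" image="C:\Program Files\Mozilla Firefox\firefox.exe" query="www.mozilla.org"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split 'type key="value" ...' into a dict; the event type goes under 'type'."""
    event_type, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["type"] = event_type
    return fields


def match_event(ev):
    """Return the names of every rule this single event triggers (hypothetical rule names)."""
    hits = []
    image = ev.get("image", "").lower()
    if ev["type"] == "file_create":
        path = ev.get("path", "").lower()
        # Legacy .job persistence written by something that is not a Windows binary.
        if path.startswith(TASKS_DIR) and path.endswith(".job") and not image.startswith("c:\\windows\\"):
            hits.append("job_file_dropped_in_windows_tasks")
        if path == DROPPED_EXE:
            hits.append("payload_dropped_to_programdata")
    elif ev["type"] == "process_create":
        # The dropped copy has the same SHA256 as the submitted sample.
        if ev.get("sha256", "").lower() == SAMPLE_SHA256 and image.startswith("c:\\programdata\\"):
            hits.append("dropped_copy_of_sample_executed")
    elif ev["type"] == "dns_query":
        if ev.get("query", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif ev["type"] == "net_connect":
        dst = (ev.get("dst", "").lower(), int(ev.get("port", "0")))
        if dst in C2_ENDPOINTS:
            hits.append("systembc_c2_endpoint")
    return hits


def scan(lines):
    """Run every rule over every line; yields (rule, pid, image) triples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_event(ev):
            findings.append((rule, ev.get("pid"), ev.get("image")))
    return findings


def suspicious_pids(lines):
    """Group rule hits by pid so an analyst sees one row per process."""
    by_pid = {}
    for rule, pid, _image in scan(lines):
        by_pid.setdefault(pid, set()).add(rule)
    return by_pid


if __name__ == "__main__":
    for pid, rules in sorted(suspicious_pids(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(sorted(rules)))
```

Run against the constructed events, only pids 4236 (the submitted sample) and 3132 (the dropped copy) are flagged; the `svchost.exe` write to `SA.DAT` and the browser DNS query fall through every rule. The C2 rule keys on the exact host:port pairs from the config, so a port change would need an updated indicator set; the `.job` and ProgramData rules do not depend on the file names in this sample.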
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\cpij\bntfgfs.exe
  Filesize: 150KB
  MD5: cc4f80bbbd81cf14599c74e9f8e970ac
  SHA1: c73b8e764bd16cc885143dee674a18ac98a1199c
  SHA256: 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
  SHA512: 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a
  All hashes match the submitted sample: the dropped file is a byte-identical copy of it.
- memory/3132-149-0x0000000000400000-0x0000000003314000-memory.dmp
  Filesize: 47.1MB
- memory/4236-134-0x0000000000030000-0x0000000000039000-memory.dmp
  Filesize: 36KB
- memory/4236-135-0x0000000000400000-0x0000000003314000-memory.dmp
  Filesize: 47.1MB