Analysis Overview
SHA256
1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
Threat Level: Known bad
The file cc4f80bbbd81cf14599c74e9f8e970ac.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Executes dropped EXE
Looks up external IP address via web service
Uses Tor communications
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-02 07:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-02 07:48
Reported
2023-04-02 07:50
Platform
win7-20230220-en
Max time kernel
150s
Max time network
152s
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\raawsd\egwokjj.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
Uses Tor communications
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\egwokjj.job | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
| File opened for modification | C:\Windows\Tasks\egwokjj.job | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 1728 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\raawsd\egwokjj.exe |
| PID 1196 wrote to memory of 1728 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\raawsd\egwokjj.exe |
| PID 1196 wrote to memory of 1728 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\raawsd\egwokjj.exe |
| PID 1196 wrote to memory of 1728 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\raawsd\egwokjj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe
"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {DEE23502-ADA1-4D62-8FAC-EE2E0806EDB9} S-1-5-18:NT AUTHORITY\System:Service:
C:\ProgramData\raawsd\egwokjj.exe
C:\ProgramData\raawsd\egwokjj.exe start
Network
| Country | Destination | Domain | Proto |
| CZ | 89.203.249.203:4035 | | tcp |
| US | 8.8.8.8:53 | gamelom20.com | udp |
| US | 34.171.171.32:4035 | gamelom20.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| RO | 5.183.170.183:9001 | | tcp |
| PT | 94.46.171.151:9001 | | tcp |
| US | 184.187.107.50:443 | | tcp |
| DE | 144.76.75.137:9030 | 144.76.75.137 | tcp |
| US | 98.111.239.210:9001 | | tcp |
| CA | 138.197.166.92:9030 | 138.197.166.92 | tcp |
| DE | 81.7.18.96:6133 | | tcp |
| CA | 208.92.194.252:995 | 208.92.194.252 | tcp |
| US | 45.79.109.55:9001 | | tcp |
| NL | 95.211.136.23:443 | | tcp |
| DE | 85.214.149.151:9092 | 85.214.149.151 | tcp |
| AU | 159.196.34.95:9001 | | tcp |
| NL | 5.255.100.112:443 | | tcp |
| DE | 91.132.145.129:443 | | tcp |
| NL | 185.167.96.248:9001 | | tcp |
| MX | 190.103.179.98:443 | | tcp |
| CY | 85.239.40.27:80 | | tcp |
| JP | 160.251.82.247:10080 | 160.251.82.247 | tcp |
| NL | 212.32.240.165:9001 | | tcp |
| DE | 84.165.104.173:9030 | 84.165.104.173 | tcp |
| US | 75.75.102.102:9001 | | tcp |
| DE | 62.72.82.232:9001 | | tcp |
| FR | 163.172.182.26:444 | | tcp |
| DE | 91.132.145.129:443 | | tcp |
| MX | 187.207.11.185:9001 | | tcp |
| US | 108.2.201.206:9001 | | tcp |
| US | 216.210.83.180:9030 | 216.210.83.180 | tcp |
| IT | 80.211.130.241:443 | | tcp |
| US | 65.49.20.11:9001 | | tcp |
| DE | 5.45.104.89:9676 | | tcp |
| NL | 51.15.113.85:9001 | | tcp |
| NL | 178.128.247.50:9001 | | tcp |
| DE | 37.114.40.104:8081 | 37.114.40.104 | tcp |
| SE | 193.11.164.243:9001 | | tcp |
| DE | 167.71.33.11:9030 | 167.71.33.11 | tcp |
| US | 69.197.160.206:8272 | | tcp |
| SG | 172.104.170.82:9030 | 172.104.170.82 | tcp |
| MD | 91.208.197.31:443 | | tcp |
| GR | 185.4.132.148:443 | | tcp |
| DE | 202.61.225.95:9001 | | tcp |
| SG | 194.233.85.109:443 | | tcp |
Files
memory/1676-55-0x0000000000020000-0x0000000000029000-memory.dmp
memory/1676-56-0x0000000000400000-0x0000000003314000-memory.dmp
C:\ProgramData\raawsd\egwokjj.exe
| MD5 | cc4f80bbbd81cf14599c74e9f8e970ac |
| SHA1 | c73b8e764bd16cc885143dee674a18ac98a1199c |
| SHA256 | 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3 |
| SHA512 | 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a |
memory/1728-70-0x0000000000400000-0x0000000003314000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-02 07:48
Reported
2023-04-02 07:50
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
152s
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\cpij\bntfgfs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Uses Tor communications
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bntfgfs.job | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bntfgfs.job | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe
"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4236 -ip 4236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 944
C:\ProgramData\cpij\bntfgfs.exe
C:\ProgramData\cpij\bntfgfs.exe start
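The behavioral1 and behavioral2 runs show the same persistence chain: the sample copies itself into a random-named folder under C:\ProgramData (the dropped file's MD5/SHA1/SHA256 in the Files section equal those of the submitted sample), writes a .job file of the same name into C:\Windows\Tasks, and is later relaunched by the task host (taskeng.exe on win7) with the argument start. The WriteProcessMemory rows show taskeng.exe writing to the process it itself spawned (PID 1196 to PID 1728), which is consistent with an ordinary process launch rather than injection into an unrelated process. The Python below is an added hunting example, not part of the report: its event records are constructed from the behavioral1 rows plus two benign rows, and the sets of legitimate .job writers and task-host images are assumptions to tune per environment.

```python
"""Hunt for the self-copy + .job + task-launch chain in endpoint telemetry (added example)."""

SAMPLE_SHA256 = "1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"

# Constructed event records modelled on the behavioral1 (win7) rows, plus two
# benign rows (svchost writing SA.DAT, a task host launching a system binary)
# so the rules have something to ignore.
EVENTS = [
    {"type": "file_create", "process": SAMPLE_EXE,
     "path": r"C:\ProgramData\raawsd\egwokjj.exe", "sha256": SAMPLE_SHA256},
    {"type": "file_create", "process": SAMPLE_EXE,
     "path": r"C:\Windows\Tasks\egwokjj.job", "sha256": None},
    {"type": "process_create", "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\ProgramData\raawsd\egwokjj.exe",
     "cmdline": r"C:\ProgramData\raawsd\egwokjj.exe start"},
    {"type": "file_create", "process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Tasks\SA.DAT", "sha256": None},
    {"type": "process_create", "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\Windows\System32\wsqmcons.exe", "cmdline": "wsqmcons.exe"},
]

# Hash of each process image as the analyst knows it (constructed lookup).
IMAGE_HASHES = {SAMPLE_EXE.lower(): SAMPLE_SHA256}

# Assumptions to tune per environment: processes that legitimately launch
# scheduled tasks (taskeng.exe on win7, the Schedule svchost on win10) and
# processes that legitimately write .job files.
TASK_HOSTS = {"c:\\windows\\system32\\taskeng.exe", "c:\\windows\\system32\\svchost.exe"}
JOB_WRITERS = {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\at.exe",
               "c:\\windows\\system32\\schtasks.exe"}
PROGRAMDATA = "c:\\programdata\\"
TASKS_DIR = "c:\\windows\\tasks\\"


def _stem(path):
    """'C:\\dir\\egwokjj.exe' -> 'egwokjj' (lower-cased file name without extension)."""
    return path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def hunt(events, image_hashes):
    """Return (rule, detail) findings for the persistence chain seen in the report."""
    findings = []
    dropped_stems = set()
    job_stems = {}
    for e in events:
        if e["type"] == "file_create":
            proc, path = e["process"].lower(), e["path"].lower()
            if path.startswith(PROGRAMDATA) and path.endswith(".exe"):
                dropped_stems.add(_stem(path))
                # The dropped file carries the writer's own hash: a self-copy.
                if e["sha256"] and image_hashes.get(proc) == e["sha256"]:
                    findings.append(("self_copy_programdata", e["path"]))
            if path.startswith(TASKS_DIR) and path.endswith(".job"):
                job_stems[_stem(path)] = e["path"]
                # A .job written directly by a user process, not by the
                # scheduler service or its CLI front-ends.
                if proc not in JOB_WRITERS:
                    findings.append(("job_file_by_user_process", e["path"]))
        elif e["type"] == "process_create":
            parent, image = e["parent"].lower(), e["image"].lower()
            # Task host launching an executable that lives under ProgramData.
            if parent in TASK_HOSTS and image.startswith(PROGRAMDATA):
                findings.append(("task_launch_from_programdata", e["cmdline"]))
    # Correlate: a .job whose name matches an executable dropped in ProgramData.
    for stem in sorted(dropped_stems & set(job_stems)):
        findings.append(("job_for_dropped_exe", job_stems[stem]))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS, IMAGE_HASHES):
        print(f"{rule}: {detail}")
```

The four rules fire independently, so a partial chain (for example a .job written by the sample but never triggered within the sandbox time limit) still produces findings; the correlation rule ties the .job back to the dropped executable by file name, which is what the raawsd/egwokjj and cpij/bntfgfs pairs in the two runs share.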
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.42.73.25:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| CZ | 89.203.249.203:4035 | | tcp |
| US | 8.8.8.8:53 | gamelom20.com | udp |
| US | 34.171.171.32:4035 | gamelom20.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 32.171.171.34.in-addr.arpa | udp |
| AT | 86.59.21.38:80 | 86.59.21.38 | tcp |
| US | 8.8.8.8:53 | 155.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.21.59.86.in-addr.arpa | udp |
| US | 204.13.164.118:80 | 204.13.164.118 | tcp |
| US | 8.8.8.8:53 | 118.164.13.204.in-addr.arpa | udp |
| DE | 89.58.32.236:8443 | | tcp |
| DE | 93.127.254.11:35288 | 93.127.254.11 | tcp |
| US | 45.56.107.49:9001 | | tcp |
| DE | 164.40.200.1:440 | 164.40.200.1 | tcp |
| DE | 45.10.24.189:9001 | | tcp |
| DE | 79.201.245.40:22154 | 79.201.245.40 | tcp |
| US | 8.8.8.8:53 | 236.32.58.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.254.127.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.107.56.45.in-addr.arpa | udp |
| DE | 178.215.228.78:9001 | | tcp |
| SE | 193.11.166.196:80 | 193.11.166.196 | tcp |
| LT | 78.60.180.159:9002 | | tcp |
| SE | 85.228.47.180:9030 | 85.228.47.180 | tcp |
| US | 8.8.8.8:53 | 1.200.40.164.in-addr.arpa | udp |
| CA | 181.41.202.249:34913 | | tcp |
| US | 8.8.8.8:53 | 189.24.10.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.245.201.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.228.215.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.166.11.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.180.60.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.47.228.85.in-addr.arpa | udp |
| RO | 89.34.27.237:9030 | 89.34.27.237 | tcp |
| CA | 68.67.32.31:9001 | | tcp |
| SE | 85.228.47.180:9030 | 85.228.47.180 | tcp |
| RE | 154.67.217.229:443 | | tcp |
| US | 8.8.8.8:53 | 249.202.41.181.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.27.34.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.32.67.68.in-addr.arpa | udp |
| N/A | 65.50.203.5:9030 | | tcp |
| N/A | 103.26.221.164:2323 | | tcp |
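Both Network tables mix four kinds of traffic that should be triaged differently: the C2 on port 4035 (gamelom20.com resolving to 34.171.171.32, and 89.203.249.203 reached on the same port without any DNS lookup), the external-IP lookups to api.ipify.org and ip4.seeip.org, a long tail of connections to Tor relay default ports (9001 ORPort, 9030 DirPort) with no preceding DNS query, and, on the win10 run, reverse-DNS (in-addr.arpa) queries for addresses the run had already contacted (32.171.171.34.in-addr.arpa is 34.171.171.32 reversed). The Python below is an added example, not output of the report, that parses rows in the table's own layout (tolerating the proto value landing in the Domain column, as it does for the unresolved rows) and sorts them into buckets. The sample rows are copied from the tables above; the rule that an unresolved destination on the same port as a DNS-resolved C2 host is itself a C2 candidate is an assumption, and anything left in the direct-ip bucket (which on the win10 run includes what is most likely OS background traffic) is for manual review.

```python
"""Sort sandbox Network rows into IOC buckets (added example, not report output)."""
import ipaddress
from collections import defaultdict, namedtuple

# Tor relay defaults (ORPort 9001, DirPort 9030). Relays also commonly listen
# on 443/80, but those ports are left for manual review to avoid false positives.
TOR_PORTS = {9001, 9030}
# Public-IP lookup services observed in the report.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip4.seeip.org"}

# Rows copied from the report's Network tables (a representative subset),
# including one row in the shifted layout the report uses for unresolved hosts.
SAMPLE_ROWS = """
| CZ | 89.203.249.203:4035 | | tcp |
| US | 8.8.8.8:53 | gamelom20.com | udp |
| US | 34.171.171.32:4035 | gamelom20.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:443 | api.ipify.org | tcp |
| RO | 5.183.170.183:9001 | tcp | |
| DE | 144.76.75.137:9030 | 144.76.75.137 | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 20.42.73.25:443 | tcp | |
""".strip().splitlines()

Row = namedtuple("Row", "country ip port domain proto")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line):
    """Parse one '| CC | ip:port | domain | proto |' row.

    Empty cells are dropped, so the proto value is found whether it sits in
    its own column or in the Domain column of an unresolved row.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    country, dst = cells[0], cells[1]
    rest = cells[2:]
    proto = rest.pop() if rest and rest[-1] in ("tcp", "udp") else ""
    domain = rest[0] if rest else ""
    ip, port = dst.rsplit(":", 1)
    return Row(country, ip, int(port), domain, proto)


def classify(rows):
    """Return {bucket: sorted indicators} for the given table rows."""
    parsed = [parse_row(r) for r in rows]
    # Ports on which a DNS-resolved host (not a lookup service, not a Tor port)
    # was contacted. Unresolved destinations on one of these ports are also
    # reported as C2 candidates (assumption: fallback C2 on the same port).
    c2_ports = {
        r.port for r in parsed
        if r.domain and not _is_ip(r.domain) and r.port != 53
        and r.domain not in IP_LOOKUP_SERVICES and r.port not in TOR_PORTS
    }
    buckets = defaultdict(set)
    for r in parsed:
        if r.proto == "udp" and r.port == 53:
            bucket = "rdns-noise" if r.domain.endswith(".in-addr.arpa") else "dns-query"
            key = r.domain
        elif r.domain in IP_LOOKUP_SERVICES:
            bucket, key = "ip-lookup", f"{r.domain} ({r.ip}:{r.port})"
        elif r.port in TOR_PORTS:
            bucket, key = "tor-relay", f"{r.ip}:{r.port}"
        elif r.domain and not _is_ip(r.domain):
            bucket, key = "c2-candidate", f"{r.domain} ({r.ip}:{r.port})"
        elif r.port in c2_ports:
            bucket, key = "c2-candidate", f"{r.ip}:{r.port}"
        else:
            bucket, key = "direct-ip", f"{r.ip}:{r.port}"
        buckets[bucket].add(key)
    return {name: sorted(keys) for name, keys in buckets.items()}


if __name__ == "__main__":
    for name, keys in sorted(classify(SAMPLE_ROWS).items()):
        print(f"{name}:")
        for key in keys:
            print(f"  {key}")
```

Feeding the full tables through classify makes the difference between the two runs visible at a glance: the c2-candidate and ip-lookup buckets are identical, the tor-relay bucket differs (Tor picks different relays each run, so those addresses are poor blocklist material), and only the win10 run produces the rdns-noise bucket.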
Files
memory/4236-134-0x0000000000030000-0x0000000000039000-memory.dmp
memory/4236-135-0x0000000000400000-0x0000000003314000-memory.dmp
C:\ProgramData\cpij\bntfgfs.exe
| MD5 | cc4f80bbbd81cf14599c74e9f8e970ac |
| SHA1 | c73b8e764bd16cc885143dee674a18ac98a1199c |
| SHA256 | 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3 |
| SHA512 | 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a |
memory/3132-149-0x0000000000400000-0x0000000003314000-memory.dmp