Analysis
max time kernel: 143s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2023 20:15
Static task: static1
Behavioral task: behavioral1
Sample: 90cfe0ef71e872618262229519f6a6c7.exe
Resource: win7-20231129-en
General
Target: 90cfe0ef71e872618262229519f6a6c7.exe
Size: 139KB
MD5: 90cfe0ef71e872618262229519f6a6c7
SHA1: 245565b890c9f721f91a994575b993f712ad72ed
SHA256: aee9d6522dc07d7e4454fb98190fdbe1befecd8dfc1ed0cec07dc59509100d9a
SHA512: 60fcfe7f4232b9a7200539b6724de659460ee0231c0fc090db691e3735fd03b976b7e76687b0c7e6e2aba36ebe450ee1ed06f1c06171b3d8e371b610ccbd1ad8
SSDEEP: 3072:8MshuDzxveNuCRcoMSJ+yQ/wZcBMETlee:8GINirI+FYc9xee
Malware Config
Extracted
Family: systembc
C2: pzlkxadvert475.xyz:4044
C2: pzfdmserv275.xyz:4044
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 1668  qxtqjcw.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / IoC):
  flow 6  ip4.seeip.org
  flow 4  api.ipify.org
  flow 5  api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes (description / IoC / process):
  File created                  C:\Windows\Tasks\qxtqjcw.job  90cfe0ef71e872618262229519f6a6c7.exe
  File opened for modification  C:\Windows\Tasks\qxtqjcw.job  90cfe0ef71e872618262229519f6a6c7.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 2544  90cfe0ef71e872618262229519f6a6c7.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description / PID / process / target process):
  PID 2652 wrote to memory of 1668  2652  taskeng.exe  qxtqjcw.exe
  PID 2652 wrote to memory of 1668  2652  taskeng.exe  qxtqjcw.exe
  PID 2652 wrote to memory of 1668  2652  taskeng.exe  qxtqjcw.exe
  PID 2652 wrote to memory of 1668  2652  taskeng.exe  qxtqjcw.exe
Processes

C:\Users\Admin\AppData\Local\Temp\90cfe0ef71e872618262229519f6a6c7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\90cfe0ef71e872618262229519f6a6c7.exe"
  PID: 2544
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {165CE59E-F756-4250-B8B5-E2824BAC0DB4} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2652
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\lmbnb\qxtqjcw.exe
    command line: C:\ProgramData\lmbnb\qxtqjcw.exe start
    PID: 1668
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: 90cfe0ef71e872618262229519f6a6c7
SHA1: 245565b890c9f721f91a994575b993f712ad72ed
SHA256: aee9d6522dc07d7e4454fb98190fdbe1befecd8dfc1ed0cec07dc59509100d9a
SHA512: 60fcfe7f4232b9a7200539b6724de659460ee0231c0fc090db691e3735fd03b976b7e76687b0c7e6e2aba36ebe450ee1ed06f1c06171b3d8e371b610ccbd1ad8