Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 20:15
Static task: static1
Behavioral task: behavioral1
- Sample: 90cfe0ef71e872618262229519f6a6c7.exe
- Resource: win7-20231129-en
General
- Target: 90cfe0ef71e872618262229519f6a6c7.exe
- Size: 139KB
- MD5: 90cfe0ef71e872618262229519f6a6c7
- SHA1: 245565b890c9f721f91a994575b993f712ad72ed
- SHA256: aee9d6522dc07d7e4454fb98190fdbe1befecd8dfc1ed0cec07dc59509100d9a
- SHA512: 60fcfe7f4232b9a7200539b6724de659460ee0231c0fc090db691e3735fd03b976b7e76687b0c7e6e2aba36ebe450ee1ed06f1c06171b3d8e371b610ccbd1ad8
- SSDEEP: 3072:8MshuDzxveNuCRcoMSJ+yQ/wZcBMETlee:8GINirI+FYc9xee
Malware Config
Extracted: systembc
- pzlkxadvert475.xyz:4044
- pzfdmserv275.xyz:4044
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 1436, process llul.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 47, ioc api.ipify.org
  flow 48, ioc api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created C:\Windows\Tasks\llul.job, process 90cfe0ef71e872618262229519f6a6c7.exe
  File opened for modification C:\Windows\Tasks\llul.job, process 90cfe0ef71e872618262229519f6a6c7.exe
- Program crash (1 IoCs)
  Processes:
  pid 232, pid_target 2688, process WerFault.exe, target process 90cfe0ef71e872618262229519f6a6c7.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid 2688, process 90cfe0ef71e872618262229519f6a6c7.exe
  pid 2688, process 90cfe0ef71e872618262229519f6a6c7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\90cfe0ef71e872618262229519f6a6c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90cfe0ef71e872618262229519f6a6c7.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2688
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 480
    - Program crash
    PID: 232
- C:\ProgramData\ibwtn\llul.exe
  Command line: C:\ProgramData\ibwtn\llul.exe start
  - Executes dropped EXE
  PID: 1436
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2688 -ip 2688
  PID: 2380
Network
MITRE ATT&CK Enterprise v15