Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2023 21:53
Behavioral task: behavioral1
Sample: 08c751edec7a3ae530ac34bd90e31445.exe
Resource: win7-20231215-en
General
Target: 08c751edec7a3ae530ac34bd90e31445.exe
Size: 32KB
MD5: 08c751edec7a3ae530ac34bd90e31445
SHA1: 13dace12ba3b0c2733fd9a5c041e469627b4cffc
SHA256: d7d2a183cb22b8327d1a46c2c5d13f45a488234fd51fa4b355b6b53144495db8
SHA512: 44e5d2f1bf28ce7fb21dff8ce92e34e34c74c7edb4ba8e6c809c2fe1d5134c97ecc84291367ce496dd4047d78a26bb70007c3be4b61a1b24ce966807d46bfd67
SSDEEP: 768:uZ+k6/WHzIyee1F0dPiXpwJo8eyhoJD3u3L3GG9:kG4zIyeGuIGC8eyhoB+b
Malware Config
Extracted: systembc
80.85.84.79:4001
Signatures
Executes dropped EXE (1 IoC)
  Processes: anmnn.exe (PID 2812)
Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network IoCs (flow: destination): 7: api.ipify.org; 8: ip4.seeip.org; 9: ip4.seeip.org; 4: api.ipify.org
Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\anmnn.job (process: 08c751edec7a3ae530ac34bd90e31445.exe)
  File opened for modification: C:\Windows\Tasks\anmnn.job (process: 08c751edec7a3ae530ac34bd90e31445.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 08c751edec7a3ae530ac34bd90e31445.exe (PID 2420)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2680 (taskeng.exe) wrote to memory of PID 2812 (anmnn.exe); four identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\08c751edec7a3ae530ac34bd90e31445.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08c751edec7a3ae530ac34bd90e31445.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2420
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4652472E-3F3C-4625-BB4F-835600F569C8} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2680
  C:\ProgramData\exgnh\anmnn.exe
    Command line: C:\ProgramData\exgnh\anmnn.exe start
    - Executes dropped EXE
    PID: 2812
Network
MITRE ATT&CK Enterprise v15