Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2023 21:00
Behavioral task: behavioral1
Sample: 08c751edec7a3ae530ac34bd90e31445.exe
Resource: win7-20231215-en
General
Target: 08c751edec7a3ae530ac34bd90e31445.exe
Size: 32KB
MD5: 08c751edec7a3ae530ac34bd90e31445
SHA1: 13dace12ba3b0c2733fd9a5c041e469627b4cffc
SHA256: d7d2a183cb22b8327d1a46c2c5d13f45a488234fd51fa4b355b6b53144495db8
SHA512: 44e5d2f1bf28ce7fb21dff8ce92e34e34c74c7edb4ba8e6c809c2fe1d5134c97ecc84291367ce496dd4047d78a26bb70007c3be4b61a1b24ce966807d46bfd67
SSDEEP: 768:uZ+k6/WHzIyee1F0dPiXpwJo8eyhoJD3u3L3GG9:kG4zIyeGuIGC8eyhoB+b
Malware Config
Extracted: systembc
80.85.84.79:4001
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 1324  process lfecwv.exe

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 8   ioc ip4.seeip.org
  flow 9   ioc ip4.seeip.org
  flow 19  ioc api.ipify.org
  flow 20  ioc ip4.seeip.org
  flow 6   ioc api.ipify.org
  flow 7   ioc api.ipify.org

Drops file in Windows directory (2 IoCs)
Processes:
  description: File created                  ioc: C:\Windows\Tasks\lfecwv.job  process: 08c751edec7a3ae530ac34bd90e31445.exe
  description: File opened for modification  ioc: C:\Windows\Tasks\lfecwv.job  process: 08c751edec7a3ae530ac34bd90e31445.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid 2904  process 08c751edec7a3ae530ac34bd90e31445.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 2536 wrote to memory of 1324  process: taskeng.exe  target process: lfecwv.exe
  PID 2536 wrote to memory of 1324  process: taskeng.exe  target process: lfecwv.exe
  PID 2536 wrote to memory of 1324  process: taskeng.exe  target process: lfecwv.exe
  PID 2536 wrote to memory of 1324  process: taskeng.exe  target process: lfecwv.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\08c751edec7a3ae530ac34bd90e31445.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\08c751edec7a3ae530ac34bd90e31445.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   PID: 2904

1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {CF2CBA41-A38F-427B-9C6A-93E0409A4ED3} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory
   PID: 2536

   2. C:\ProgramData\noodpe\lfecwv.exe
      Command line: C:\ProgramData\noodpe\lfecwv.exe start
      - Executes dropped EXE
      PID: 1324