Resubmissions
Submitted          ID                  Score
09-04-2024 15:25   240409-stwazaeb2v   10
09-04-2024 15:25   240409-stvpfaeb2s   10
09-04-2024 15:25   240409-stvdnsaf77   10
09-04-2024 15:25   240409-stryjsea9x   10
13-01-2023 16:48   230113-va4jcaae56   10

Analysis
Max time kernel: 298s
Max time network: 302s
Platform: windows7_x64
Resource: win7-20240319-en
Resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
Submitted: 09-04-2024 15:25
Behavioral tasks
behavioral1   Sample: a95c29de8321dd4dc8b9676ec640e7b3.exe   Resource: win7-20240319-en
behavioral2   Sample: a95c29de8321dd4dc8b9676ec640e7b3.exe   Resource: win10-20240404-en
behavioral3   Sample: a95c29de8321dd4dc8b9676ec640e7b3.exe   Resource: win10v2004-20240226-en
General
Target: a95c29de8321dd4dc8b9676ec640e7b3.exe
Size: 32KB
MD5: a95c29de8321dd4dc8b9676ec640e7b3
SHA1: d9ef0d8e14ddba29ab8e39779e616344440d8f75
SHA256: 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
SHA512: d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
SSDEEP: 768:3Ta1PsXQ0yVmQvcs27NOJtyuv09gnoJCvcror:SsXQ0yVN2gV0Gno
Malware Config
Extracted family: systembc
C2: dec15coma.com:4039
C2: dec15coma.xyz:4039
Signatures
Executes dropped EXE (1 IoC)
  PID    Process
  2740   esrong.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow   IoC
  5      api.ipify.org
  6      api.ipify.org
  7      ip4.seeip.org
  8      ip4.seeip.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity. (Tagged as a TTP only; no Tor-specific IoC is recorded for this run.)

Drops file in Windows directory (2 IoCs)
  Description                    IoC                            Process
  File created                   C:\Windows\Tasks\esrong.job    a95c29de8321dd4dc8b9676ec640e7b3.exe
  File opened for modification   C:\Windows\Tasks\esrong.job    a95c29de8321dd4dc8b9676ec640e7b3.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID    Process
  2924   a95c29de8321dd4dc8b9676ec640e7b3.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description          PID    Process       Target PID   Target process
  wrote to memory of   2804   taskeng.exe   2740         esrong.exe   (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {FE638032-309A-4FC9-A92E-59917AB60402} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  Child: C:\ProgramData\ppqq\esrong.exe
    Command line: C:\ProgramData\ppqq\esrong.exe start
    - Executes dropped EXE
Downloads
C:\ProgramData\ppqq\esrong.exe
  Filesize: 32KB
  MD5: a95c29de8321dd4dc8b9676ec640e7b3
  SHA1: d9ef0d8e14ddba29ab8e39779e616344440d8f75
  SHA256: 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
  SHA512: d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
  All four hashes match the submitted sample: esrong.exe is a byte-for-byte copy of a95c29de8321dd4dc8b9676ec640e7b3.exe, relocated to ProgramData and relaunched through the scheduled job.
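The behaviour chain in this report (a .job dropped into C:\Windows\Tasks, taskeng.exe launching a self-copy from ProgramData, external-IP lookups, and the SystemBC C2 hosts from the extracted config) maps directly onto endpoint telemetry rules. The script below is an added example, not part of the sandbox report or of any vendor's detection content: it runs a small set of hypothetical rules over constructed events modelled on the process tree above. The file and process events mirror what the report shows; the dns and connect events are assumed, derived from the extracted config (the report records no C2 connection), so they exercise the indicator logic rather than reproduce observed traffic.

```python
"""Hunting logic for the SystemBC behaviour chain, run over constructed telemetry."""
from collections import defaultdict
from dataclasses import dataclass, field

# Indicators taken from the report: sample hash, extracted C2 config, observed lookup hosts.
SAMPLE_SHA256 = "7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b"
C2_HOSTS = {"dec15coma.com", "dec15coma.xyz"}
C2_PORT = 4039
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip4.seeip.org"}
LEGACY_TASK_DIR = "c:\\windows\\tasks\\"   # Task Scheduler 1.0 .job files live here


@dataclass
class Event:
    kind: str                 # file_create | process_create | dns | connect
    pid: int
    image: str                # image path of the acting process
    fields: dict = field(default_factory=dict)


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a hypothetical rule."""
    hits = []
    for e in events:
        img = e.image.lower()
        if e.kind == "file_create":
            path = e.fields["path"].lower()
            # Persistence via a legacy .job dropped directly into C:\Windows\Tasks
            if path.startswith(LEGACY_TASK_DIR) and path.endswith(".job"):
                hits.append(("legacy_job_persistence", e.pid, e.fields["path"]))
        elif e.kind == "process_create":
            parent = e.fields["parent_image"].lower()
            # taskeng.exe executing a scheduled binary that lives under ProgramData
            if parent.endswith("\\taskeng.exe") and img.startswith("c:\\programdata\\"):
                hits.append(("taskeng_runs_programdata_binary", e.pid, e.image))
            if e.fields.get("sha256") == SAMPLE_SHA256:
                hits.append(("known_sample_hash", e.pid, e.image))
        elif e.kind == "dns":
            q = e.fields["query"].lower()
            if q in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", e.pid, q))
            if q in C2_HOSTS:
                hits.append(("systembc_c2_lookup", e.pid, q))
        elif e.kind == "connect":
            host, port = e.fields["dst_host"].lower(), e.fields["dst_port"]
            if host in C2_HOSTS and port == C2_PORT:
                hits.append(("systembc_c2_connect", e.pid, f"{host}:{port}"))
    return hits


def correlate(hits, min_rules=2):
    """Group hits per pid; a process matching several distinct rules is the strong signal."""
    by_pid = defaultdict(set)
    for rule, pid, _ in hits:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


# Constructed telemetry modelled on the process tree in the report (pids as reported).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
ESRONG = r"C:\ProgramData\ppqq\esrong.exe"

SAMPLE_EVENTS = [
    Event("process_create", 2924, DROPPER, {"parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_SHA256}),
    Event("file_create", 2924, DROPPER, {"path": r"C:\Windows\Tasks\esrong.job"}),
    Event("process_create", 2740, ESRONG, {"parent_image": TASKENG, "sha256": SAMPLE_SHA256}),
    Event("dns", 2740, ESRONG, {"query": "api.ipify.org"}),
    Event("dns", 2740, ESRONG, {"query": "ip4.seeip.org"}),
    # Assumed, not observed in the report: C2 resolution and connection from the extracted config.
    Event("dns", 2740, ESRONG, {"query": "dec15coma.com"}),
    Event("connect", 2740, ESRONG, {"dst_host": "dec15coma.com", "dst_port": 4039}),
    # Benign noise that must not fire: a System32 task binary and ordinary DNS.
    Event("process_create", 3100, r"C:\Windows\System32\defrag.exe", {"parent_image": TASKENG}),
    Event("dns", 3100, r"C:\Windows\System32\defrag.exe", {"query": "time.windows.com"}),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(correlate(detect(SAMPLE_EVENTS)))
```

The per-rule hits are individually weak (taskeng.exe launches plenty of legitimate binaries, and IP-lookup services are used by benign software), which is why correlate() only surfaces a pid that trips two or more distinct rules; here both the dropper (2924) and the relaunched copy (2740) qualify while the System32 task does not. The .job path rule is specific to the Windows 7 run shown in this report; on the Windows 10 tasks listed under Behavioral tasks, persistence would need to be looked for in the Task Scheduler 2.0 XML store instead.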