Resubmissions
Submitted           Analysis ID          Score
09-04-2024 15:25    240409-stwazaeb2v    10
09-04-2024 15:25    240409-stvpfaeb2s    10
09-04-2024 15:25    240409-stvdnsaf77    10
09-04-2024 15:25    240409-stryjsea9x    10
13-01-2023 16:48    230113-va4jcaae56    10

Analysis
max time kernel: 299s
max time network: 302s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-04-2024 15:25
Behavioral tasks
behavioral1: sample a95c29de8321dd4dc8b9676ec640e7b3.exe, resource win7-20240319-en
behavioral2: sample a95c29de8321dd4dc8b9676ec640e7b3.exe, resource win10-20240404-en
behavioral3: sample a95c29de8321dd4dc8b9676ec640e7b3.exe, resource win10v2004-20240226-en
General
Target: a95c29de8321dd4dc8b9676ec640e7b3.exe
Size: 32KB
MD5: a95c29de8321dd4dc8b9676ec640e7b3
SHA1: d9ef0d8e14ddba29ab8e39779e616344440d8f75
SHA256: 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
SHA512: d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
SSDEEP: 768:3Ta1PsXQ0yVmQvcs27NOJtyuv09gnoJCvcror:SsXQ0yVN2gV0Gno
Malware Config
Extracted family: systembc
C2 servers:
  dec15coma.com:4039
  dec15coma.xyz:4039
Signatures
Executes dropped EXE (1 IoC)
  Process: mptai.exe, PID 2092

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 1: api.ipify.org
  Flow 2: api.ipify.org

Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
  Process a95c29de8321dd4dc8b9676ec640e7b3.exe: file opened for modification, C:\Windows\Tasks\mptai.job
  Process a95c29de8321dd4dc8b9676ec640e7b3.exe: file created, C:\Windows\Tasks\mptai.job

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: a95c29de8321dd4dc8b9676ec640e7b3.exe, PID 3004 (observed twice)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
2. C:\ProgramData\gxqnj\mptai.exe
   Command line: C:\ProgramData\gxqnj\mptai.exe start
   - Executes dropped EXE
Both entries sit at the top level of the process tree; mptai.exe is not recorded as a direct child of the sample.
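The behaviours under Signatures and Processes translate directly into a hunt over endpoint telemetry. The Python below is an added example, not part of the Triage report and not code from the sample: it takes the IOCs on this page (the sample SHA256, the SystemBC C2 host:port pairs, the C:\Windows\Tasks\mptai.job task file, the C:\ProgramData\<dir>\mptai.exe drop path and the api.ipify.org lookup) and matches them against constructed key=value telemetry lines modelled loosely on Sysmon events. The pipe-delimited log format, the tag names, and the assumption that the ProgramData subdirectory name (gxqnj in this run) varies between infections are the example's own.

```python
import re

# IOCs copied from the report above.
SAMPLE_SHA256 = "7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b"
C2_ENDPOINTS = {("dec15coma.com", 4039), ("dec15coma.xyz", 4039)}  # SystemBC config
C2_HOSTS = {host for host, _ in C2_ENDPOINTS}
IP_LOOKUP_HOSTS = {"api.ipify.org"}
TASK_JOB = r"c:\windows\tasks\mptai.job"
# The report shows C:\ProgramData\gxqnj\mptai.exe. Assumption: the directory name
# varies per infection, so only the ProgramData\<dir>\mptai.exe shape is matched.
DROPPED_EXE_RE = re.compile(r"^c:\\programdata\\[^\\]+\\mptai\.exe$")


def parse_event(line):
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def match_event(ev):
    """Return the IOC tags one event triggers; tags mirror the report's signatures."""
    hits = []
    kind = ev.get("event", "")
    image = ev.get("image", "").lower()
    target = ev.get("target", "").lower()
    if kind == "FileCreate" and target == TASK_JOB:
        hits.append("drops_task_job")                   # Drops file in Windows directory
    if kind == "FileCreate" and DROPPED_EXE_RE.match(target):
        hits.append("drops_payload_copy")
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append("dropped_copy_matches_sample")  # Downloads: identical hashes
    if kind == "ProcessCreate" and DROPPED_EXE_RE.match(image):
        hits.append("executes_dropped_exe")             # Executes dropped EXE
    if kind == "DnsQuery":
        query = ev.get("query", "").lower()
        if query in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")           # Looks up external IP address
        if query in C2_HOSTS:
            hits.append("systembc_c2_dns")
    if kind == "NetworkConnect":
        host, _, port = ev.get("dst", "").rpartition(":")
        if port.isdigit() and (host.lower(), int(port)) in C2_ENDPOINTS:
            hits.append("systembc_c2_connect")
    return hits


def hunt(lines):
    """Run every line through match_event; return (line_no, tag, image) triples."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        for tag in match_event(ev):
            findings.append((number, tag, ev.get("image", "")))
    return findings


# Constructed telemetry reproducing the report's process tree and signatures.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
DROPPED = r"C:\ProgramData\gxqnj\mptai.exe"
SAMPLE_LOG = [
    f'event=ProcessCreate|image={SAMPLE}|cmdline="{SAMPLE}"',
    f"event=FileCreate|image={SAMPLE}|target={DROPPED}|sha256={SAMPLE_SHA256}",
    rf"event=FileCreate|image={SAMPLE}|target=C:\Windows\Tasks\mptai.job",
    f"event=ProcessCreate|image={DROPPED}|cmdline={DROPPED} start",
    f"event=DnsQuery|image={DROPPED}|query=api.ipify.org",
    f"event=DnsQuery|image={DROPPED}|query=dec15coma.com",
    f"event=NetworkConnect|image={DROPPED}|dst=dec15coma.xyz:4039",
    r"event=DnsQuery|image=C:\Program Files\Mozilla Firefox\firefox.exe|query=example.org",  # benign
]

if __name__ == "__main__":
    for number, tag, image in hunt(SAMPLE_LOG):
        print(f"line {number:2d}  {tag:28s}  {image}")
```

Two points when turning this into a real hunt: the file in C:\Windows\Tasks is a legacy .job task file, so list that directory directly rather than relying only on task-library queries, and the dropped mptai.exe carries the same hashes as the submitted sample, so a hash match on any mptai.exe under ProgramData is a strong hit on its own. The benign Firefox line is there to show that the matcher stays quiet on ordinary DNS traffic.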
Downloads
C:\ProgramData\gxqnj\mptai.exe
Filesize: 32KB
MD5: a95c29de8321dd4dc8b9676ec640e7b3
SHA1: d9ef0d8e14ddba29ab8e39779e616344440d8f75
SHA256: 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
SHA512: d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
These hashes are identical to those of the submitted sample: the dropped mptai.exe is a byte-for-byte copy of it.