3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759

Analysis

max time kernel
28s
max time network
91s
platform
windows7_x64
resource
win7-20220414-en
submitted
25/06/2022, 17:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe
Size

1.8MB
MD5

b826bb2b62dab956a48a12d4e27ea3a5
SHA1

b3dfdb88640cfad86d42d7f65bc70fb7831076c0
SHA256

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759
SHA512

c15233dedf2fc24de8d8f5f01c63e98a2844c18303dc3b10528e1441067c1b1f85a32f417027ea90a7f4c82764cf2a53482300e8af54a4055c0cfa4c713c2c03

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Legion Loader Activity Observed (suspira)
suricata: ET MALWARE Legion Loader Activity Observed (suspira)
suricata
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	1796	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe
1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30
PID 1796 wrote to memory of 580	1796	3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe	30

C:\Users\Admin\AppData\Local\Temp\3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe
"C:\Users\Admin\AppData\Local\Temp\3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 872
  2⤵
  - Program crash
  PID:580

Network

DNS

fastupdate1.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate1.top

IN A

Response
DNS

iplogger.org

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

148.251.234.83
GET

http://iplogger.org/1lGui

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

148.251.234.83:80

Request

GET /1lGui HTTP/1.1
Accept: text/*
User-Agent: suspiria
Host: iplogger.org

Response

HTTP/1.1 301 Moved Permanently

Server: nginx
Date: Sat, 25 Jun 2022 17:21:51 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://iplogger.org/1lGui
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
DNS

fastupdate2.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate2.top

IN A

Response
DNS

fastupdate2.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate2.top

IN A

Response
DNS

fastupdate2.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate2.top

IN A

Response
DNS

fastupdate2.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate2.top

IN A

Response
DNS

fastupdate2.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate2.top

IN A

Response
DNS

fastupdate2.top

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

Remote address:

8.8.8.8:53

Request

fastupdate2.top

IN A

Response

148.251.234.83:80

http://iplogger.org/1lGui

http

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

317 B
1.0kB
5
5

HTTP Request

GET http://iplogger.org/1lGui

HTTP Response

301
148.251.234.83:443

iplogger.org

tls

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

393 B
219 B
5
5
148.251.234.83:443

iplogger.org

tls

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

355 B
219 B
5
5
148.251.234.83:443

iplogger.org

tls

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

288 B
219 B
5
5
148.251.234.83:443

iplogger.org

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

190 B
92 B
4
2

8.8.8.8:53

fastupdate1.top

dns

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

61 B
131 B
1
1

DNS Request

fastupdate1.top
8.8.8.8:53

iplogger.org

dns

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

58 B
74 B
1
1

DNS Request

iplogger.org

DNS Response

148.251.234.83
8.8.8.8:53

fastupdate2.top

dns

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

183 B
183 B
3
3

DNS Request

fastupdate2.top

DNS Request

fastupdate2.top

DNS Request

fastupdate2.top
8.8.8.8:53

fastupdate2.top

dns

3933da33446b776c22ea0e84b7cc3e93a122be7960985231027a3be80a068759.exe

183 B
183 B
3
3

DNS Request

fastupdate2.top

DNS Request

fastupdate2.top

DNS Request

fastupdate2.top

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.