Analysis

  • max time kernel
    43s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/09/2022, 22:06 UTC

General

  • Target

    peachjars - Linkvertise Downloader_kT33-41.exe

  • Size

    4.3MB

  • MD5

    bf244845092d9973e7a5a93635080267

  • SHA1

    3e5d24552e8b5881a794479faa9cd7e48f09d219

  • SHA256

    f71fbe54ec60dc2c19ca7a7d1ee06a2b134c216e32228ddb76217a64b452011c

  • SHA512

    fc81d20d8d24ca997c5cd1a3f171934a022aa318ecd978c7ede01a4e1cd3d3fa5384d3edc9c4dd3e6cb88cf82a6d66d3db7fd5b96a4af5aad83f2c393a3eea49

  • SSDEEP

    98304:xSie6hoXOWZ3lsuUxqxgWph7NLx137O5z:/oXOM1ughx7Sz

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\peachjars - Linkvertise Downloader_kT33-41.exe
    "C:\Users\Admin\AppData\Local\Temp\peachjars - Linkvertise Downloader_kT33-41.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\is-0R8TM.tmp\peachjars - Linkvertise Downloader_kT33-41.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0R8TM.tmp\peachjars - Linkvertise Downloader_kT33-41.tmp" /SL5="$60124,3525439,1235456,C:\Users\Admin\AppData\Local\Temp\peachjars - Linkvertise Downloader_kT33-41.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Modifies system certificate store
      PID:1732

Network

  • flag-us
    DNS
    d2khbwcectqqex.cloudfront.net
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    8.8.8.8:53
    Request
    d2khbwcectqqex.cloudfront.net
    IN A
    Response
    d2khbwcectqqex.cloudfront.net
    IN A
    65.9.84.190
    d2khbwcectqqex.cloudfront.net
    IN A
    65.9.84.131
    d2khbwcectqqex.cloudfront.net
    IN A
    65.9.84.165
    d2khbwcectqqex.cloudfront.net
    IN A
    65.9.84.8
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/o
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /o HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 139
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 11662
    Connection: keep-alive
    Server: awselb/2.0
    Date: Sat, 24 Sep 2022 22:06:40 GMT
    x-true-request-id: 4597865c-7836-40bc-a522-c2fba72a05d5
    x-robots-tag: none
    expires: Thu, 01 Jan 1970 00:00:00 GMT
    cache-control: no-cache
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: sFxg26IEpC6tO6Jq8lqXeFDHV7v5ZGf47lLC0ZWuFwmapEpF4D64ag==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 282
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:40 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: rJ-EC91mrgMnLh4kowlPw6Af68pCTF7Jb3wX9Pqyrs2h2_I39SprJA==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 437
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:40 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: yRPa-fgvk2n_U5Iz522_oFm63X0r-fElhcsHkVH3xpPeSvkMxZJ4mg==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 437
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:41 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: lXByHDepr0xkQN5IFLMN35Z2qDo8DGQANeM3FOq0ZBHA_hejVhb30A==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 382
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:41 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: DVdjPIW_rNBW4_a3ZdBtPgedrOyIvMyVK8DjyZVNuZYWteqa2fKEPA==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 351
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:41 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: 7p2fXmGlVwl9FqnxOyRncaoU0ruzQ4ciY9Ohy7jwMDDPmsR0t2bF1Q==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 348
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:42 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: jTU9MKT48ePnjKNqirYamGKSu5_N9jkuAA0GWIoHhv8wvGOLyIGY8g==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 353
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:42 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: qgxlkKVVr0wV9AVhZA5b2oChz7Tjidng8-Vag9H_UbRkiTwB10J-Fg==
  • flag-nl
    POST
    https://d2khbwcectqqex.cloudfront.net/zbd
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    POST /zbd HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/json; Charset=UTF-8
    Accept: */*
    Authorization: Signature=6c57cdee636d7c9c2ef91ced9ad775c512d4b4512ee455cb3e9137e329e1d4d3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Content-Length: 349
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 15
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 22:06:42 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
    X-Cache: Miss from cloudfront
    Via: 1.1 fb8f21b90b0483bdc64e7c79b3e007e0.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: AEJt6g3g49NgpNMIOsI6ubZTwrOlVfVS80ougvGzFWkFR-Eb2TLRfA==
  • flag-nl
    GET
    https://d2khbwcectqqex.cloudfront.net/f/WebAdvisor/images/NEW/EN.png
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    GET /f/WebAdvisor/images/NEW/EN.png HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Inno Setup 6.2.0
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: image/png
    Content-Length: 34091
    Connection: keep-alive
    Last-Modified: Mon, 04 Oct 2021 18:37:20 GMT
    x-amz-meta-cb-modifiedtime: Sun, 28 Feb 2021 10:28:54 GMT
    x-amz-version-id: 0wcFm3oHOEGgejlJkci8yjkuXqWWWr7E
    Accept-Ranges: bytes
    Server: AmazonS3
    Date: Sat, 24 Sep 2022 07:12:51 GMT
    ETag: "db6c259cd7b58f2f7a3cca0c38834d0e"
    X-Cache: Hit from cloudfront
    Via: 1.1 6d424430e2badcd8859fea1f1185697a.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: OXxHVdltNMiSZyUE3ti5k8m4T20bC3Qt4zqVaNhhuT-IJNWMw9vvdw==
    Age: 53631
  • flag-nl
    GET
    https://d2khbwcectqqex.cloudfront.net/f/AVG_BRW/images/DOTPS-512/EN.png
    peachjars - Linkvertise Downloader_kT33-41.tmp
    Remote address:
    65.9.84.190:443
    Request
    GET /f/AVG_BRW/images/DOTPS-512/EN.png HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Inno Setup 6.2.0
    Host: d2khbwcectqqex.cloudfront.net
    Response
    HTTP/1.1 200 OK
    Content-Type: image/png
    Content-Length: 30199
    Connection: keep-alive
    Date: Sat, 24 Sep 2022 02:28:51 GMT
    Last-Modified: Thu, 16 Dec 2021 14:48:37 GMT
    ETag: "0b4fa89d69051df475b75ca654752ef6"
    x-amz-meta-cb-modifiedtime: Wed, 15 Dec 2021 11:49:13 GMT
    x-amz-version-id: UBoSf_rKROKlVp8wzCLDCJmkW2.tCJMi
    Accept-Ranges: bytes
    Server: AmazonS3
    X-Cache: Hit from cloudfront
    Via: 1.1 6d424430e2badcd8859fea1f1185697a.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: AMS1-C1
    X-Amz-Cf-Id: jEUzbl-T0SWbs2PGnwVGW6GZ0hi_ITry5qzU4NpEOLMQatesuK5k-Q==
    Age: 70672
  • 65.9.84.190:443
    https://d2khbwcectqqex.cloudfront.net/zbd
    tls, http
    peachjars - Linkvertise Downloader_kT33-41.tmp
    8.1kB
    24.4kB
    32
    46

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/o

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200

    HTTP Request

    POST https://d2khbwcectqqex.cloudfront.net/zbd

    HTTP Response

    200
  • 65.9.84.190:443
    https://d2khbwcectqqex.cloudfront.net/f/AVG_BRW/images/DOTPS-512/EN.png
    tls, http
    peachjars - Linkvertise Downloader_kT33-41.tmp
    2.4kB
    74.2kB
    36
    63

    HTTP Request

    GET https://d2khbwcectqqex.cloudfront.net/f/WebAdvisor/images/NEW/EN.png

    HTTP Response

    200

    HTTP Request

    GET https://d2khbwcectqqex.cloudfront.net/f/AVG_BRW/images/DOTPS-512/EN.png

    HTTP Response

    200
  • 8.8.8.8:53
    d2khbwcectqqex.cloudfront.net
    dns
    peachjars - Linkvertise Downloader_kT33-41.tmp
    75 B
    139 B
    1
    1

    DNS Request

    d2khbwcectqqex.cloudfront.net

    DNS Response

    65.9.84.190
    65.9.84.131
    65.9.84.165
    65.9.84.8

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-0R8TM.tmp\peachjars - Linkvertise Downloader_kT33-41.tmp

    Filesize

    3.4MB

    MD5

    06e087e48e6d73efd7f353855aacb570

    SHA1

    679e2a92aa2c8a09fa3b615d56e48667ff8bb4f8

    SHA256

    9a0815e309db4d6feebf90ce5e91cc78892b2016dcbe07fd436afd655477320d

    SHA512

    05e4fe70aa104a4edbbdddf5e7396446d67123e2865c3a02c414a39c1ee6dc34aba6fa6f587435755a9a90ade1b7eccefe0e76244563689e0971a024049086c2

  • \Users\Admin\AppData\Local\Temp\is-BAU2A.tmp\AppUtils.dll

    Filesize

    1.8MB

    MD5

    43ce6d593abd5141a3139603f352ae05

    SHA1

    a97c75e23d275dddfde15ef5fdf3ff3253c0992c

    SHA256

    94e874f2702ea6be50e7d74864b66e7f763449c3db237803f3fad6adfd64ed3d

    SHA512

    bfc527529e5f73ba190dfc5bd043175c7e2ae963b665d6d39421c29e025020f1d593dc88b7bee33d86ef6b4f7a4c5e1a0339df4e99cab6849a275d1dda9f439f

  • \Users\Admin\AppData\Local\Temp\is-BAU2A.tmp\botva2.dll

    Filesize

    37KB

    MD5

    67965a5957a61867d661f05ae1f4773e

    SHA1

    f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

    SHA256

    450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

    SHA512

    c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

  • memory/1208-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

    Filesize

    8KB

  • memory/1208-55-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/1208-62-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/1732-64-0x0000000007720000-0x000000000772F000-memory.dmp

    Filesize

    60KB
