Analysis
-
max time kernel
39s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07-11-2022 02:56
Static task
static1
Behavioral task
behavioral1
Sample
edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
Resource
win10v2004-20220901-en
General
-
Target
edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
-
Size
316KB
-
MD5
09089172c0350f30f728122541cd4b90
-
SHA1
e11b53fe7b34b6c8a16269fdba939fcd397143b8
-
SHA256
edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744
-
SHA512
4bc9e61322ff2b6fed298cf9ca911d35ae9cefa394a62dcf2058a414d3768b8263aead2ee6be31118d0a71cac4bd4079e6d530ac01a315e72a4e537c59153a65
-
SSDEEP
6144:7r/bUzkuvcBYC47l2xij4YTfpczmap8spMPed0VdtM9BdjhYd:7r0kuveY3cY1cia66MGd0Vs9BdNy
Malware Config
Signatures
-
Loads dropped DLL 3 IoCs
pid Process 2036 edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe 2036 edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe 2036 edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2036 edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe"C:\Users\Admin\AppData\Local\Temp\edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2036
Network
-
Remote address:8.8.8.8:53Requestc1.downlloaddatamy.infoIN AResponse
-
Remote address:8.8.8.8:53Requestr1.getapplicationmy.infoIN AResponser1.getapplicationmy.infoIN A94.229.72.119
-
Remote address:8.8.8.8:53Requestc2.downlloaddatamy.infoIN AResponse
-
POSThttp://r1.getapplicationmy.info/?report_version=5&edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exeRemote address:94.229.72.119:80RequestPOST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r1.getapplicationmy.info
Content-Length: 1926
Cache-Control: no-cache
ResponseHTTP/1.1 302 Found
connection: close
content-length: 11
date: Mon, 07 Nov 2022 12:54:59 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=637690ac-5e9b-11ed-b312-8788f50be7d8; path=/; domain=.getapplicationmy.info; expires=Sat, 25 Nov 2090 16:09:07 GMT; max-age=2147483647; HttpOnly
-
Remote address:8.8.8.8:53Requestsurvey-smiles.comIN AResponsesurvey-smiles.comIN A199.59.243.222
-
Remote address:199.59.243.222:80RequestGET / HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: survey-smiles.com
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 07 Nov 2022 12:55:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: parking_session=cc580f18-c41b-1a4e-f317-801efb7a8b47; expires=Mon, 07-Nov-2022 13:10:00 GMT; Max-Age=900; path=/; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TNA+5zAcuC8zFDIUlgADyF1DJLNUMdO2R648/pkg9lhWgcvsI62wu/JHrI4Qs5t09aOJmgUcGqHz7s3DHsuGGg==
Cache-Control: no-cache
Accept-CH: sec-ch-prefers-color-scheme
Critical-CH: sec-ch-prefers-color-scheme
Vary: sec-ch-prefers-color-scheme
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
-
94.229.72.119:80http://r1.getapplicationmy.info/?report_version=5&httpedb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe2.4kB 658 B 7 7
HTTP Request
POST http://r1.getapplicationmy.info/?report_version=5&HTTP Response
302 -
199.59.243.222:80http://survey-smiles.com/httpedb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe447 B 2.1kB 7 5
HTTP Request
GET http://survey-smiles.com/HTTP Response
200
-
8.8.8.8:53c1.downlloaddatamy.infodnsedb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe69 B 148 B 1 1
DNS Request
c1.downlloaddatamy.info
-
8.8.8.8:53r1.getapplicationmy.infodnsedb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe70 B 86 B 1 1
DNS Request
r1.getapplicationmy.info
DNS Response
94.229.72.119
-
8.8.8.8:53c2.downlloaddatamy.infodnsedb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe69 B 148 B 1 1
DNS Request
c2.downlloaddatamy.info
-
8.8.8.8:53survey-smiles.comdnsedb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe63 B 79 B 1 1
DNS Request
survey-smiles.com
DNS Response
199.59.243.222
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
269KB
MD5af7ce801c8471c5cd19b366333c153c4
SHA14267749d020a362edbd25434ad65f98b073581f1
SHA256cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e
SHA51288655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c
-
Filesize
91KB
MD552ffb9f31fcf351bed204ed2fa781954
SHA17acb17bc45cf6edc71726e59fb8a1d37eca51a55
SHA256eb99eb74c3736102b174d6d7ff9afaa43bab8ad4bccfac53bb4dbb80392aa1d4
SHA512841c2683068522077d6f347c17d59815bf5f94015d6b539f6a3248c00bfb8a56360c2c7b3c8960dbda497e76fb88f8859bb5c1a7f80b24fe03dbf00db187f4b9
-
Filesize
173KB
MD5b040c43d630d3740abefba186f46883b
SHA1c3c498b0cc6d34423780e8285cb3dc998ce1c4a3
SHA256dd6dd4df86f215bea1c5b68cb7677dee75cda6cbbbf39ac040d67c992f6146df
SHA512a3e3305ce4925aee378b1a3ed3e58daa743990fe809ac1b3c90640a2fa53736133a8f16c6e8314b5f243ed1109d24e683142d45f1d502cf3714edd748b3c9f5c