Analysis

  • max time kernel
    39s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-11-2022 02:56

General

  • Target

    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe

  • Size

    316KB

  • MD5

    09089172c0350f30f728122541cd4b90

  • SHA1

    e11b53fe7b34b6c8a16269fdba939fcd397143b8

  • SHA256

    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744

  • SHA512

    4bc9e61322ff2b6fed298cf9ca911d35ae9cefa394a62dcf2058a414d3768b8263aead2ee6be31118d0a71cac4bd4079e6d530ac01a315e72a4e537c59153a65

  • SSDEEP

    6144:7r/bUzkuvcBYC47l2xij4YTfpczmap8spMPed0VdtM9BdjhYd:7r0kuveY3cY1cia66MGd0Vs9BdNy

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    "C:\Users\Admin\AppData\Local\Temp\edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe"
    1
    • Loads dropped DLL
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2036

Network

    US
    DNS
    c1.downlloaddatamy.info
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    Remote address:
    8.8.8.8:53
    Request
    c1.downlloaddatamy.info
    IN A
    Response
    US
    DNS
    r1.getapplicationmy.info
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    Remote address:
    8.8.8.8:53
    Request
    r1.getapplicationmy.info
    IN A
    Response
    r1.getapplicationmy.info
    IN A
    94.229.72.119
    US
    DNS
    c2.downlloaddatamy.info
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    Remote address:
    8.8.8.8:53
    Request
    c2.downlloaddatamy.info
    IN A
    Response
    GB
    POST
    http://r1.getapplicationmy.info/?report_version=5&
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    Remote address:
    94.229.72.119:80
    Request
    POST /?report_version=5& HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: TixDll
    Host: r1.getapplicationmy.info
    Content-Length: 1926
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Mon, 07 Nov 2022 12:54:59 GMT
    location: http://survey-smiles.com
    server: nginx
    set-cookie: sid=637690ac-5e9b-11ed-b312-8788f50be7d8; path=/; domain=.getapplicationmy.info; expires=Sat, 25 Nov 2090 16:09:07 GMT; max-age=2147483647; HttpOnly
    US
    DNS
    survey-smiles.com
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    Remote address:
    8.8.8.8:53
    Request
    survey-smiles.com
    IN A
    Response
    survey-smiles.com
    IN A
    199.59.243.222
    US
    GET
    http://survey-smiles.com/
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    Remote address:
    199.59.243.222:80
    Request
    GET / HTTP/1.1
    Accept: */*
    User-Agent: TixDll
    Host: survey-smiles.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 07 Nov 2022 12:55:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=cc580f18-c41b-1a4e-f317-801efb7a8b47; expires=Mon, 07-Nov-2022 13:10:00 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_TNA+5zAcuC8zFDIUlgADyF1DJLNUMdO2R648/pkg9lhWgcvsI62wu/JHrI4Qs5t09aOJmgUcGqHz7s3DHsuGGg==
    Cache-Control: no-cache
    Accept-CH: sec-ch-prefers-color-scheme
    Critical-CH: sec-ch-prefers-color-scheme
    Vary: sec-ch-prefers-color-scheme
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
  • 94.229.72.119:80
    http://r1.getapplicationmy.info/?report_version=5&
    http
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    2.4kB
    658 B
    7
    7

    HTTP Request

    POST http://r1.getapplicationmy.info/?report_version=5&

    HTTP Response

    302
  • 199.59.243.222:80
    http://survey-smiles.com/
    http
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    447 B
    2.1kB
    7
    5

    HTTP Request

    GET http://survey-smiles.com/

    HTTP Response

    200
  • 8.8.8.8:53
    c1.downlloaddatamy.info
    dns
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    69 B
    148 B
    1
    1

    DNS Request

    c1.downlloaddatamy.info

  • 8.8.8.8:53
    r1.getapplicationmy.info
    dns
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    70 B
    86 B
    1
    1

    DNS Request

    r1.getapplicationmy.info

    DNS Response

    94.229.72.119

  • 8.8.8.8:53
    c2.downlloaddatamy.info
    dns
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    69 B
    148 B
    1
    1

    DNS Request

    c2.downlloaddatamy.info

  • 8.8.8.8:53
    survey-smiles.com
    dns
    edb504b46afdab008a0df0f48680a284e23a202a624a219564cab7b46fdc7744.exe
    63 B
    79 B
    1
    1

    DNS Request

    survey-smiles.com

    DNS Response

    199.59.243.222

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\Tsu83E5A1CB.dll

    Filesize

    269KB

    MD5

    af7ce801c8471c5cd19b366333c153c4

    SHA1

    4267749d020a362edbd25434ad65f98b073581f1

    SHA256

    cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

    SHA512

    88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

  • \Users\Admin\AppData\Local\Temp\{9ECDE1DA-1D8D-48FA-AA11-55AF452EC32C}\Custom.dll

    Filesize

    91KB

    MD5

    52ffb9f31fcf351bed204ed2fa781954

    SHA1

    7acb17bc45cf6edc71726e59fb8a1d37eca51a55

    SHA256

    eb99eb74c3736102b174d6d7ff9afaa43bab8ad4bccfac53bb4dbb80392aa1d4

    SHA512

    841c2683068522077d6f347c17d59815bf5f94015d6b539f6a3248c00bfb8a56360c2c7b3c8960dbda497e76fb88f8859bb5c1a7f80b24fe03dbf00db187f4b9

  • \Users\Admin\AppData\Local\Temp\{9ECDE1DA-1D8D-48FA-AA11-55AF452EC32C}\_Setup.dll

    Filesize

    173KB

    MD5

    b040c43d630d3740abefba186f46883b

    SHA1

    c3c498b0cc6d34423780e8285cb3dc998ce1c4a3

    SHA256

    dd6dd4df86f215bea1c5b68cb7677dee75cda6cbbbf39ac040d67c992f6146df

    SHA512

    a3e3305ce4925aee378b1a3ed3e58daa743990fe809ac1b3c90640a2fa53736133a8f16c6e8314b5f243ed1109d24e683142d45f1d502cf3714edd748b3c9f5c

  • memory/2036-55-0x0000000076151000-0x0000000076153000-memory.dmp

    Filesize

    8KB
