91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08

Analysis

max time kernel
46s
max time network
99s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 23:14 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
Size

512KB
MD5

fda1dc5e8f4e40efec507a9f55e8adec
SHA1

2cc06112f8f338dc0f3684af44f02abc5b6a8e10
SHA256

91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08
SHA512

5a42443ac1719941219a8ef810128251f314dda7ae8e7b4d24dcf86b74a51d62dd09ab44be425aa7c0c795a85185b29415e4a68a72d39b9f6e8b55a1fcfc550d
SSDEEP

12288:0+h9St2Ma70zIIc91Dwws4zruXic2O/3E49:0+h9OY70z+warul3E49

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe

Executes dropped EXE 1 IoCs

pid	Process
308	s7385.exe

Loads dropped DLL 4 IoCs

pid	Process
1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s7385.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7385.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7385.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s7385.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
308	s7385.exe
308	s7385.exe
308	s7385.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	s7385.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
308	s7385.exe
308	s7385.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 308	1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe	27
PID 1308 wrote to memory of 308	1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe	27
PID 1308 wrote to memory of 308	1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe	27
PID 1308 wrote to memory of 308	1308	91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe	27

C:\Users\Admin\AppData\Local\Temp\91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
"C:\Users\Admin\AppData\Local\Temp\91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe
  "C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe" 3bf59e10a7ea6222772cf88fyCuC2vGaI5uHmeNYJdPf99Xklrgj96Kvr7CnrEH9CHec2BtvT9xwKPtj4Px6zJRwXjgK3j85JGKRpvF1sjRw2lfxpDraUfU1TR75y7bF4XmvLofLrkEJtufHbEG+hUnFyAlkwPQHZmPuyd75f6lW61AO /v "C:\Users\Admin\AppData\Local\Temp\91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:308

Network

DNS

ocsp.thawte.com

s7385.exe

Remote address:

8.8.8.8:53

Request

ocsp.thawte.com

IN A

Response

ocsp.thawte.com

IN CNAME

ocsp-ds.ws.symantec.com.edgekey.net

ocsp-ds.ws.symantec.com.edgekey.net

IN CNAME

e8218.dscb1.akamaiedge.net

e8218.dscb1.akamaiedge.net

IN A

23.51.123.27
GET

http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

s7385.exe

Remote address:

23.51.123.27:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 5
Cache-Control: public, max-age=300
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Date: Tue, 29 Nov 2022 00:46:48 GMT
Connection: keep-alive
GET

http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

s7385.exe

Remote address:

23.51.123.27:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 5
Cache-Control: public, max-age=300
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Date: Tue, 29 Nov 2022 00:46:49 GMT
Connection: keep-alive
DNS

crl.thawte.com

s7385.exe

Remote address:

8.8.8.8:53

Request

crl.thawte.com

IN A

Response

crl.thawte.com

IN CNAME

crl-symcprod.digicert.com

crl-symcprod.digicert.com

IN CNAME

cs9.wac.phicdn.net

cs9.wac.phicdn.net

IN A

72.21.91.29
GET

http://crl.thawte.com/ThawtePCA.crl

s7385.exe

Remote address:

72.21.91.29:80

Request

GET /ThawtePCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.thawte.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 3523
Cache-Control: public, max-age=3600
Content-Type: application/pkix-crl
Date: Tue, 29 Nov 2022 00:46:49 GMT
Last-Modified: Mon, 28 Nov 2022 23:48:06 GMT
Server: ECS (bsa/EB21)
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 604
DNS

th.symcd.com

s7385.exe

Remote address:

8.8.8.8:53

Request

th.symcd.com

IN A

Response

th.symcd.com

IN CNAME

ocsp-ds.ws.symantec.com.edgekey.net

ocsp-ds.ws.symantec.com.edgekey.net

IN CNAME

e8218.dscb1.akamaiedge.net

e8218.dscb1.akamaiedge.net

IN A

23.51.123.27
GET

http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D

s7385.exe

Remote address:

23.51.123.27:80

Request

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: th.symcd.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1441
Cache-Control: public, max-age=86400
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Date: Tue, 29 Nov 2022 00:46:49 GMT
Connection: keep-alive
DNS

e0fac.northstar.api.socdn.com

s7385.exe

Remote address:

8.8.8.8:53

Request

e0fac.northstar.api.socdn.com

IN A

Response

e0fac.northstar.api.socdn.com

IN CNAME

615321.parkingcrew.net

615321.parkingcrew.net

IN A

76.223.26.96

615321.parkingcrew.net

IN A

13.248.148.254
GET

http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/config

s7385.exe

Remote address:

76.223.26.96:80

Request

GET /installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/config HTTP/1.1
User-Agent: DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=System Product Name;u=Admin;northstar;ecc5fae7-ff07-a8a9-c1c2-259a79fe0a76)
Accept-Language: en-US
Host: e0fac.northstar.api.socdn.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 29 Nov 2022 00:46:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Redirect: zeropark_yahoo
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
POST

http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event

s7385.exe

Remote address:

76.223.26.96:80

Request

POST /installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event HTTP/1.1
User-Agent: DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=System Product Name;u=Admin;northstar;ecc5fae7-ff07-a8a9-c1c2-259a79fe0a76)
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Host: e0fac.northstar.api.socdn.com
Content-Length: 12683
Expect: 100-continue

Response

HTTP/1.1 403 Forbidden

Date: Tue, 29 Nov 2022 00:46:57 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding

23.51.123.27:80

http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

http

s7385.exe

789 B
1.1kB
6
6

HTTP Request

GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

HTTP Response

200

HTTP Request

GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

HTTP Response

200
72.21.91.29:80

http://crl.thawte.com/ThawtePCA.crl

http

s7385.exe

409 B
2.1kB
6
4

HTTP Request

GET http://crl.thawte.com/ThawtePCA.crl

HTTP Response

200
23.51.123.27:80

http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D

http

s7385.exe

462 B
1.9kB
5
4

HTTP Request

GET http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D

HTTP Response

200
76.223.26.96:80

http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event

http

s7385.exe

14.4kB
11.0kB
19
23

HTTP Request

GET http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/config

HTTP Response

200

HTTP Request

POST http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event

HTTP Response

403

8.8.8.8:53

ocsp.thawte.com

dns

s7385.exe

61 B
163 B
1
1

DNS Request

ocsp.thawte.com

DNS Response

23.51.123.27
8.8.8.8:53

crl.thawte.com

dns

s7385.exe

60 B
144 B
1
1

DNS Request

crl.thawte.com

DNS Response

72.21.91.29
8.8.8.8:53

th.symcd.com

dns

s7385.exe

58 B
160 B
1
1

DNS Request

th.symcd.com

DNS Response

23.51.123.27
8.8.8.8:53

e0fac.northstar.api.socdn.com

dns

s7385.exe

75 B
143 B
1
1

DNS Request

e0fac.northstar.api.socdn.com

DNS Response

76.223.26.96

13.248.148.254

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

Filesize
230KB

MD5
abaf13cb23de482dc944ab5b51ca3aac

SHA1
76837356db96dd56b647aba60f1adbbdc7b200fe

SHA256
b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

SHA512
cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

Filesize
230KB

MD5
abaf13cb23de482dc944ab5b51ca3aac

SHA1
76837356db96dd56b647aba60f1adbbdc7b200fe

SHA256
b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

SHA512
cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

Download Submit
\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

Filesize
230KB

MD5
abaf13cb23de482dc944ab5b51ca3aac

SHA1
76837356db96dd56b647aba60f1adbbdc7b200fe

SHA256
b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

SHA512
cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

Download Submit
\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

Filesize
230KB

MD5
abaf13cb23de482dc944ab5b51ca3aac

SHA1
76837356db96dd56b647aba60f1adbbdc7b200fe

SHA256
b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

SHA512
cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

Download Submit
\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

Filesize
230KB

MD5
abaf13cb23de482dc944ab5b51ca3aac

SHA1
76837356db96dd56b647aba60f1adbbdc7b200fe

SHA256
b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

SHA512
cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

Download Submit
\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

Filesize
230KB

MD5
abaf13cb23de482dc944ab5b51ca3aac

SHA1
76837356db96dd56b647aba60f1adbbdc7b200fe

SHA256
b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

SHA512
cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

Download Submit
memory/308-62-0x000007FEF3C00000-0x000007FEF4623000-memory.dmp

Filesize
10.1MB

Download
memory/308-63-0x000007FEF2B60000-0x000007FEF3BF6000-memory.dmp

Filesize
16.6MB

Download
memory/308-64-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/308-65-0x000007FEED510000-0x000007FEEE39F000-memory.dmp

Filesize
14.6MB

Download
memory/308-66-0x000007FEF2080000-0x000007FEF236A000-memory.dmp

Filesize
2.9MB

Download
memory/308-67-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.