Analysis

max time kernel: 69s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2023 13:17

Static task: static1

Behavioral task: behavioral1
Sample: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Resource: win10v2004-20220812-en
General

Target: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Size: 1.6MB
MD5: bece6c03048ee5838b463ad1adc6c2bf
SHA1: 83ab5e1baaeea4c3ac192e426de1e23363379e3d
SHA256: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b
SHA512: a602ed6db2321b20a1e5a43d062ca0b82ed2ca9254b899c9f7614edf68d6926c38a5d9b02e023ca5b6b6d089d78f1f6106fdd376278299f26c63b09ca089042b
SSDEEP: 24576:hdI35zgoLuABUWWlTDdGIn8EpNf2FfWl8KuqGavkg3NyNIbbbIoIBAUZLYB:ha54AB9WlT3X+s8KuqGaX0ToIBAUZLYB
Malware Config

Signatures

Suspicious use of SetWindowsHookEx (2 IoCs)
pid  Process
976  525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
976  525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe

Processes
Network

Remote address: 8.8.8.8:53
Request: www.baidu.com IN A
Response:
www.baidu.com IN CNAME www.a.shifen.com
www.a.shifen.com IN CNAME www.wshifen.com
www.wshifen.com IN A 104.193.88.77
www.wshifen.com IN A 104.193.88.123

Remote address: 104.193.88.77:80
Request:
GET / HTTP/1.1
User-Agent: test
Host: www.baidu.com
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 9508
Content-Type: text/html
Date: Tue, 07 Feb 2023 13:17:38 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Pragma: no-cache
Server: BWS/1.1
Set-Cookie: BAIDUID=4AEB069A958B5C1FC7535783CCCF63B1:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=4AEB069A958B5C1FC7535783CCCF63B1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1675775858; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=4AEB069A958B5C1F220588D58962B5E5:FG=1; max-age=31536000; expires=Wed, 07-Feb-24 13:17:38 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Traceid: 167577585802379271787393139351182101796
Vary: Accept-Encoding
X-Frame-Options: sameorigin
X-Ua-Compatible: IE=Edge,chrome=1

Remote address: 8.8.8.8:53
Request: y.qq.com IN A
Response:
y.qq.com IN CNAME y.qq.com.tc.qq.com
y.qq.com.tc.qq.com IN CNAME y.qq.com.mid.tdnsv6.com
y.qq.com.mid.tdnsv6.com IN CNAME y.qq.com.sched.legopic1-dk.tdnsv6.com
y.qq.com.sched.legopic1-dk.tdnsv6.com IN A 203.205.136.82
y.qq.com.sched.legopic1-dk.tdnsv6.com IN A 203.205.136.80
y.qq.com.sched.legopic1-dk.tdnsv6.com IN A 203.205.136.81
y.qq.com.sched.legopic1-dk.tdnsv6.com IN A 203.205.137.58

GET https://y.qq.com/favicon.ico
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Remote address: 203.205.136.82:443
Request:
GET /favicon.ico HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: y.qq.com
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Mon, 06 Feb 2023 01:12:41 GMT
Expires: Wed, 08 Mar 2023 01:12:41 GMT
Content-Type: image/x-icon
X-Verify-Code: 3e71393de0161cc3ca978db6924ca885
X-Daa-Tunnel: hop_count=1
Accept-Ranges: bytes
X-Cache-Lookup: Cache Hit
Last-Modified: Tue, 30 Oct 2018 02:01:59 GMT
Age: 0
Content-Length: 4286
X-NWS-LOG-UUID: 5713051299140644364
Connection: keep-alive
X-Cache-Lookup: Hit From Inner Cluster
alt-svc: quic=":443";ma=86400;v="46,43,42"
Cache-Control: max-age=600
X-Server-Ip: 203.205.136.82_eth0
Access-Control-Expose-Headers: X-Server-Ip, x-server-ip
Content-Security-Policy: script-src https://*.myqcloud.com http://*.myqcloud.com https://*.cdn-go.cn https://qqhb-2022.cdn-go.cn http://qqhb-2022.cdn-go.cn https://*.xverse.cn http://*.xverse.cn http://*.kugou.com https://*.kugou.com http://*.kuwo.cn https://*.kuwo.cn https://m.12530.com http://m.12530.com https://*.qq.com http://*.qq.com https://*.gtimg.cn http://*.gtimg.cn https://*.url.cn http://*.url.cn https://*.tenpay.com http://*.tenpay.com https://*.qpic.cn http://*.qpic.cn https://*.idqqimg.com http://*.idqqimg.com https://*.gtimg.com http://*.gtimg.com https://*.soso.com http://*.soso.com https://*.jd.com http://*.jd.com http://*.tencent.com https://*.tencent.com 'unsafe-inline' 'unsafe-eval' blob:; worker-src https://*.qq.com http://*.qq.com https://*.gtimg.cn http://*.gtimg.cn blob:; report-uri https://stat.y.qq.com/monitor/report_csp

Remote address: 8.8.8.8:53
Request: ocsp.digicert.cn IN A
Response:
ocsp.digicert.cn IN CNAME ocsp.digicert.cn.w.cdngslb.com
ocsp.digicert.cn.w.cdngslb.com IN A 47.246.48.205

GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Remote address: 47.246.48.205:80
Request:
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.digicert.cn
Response:
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 471
Connection: keep-alive
Cache-Control: 'max-age=158059'
Date: Tue, 07 Feb 2023 12:42:35 GMT
Ali-Swift-Global-Savetime: 1675773755
Via: cache2.l2de2[292,91,200-0,C], cache6.l2de2[92,0], cache5.nl2[0,0,200-0,H], cache8.nl2[3,0]
Age: 2105
X-Cache: HIT TCP_MEM_HIT dirn:5:154932698
X-Swift-SaveTime: Tue, 07 Feb 2023 12:42:35 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 2ff6309c16757758602386009e

GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Remote address: 47.246.48.205:80
Request:
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.digicert.cn
Response:
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 471
Connection: keep-alive
Date: Tue, 07 Feb 2023 12:31:52 GMT
Last-Modified: Tue, 07 Feb 2023 12:18:42 GMT
ETag: "63e241a2-1d7"
Expires: Thu, 09 Feb 2023 12:18:42 GMT
Cache-Control: max-age=172010
Accept-Ranges: bytes
Ali-Swift-Global-Savetime: 1675773112
Via: cache23.l2de2[306,306,200-0,M], cache16.l2de2[307,0], cache4.nl2[0,0,200-0,H], cache8.nl2[1,0]
Age: 2748
X-Cache: HIT TCP_MEM_HIT dirn:11:148656186
X-Swift-SaveTime: Tue, 07 Feb 2023 12:31:52 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 2ff6309c16757758602836169e

Flow summary (Sent / Received are bytes, with packet counts in parentheses)

Sent: 322 B (7 pkts)

Remote address: 104.193.88.77:80
Domain/URL: http://www.baidu.com/
Protocol: http
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Sent: 818 B (16 pkts), Received: 11.0kB (13 pkts)
HTTP Request: GET http://www.baidu.com/
HTTP Response: 200

Remote address: 203.205.136.82:443
Domain/URL: https://y.qq.com/favicon.ico
Protocol: tls, http
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Sent: 1.4kB (20 pkts), Received: 11.1kB (18 pkts)
HTTP Request: GET https://y.qq.com/favicon.ico
HTTP Response: 200

Remote address: 47.246.48.205:80
Domain/URL: http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D
Protocol: http
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Sent: 784 B (7 pkts), Received: 2.3kB (5 pkts)
HTTP Request: GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
HTTP Response: 200
HTTP Request: GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D
HTTP Response: 200

Sent: 322 B (7 pkts)

Sent: 322 B (7 pkts)

Sent: 322 B (7 pkts)

Sent: 322 B (7 pkts)

Remote address: 8.8.8.8:53
Domain/URL: www.baidu.com
Protocol: dns
Sent: 59 B (1 pkt), Received: 144 B (1 pkt)
DNS Request: www.baidu.com
DNS Response: 104.193.88.77, 104.193.88.123

Remote address: 8.8.8.8:53
Domain/URL: y.qq.com
Protocol: dns
Sent: 54 B (1 pkt), Received: 219 B (1 pkt)
DNS Request: y.qq.com
DNS Response: 203.205.136.82, 203.205.136.80, 203.205.136.81, 203.205.137.58

Remote address: 8.8.8.8:53
Domain/URL: ocsp.digicert.cn
Protocol: dns
Process: 525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
Sent: 62 B (1 pkt), Received: 122 B (1 pkt)
DNS Request: ocsp.digicert.cn
DNS Response: 47.246.48.205