Analysis

  • max time kernel
    69s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-02-2023 13:17

General

  • Target

    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe

  • Size

    1.6MB

  • MD5

    bece6c03048ee5838b463ad1adc6c2bf

  • SHA1

    83ab5e1baaeea4c3ac192e426de1e23363379e3d

  • SHA256

    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b

  • SHA512

    a602ed6db2321b20a1e5a43d062ca0b82ed2ca9254b899c9f7614edf68d6926c38a5d9b02e023ca5b6b6d089d78f1f6106fdd376278299f26c63b09ca089042b

  • SSDEEP

    24576:hdI35zgoLuABUWWlTDdGIn8EpNf2FfWl8KuqGavkg3NyNIbbbIoIBAUZLYB:ha54AB9WlT3X+s8KuqGaX0ToIBAUZLYB

Score
1/10

Malware Config

Signatures

  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    "C:\Users\Admin\AppData\Local\Temp\525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:976

Network

  • Country: US
    DNS
    www.baidu.com
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    8.8.8.8:53
    Request
    www.baidu.com
    IN A
    Response
    www.baidu.com
    IN CNAME
    www.a.shifen.com
    www.a.shifen.com
    IN CNAME
    www.wshifen.com
    www.wshifen.com
    IN A
    104.193.88.77
    www.wshifen.com
    IN A
    104.193.88.123
  • Country: US
    GET
    http://www.baidu.com/
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    104.193.88.77:80
    Request
    GET / HTTP/1.1
    User-Agent: test
    Host: www.baidu.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 9508
    Content-Type: text/html
    Date: Tue, 07 Feb 2023 13:17:38 GMT
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Pragma: no-cache
    Server: BWS/1.1
    Set-Cookie: BAIDUID=4AEB069A958B5C1FC7535783CCCF63B1:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BIDUPSID=4AEB069A958B5C1FC7535783CCCF63B1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: PSTM=1675775858; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BAIDUID=4AEB069A958B5C1F220588D58962B5E5:FG=1; max-age=31536000; expires=Wed, 07-Feb-24 13:17:38 GMT; domain=.baidu.com; path=/; version=1; comment=bd
    Traceid: 167577585802379271787393139351182101796
    Vary: Accept-Encoding
    X-Frame-Options: sameorigin
    X-Ua-Compatible: IE=Edge,chrome=1
  • Country: US
    DNS
    y.qq.com
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    8.8.8.8:53
    Request
    y.qq.com
    IN A
    Response
    y.qq.com
    IN CNAME
    y.qq.com.tc.qq.com
    y.qq.com.tc.qq.com
    IN CNAME
    y.qq.com.mid.tdnsv6.com
    y.qq.com.mid.tdnsv6.com
    IN CNAME
    y.qq.com.sched.legopic1-dk.tdnsv6.com
    y.qq.com.sched.legopic1-dk.tdnsv6.com
    IN A
    203.205.136.82
    y.qq.com.sched.legopic1-dk.tdnsv6.com
    IN A
    203.205.136.80
    y.qq.com.sched.legopic1-dk.tdnsv6.com
    IN A
    203.205.136.81
    y.qq.com.sched.legopic1-dk.tdnsv6.com
    IN A
    203.205.137.58
  • Country: HK
    GET
    https://y.qq.com/favicon.ico
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    203.205.136.82:443
    Request
    GET /favicon.ico HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: y.qq.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nws_static_mid
    Date: Mon, 06 Feb 2023 01:12:41 GMT
    Expires: Wed, 08 Mar 2023 01:12:41 GMT
    Content-Type: image/x-icon
    X-Verify-Code: 3e71393de0161cc3ca978db6924ca885
    X-Daa-Tunnel: hop_count=1
    Accept-Ranges: bytes
    X-Cache-Lookup: Cache Hit
    Last-Modified: Tue, 30 Oct 2018 02:01:59 GMT
    Age: 0
    Content-Length: 4286
    X-NWS-LOG-UUID: 5713051299140644364
    Connection: keep-alive
    X-Cache-Lookup: Hit From Inner Cluster
    alt-svc: quic=":443";ma=86400;v="46,43,42"
    Cache-Control: max-age=600
    X-Server-Ip: 203.205.136.82_eth0
    Access-Control-Expose-Headers: X-Server-Ip, x-server-ip
    Content-Security-Policy: script-src https://*.myqcloud.com http://*.myqcloud.com https://*.cdn-go.cn https://qqhb-2022.cdn-go.cn http://qqhb-2022.cdn-go.cn https://*.xverse.cn http://*.xverse.cn http://*.kugou.com https://*.kugou.com http://*.kuwo.cn https://*.kuwo.cn https://m.12530.com http://m.12530.com https://*.qq.com http://*.qq.com https://*.gtimg.cn http://*.gtimg.cn https://*.url.cn http://*.url.cn https://*.tenpay.com http://*.tenpay.com https://*.qpic.cn http://*.qpic.cn https://*.idqqimg.com http://*.idqqimg.com https://*.gtimg.com http://*.gtimg.com https://*.soso.com http://*.soso.com https://*.jd.com http://*.jd.com http://*.tencent.com https://*.tencent.com 'unsafe-inline' 'unsafe-eval' blob:; worker-src https://*.qq.com http://*.qq.com https://*.gtimg.cn http://*.gtimg.cn blob:; report-uri https://stat.y.qq.com/monitor/report_csp
  • Country: US
    DNS
    ocsp.digicert.cn
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.cn
    IN A
    Response
    ocsp.digicert.cn
    IN CNAME
    ocsp.digicert.cn.w.cdngslb.com
    ocsp.digicert.cn.w.cdngslb.com
    IN A
    47.246.48.205
  • Country: NL
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    47.246.48.205:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Cache-Control: 'max-age=158059'
    Date: Tue, 07 Feb 2023 12:42:35 GMT
    Ali-Swift-Global-Savetime: 1675773755
    Via: cache2.l2de2[292,91,200-0,C], cache6.l2de2[92,0], cache5.nl2[0,0,200-0,H], cache8.nl2[3,0]
    Age: 2105
    X-Cache: HIT TCP_MEM_HIT dirn:5:154932698
    X-Swift-SaveTime: Tue, 07 Feb 2023 12:42:35 GMT
    X-Swift-CacheTime: 3600
    Timing-Allow-Origin: *
    EagleId: 2ff6309c16757758602386009e
  • Country: NL
    GET
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    Remote address:
    47.246.48.205:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.digicert.cn
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Date: Tue, 07 Feb 2023 12:31:52 GMT
    Last-Modified: Tue, 07 Feb 2023 12:18:42 GMT
    ETag: "63e241a2-1d7"
    Expires: Thu, 09 Feb 2023 12:18:42 GMT
    Cache-Control: max-age=172010
    Accept-Ranges: bytes
    Ali-Swift-Global-Savetime: 1675773112
    Via: cache23.l2de2[306,306,200-0,M], cache16.l2de2[307,0], cache4.nl2[0,0,200-0,H], cache8.nl2[1,0]
    Age: 2748
    X-Cache: HIT TCP_MEM_HIT dirn:11:148656186
    X-Swift-SaveTime: Tue, 07 Feb 2023 12:31:52 GMT
    X-Swift-CacheTime: 3600
    Timing-Allow-Origin: *
    EagleId: 2ff6309c16757758602836169e
  • 104.80.225.205:443
    322 B
    7
  • 104.193.88.77:80
    http://www.baidu.com/
    http
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    818 B
    11.0kB
    16
    13

    HTTP Request

    GET http://www.baidu.com/

    HTTP Response

    200
  • 203.205.136.82:443
    https://y.qq.com/favicon.ico
    tls, http
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    1.4kB
    11.1kB
    20
    18

    HTTP Request

    GET https://y.qq.com/favicon.ico

    HTTP Response

    200
  • 47.246.48.205:80
    http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D
    http
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    784 B
    2.3kB
    7
    5

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEARVXzS%2FmtUZSzRfPT3pVwM%3D

    HTTP Response

    200
  • 13.69.109.130:443
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 178.79.208.1:80
    322 B
    7
  • 8.8.8.8:53
    www.baidu.com
    dns
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    59 B
    144 B
    1
    1

    DNS Request

    www.baidu.com

    DNS Response

    104.193.88.77
    104.193.88.123

  • 8.8.8.8:53
    y.qq.com
    dns
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    54 B
    219 B
    1
    1

    DNS Request

    y.qq.com

    DNS Response

    203.205.136.82
    203.205.136.80
    203.205.136.81
    203.205.137.58

  • 8.8.8.8:53
    ocsp.digicert.cn
    dns
    525687dfaf902d9f5b36a6405b70c20a6fc8186d68d343ab1c6bd33b8e953c6b.exe
    62 B
    122 B
    1
    1

    DNS Request

    ocsp.digicert.cn

    DNS Response

    47.246.48.205

MITRE ATT&CK Matrix
