Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/08/2023, 19:38 UTC

General

  • Target

    7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe

  • Size

    3.0MB

  • MD5

    7686d6c953fd167bebe5d9939b2d79ef

  • SHA1

    95b390c5d27851ecd480a8b6cafec21cd7230e74

  • SHA256

    4881b8c4dd7041d5aa6a684be5fed8657408fed2ec0a3390ae0cdcec56da8f42

  • SHA512

    1795162faf69574fefa0a0cdd301b354e81c5b38894315d0defacb54d579faae3f4c14e74ee88dae806572767e046bda9579a23970b86f3fb98a147afaba14fe

  • SSDEEP

    49152:NhGVclIdwupANq1PpJ/zCYCnhEpHL2JjUgOsXF0ZEz5bWAN3XpIN:ccOdw27dpJ/zNChE5e/z

Score
10/10

Malware Config

Extracted

Family

aresloader

C2

http://193.233.134.57

Signatures

  • AresLoader

    AresLoader is a loader and downloader written in C++.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tzutil /g
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\tzutil.exe
        tzutil /g
        3⤵
        PID:764

    Network

    • US
      DNS
      ipinfo.io
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      Remote address:
      8.8.8.8:53
      Request
      ipinfo.io
      IN A
      Response
      ipinfo.io
      IN A
      34.117.59.81
    • US
      GET
      https://ipinfo.io/ip
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      Remote address:
      34.117.59.81:443
      Request
      GET /ip HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.
      Host: ipinfo.io
      Response
      HTTP/1.1 200 OK
      access-control-allow-origin: *
      content-type: text/html; charset=utf-8
      content-length: 12
      date: Sat, 05 Aug 2023 19:39:03 GMT
      x-envoy-upstream-service-time: 1
      strict-transport-security: max-age=2592000; includeSubDomains
      Via: 1.1 google
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • US
      DNS
      apps.identrust.com
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      Remote address:
      8.8.8.8:53
      Request
      apps.identrust.com
      IN A
      Response
      apps.identrust.com
      IN CNAME
      identrust.edgesuite.net
      identrust.edgesuite.net
      IN CNAME
      a1952.dscq.akamai.net
      a1952.dscq.akamai.net
      IN A
      23.72.252.171
      a1952.dscq.akamai.net
      IN A
      23.72.252.163
    • NL
      GET
      http://apps.identrust.com/roots/dstrootcax3.p7c
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      Remote address:
      23.72.252.171:80
      Request
      GET /roots/dstrootcax3.p7c HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: apps.identrust.com
      Response
      HTTP/1.1 200 OK
      X-XSS-Protection: 1; mode=block
      Strict-Transport-Security: max-age=15768000
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      Content-Security-Policy: default-src 'self' *.identrust.com
      Last-Modified: Wed, 08 Feb 2023 16:52:56 GMT
      ETag: "37d-5f433188daa00"
      Accept-Ranges: bytes
      Content-Length: 893
      X-Content-Type-Options: nosniff
      X-Frame-Options: sameorigin
      Content-Type: application/pkcs7-mime
      Cache-Control: max-age=3600
      Expires: Sat, 05 Aug 2023 20:39:02 GMT
      Date: Sat, 05 Aug 2023 19:39:02 GMT
      Connection: keep-alive
    • 34.117.59.81:443
      https://ipinfo.io/ip
      tls, http
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      1.0kB
      5.9kB
      12
      12

      HTTP Request

      GET https://ipinfo.io/ip

      HTTP Response

      200
    • 23.72.252.171:80
      http://apps.identrust.com/roots/dstrootcax3.p7c
      http
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      421 B
      1.7kB
      6
      5

      HTTP Request

      GET http://apps.identrust.com/roots/dstrootcax3.p7c

      HTTP Response

      200
    • 193.233.134.57:80
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      152 B
      80 B
      3
      2
    • 193.233.134.57:80
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      152 B
      120 B
      3
      3
    • 193.233.134.57:80
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      152 B
      120 B
      3
      3
    • 193.233.134.57:80
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      152 B
      80 B
      3
      2
    • 193.233.134.57:80
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      152 B
      120 B
      3
      3
    • 193.233.134.57:80
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      152 B
      3
    • 8.8.8.8:53
      ipinfo.io
      dns
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      55 B
      71 B
      1
      1

      DNS Request

      ipinfo.io

      DNS Response

      34.117.59.81

    • 8.8.8.8:53
      apps.identrust.com
      dns
      7686d6c953fd167bebe5d9939b2d79ef_magniber_JC.exe
      64 B
      165 B
      1
      1

      DNS Request

      apps.identrust.com

      DNS Response

      23.72.252.171
      23.72.252.163

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      73db3d7982255c07dafd85fb15ef9773

      SHA1

      7f05a565660c3d885db969db507f405276b464e6

      SHA256

      09f3b69e3d9c6c137e350eb6da6e36c378e181b305d9e5302bf2ac810538bc3a

      SHA512

      a32b7d7f4a3214643cd7c4cb1ad999f53fe7e0cb4bda2b52a2e6a6fe494c89b70ee550644d77d3cfe44777161f3591c1defb9f3ef136f5e98e2f8835900e8089

    • C:\Users\Admin\AppData\Local\Temp\Cab7B0B.tmp

      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    • C:\Users\Admin\AppData\Local\Temp\Tar7BAA.tmp

      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    • memory/2076-54-0x00000000009E0000-0x0000000000CD3000-memory.dmp

      Filesize

      2.9MB

    • memory/2076-56-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2076-55-0x00000000022F0000-0x0000000002437000-memory.dmp

      Filesize

      1.3MB

    • memory/2076-151-0x00000000009E0000-0x0000000000CD3000-memory.dmp

      Filesize

      2.9MB
