Analysis
-
max time kernel
134s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
28/08/2023, 12:38 UTC
General
-
Target
4b503e651c42aa2212d4e923b3b35c7dcecfc5e4a47e40657ac5d7260a0b178f.exe
-
Size
2.5MB
-
MD5
6044815a509bd93d9138a53703c3c67f
-
SHA1
f6514efcbec925ed96eec3b38b7b8d465f639952
-
SHA256
4b503e651c42aa2212d4e923b3b35c7dcecfc5e4a47e40657ac5d7260a0b178f
-
SHA512
37ec3f9f11bf5c0ba31d030f8c2e1c9809ac0f144a8a8f20bb82e3c73993052da474cdfeb49a9a7861a0ffc53006aff7852dae36f67893f5fe7dbc5f764afb24
-
SSDEEP
49152:0BtkSsGmCzv0MGxhST+YcITKSYeibmmYvJR/DvAQwDWY3xqOrAlk:0BLO4FUeiCmYvAQw73cXlk
Score
7/10
Malware Config
Signatures
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b503e651c42aa2212d4e923b3b35c7dcecfc5e4a47e40657ac5d7260a0b178f.exe"C:\Users\Admin\AppData\Local\Temp\4b503e651c42aa2212d4e923b3b35c7dcecfc5e4a47e40657ac5d7260a0b178f.exe"1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
-
DNSsp.kulove123.comRemote address:8.8.8.8:53Requestsp.kulove123.comIN AResponsesp.kulove123.comIN CNAMEiduxxob.qiniudns.comiduxxob.qiniudns.comIN CNAMEtinyglobalcdnweb.qiniu.com.w.kunlunar.comtinyglobalcdnweb.qiniu.com.w.kunlunar.comIN A47.246.48.211 -
GEThttp://sp.kulove123.com/NIP.datRemote address:47.246.48.211:80RequestGET /NIP.dat HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: sp.kulove123.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Tengine
Content-Type: application/x-ns-proxy-autoconfig
Content-Length: 170
Connection: keep-alive
Date: Tue, 01 Aug 2023 05:24:41 GMT
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Log, X-Reqid
Access-Control-Max-Age: 2592000
Cache-Control: public, max-age=31536000
Content-Disposition: inline; filename="NIP.dat"; filename*=utf-8''NIP.dat
Content-Md5: ADX5KYeMWmIU80NS8O1BOw==
Content-Transfer-Encoding: binary
Etag: "FsVKpzoq4CAm1gg1Bz2UUF2Y2Auf"
Last-Modified: Tue, 24 Mar 2020 16:29:59 GMT
X-Log: X-Log
X-M-Log: QNM:xs444;QNM3
X-M-Reqid: 4C0AACywYvMDK3cX
X-Qiniu-Zone: 0
X-Qnm-Cache: Hit
X-Reqid: 9R8AAADx_C9VJHYX
X-Svr: IO
Ali-Swift-Global-Savetime: 1690867481
Via: cache2.l2de2[0,46,206-0,H], cache12.l2de2[49,0], cache8.nl2[0,0,200-0,H], cache5.nl2[15,0]
Age: 2358871
X-Cache: HIT TCP_MEM_HIT dirn:11:327592090
X-Swift-SaveTime: Mon, 21 Aug 2023 23:39:17 GMT
X-Swift-CacheTime: 798324
Timing-Allow-Origin: *
EagleId: 2ff6309916932263523957991e
-
GEThttp://sp.kulove123.com/yzxy.txtRemote address:47.246.48.211:80RequestGET /yzxy.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: sp.kulove123.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Tengine
Content-Type: text/plain
Content-Length: 1
Connection: keep-alive
Date: Sat, 19 Aug 2023 06:59:09 GMT
Cache-Control: public, max-age=31536000
Etag: "FrZYn8arDcgs8SCZ0cLUCrmU6EEM"
X-M-Log: QNM:xs1186;QNM3/304
X-M-Reqid: rm4AAHwpnAaetnwX
X-Qnm-Cache: Hit
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Log, X-Reqid
Access-Control-Max-Age: 2592000
Content-Disposition: inline; filename="yzxy.txt"; filename*=utf-8''yzxy.txt
Content-Transfer-Encoding: binary
Last-Modified: Thu, 02 Feb 2017 07:30:37 GMT
Vary: Accept-Encoding
X-Log: X-Log
X-Qiniu-Zone: 0
X-Reqid: XXEAAAC5Mvbwt2UX
X-Svr: IO
Ali-Swift-Global-Savetime: 1692428349
Via: cache4.l2de2[0,0,206-0,H], cache20.l2de2[2,0], cache8.nl2[0,0,200-0,H], cache5.nl2[3,0]
Age: 798004
X-Cache: HIT TCP_MEM_HIT dirn:1:208352007
X-Swift-SaveTime: Mon, 21 Aug 2023 23:39:20 GMT
X-Swift-CacheTime: 2359189
Timing-Allow-Origin: *
EagleId: 2ff6309916932263537775497e
-
DNScs.kulove123.comRemote address:8.8.8.8:53Requestcs.kulove123.comIN AResponsecs.kulove123.comIN A47.93.205.92
-
DNScs.kulove123.comRemote address:8.8.8.8:53Requestcs.kulove123.comIN AResponsecs.kulove123.comIN A47.93.205.92
-
POSThttp://cs.kulove123.com/mtmd-v5.phpRemote address:47.93.205.92:80RequestPOST /mtmd-v5.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: cs.kulove123.com
Content-Length: 23
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Mon, 28 Aug 2023 12:39:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=9fv9bcraaeqmkjiqd4b5u5b070; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
-
47.246.48.211:80http://sp.kulove123.com/yzxy.txthttp
HTTP Request
GET http://sp.kulove123.com/NIP.datHTTP Response
200HTTP Request
GET http://sp.kulove123.com/yzxy.txtHTTP Response
200 -
47.93.205.92:80http://cs.kulove123.com/mtmd-v5.phphttp
HTTP Request
POST http://cs.kulove123.com/mtmd-v5.phpHTTP Response
200
-
8.8.8.8:53sp.kulove123.comdns
DNS Request
sp.kulove123.com
DNS Response
47.246.48.211
-
8.8.8.8:53cs.kulove123.comdns
DNS Request
cs.kulove123.com
DNS Response
47.93.205.92
-
8.8.8.8:53cs.kulove123.comdns
DNS Request
cs.kulove123.com
DNS Response
47.93.205.92
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.2MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
4KB