bb8905b7964ae90f61342b7cef9740f68a24ed426fba3586ca499fe201ab9bd7

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2023, 03:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78f000c1901081a2b7f43e55843ba89b3ed2be2cab2c3c36f04c768800863940.exe
Size

12KB
MD5

44ad16455efc3051fd00fe73e3bb7e40
SHA1

198bd41511981e7307cc2513ce7030aa5b8e0c0d
SHA256

78f000c1901081a2b7f43e55843ba89b3ed2be2cab2c3c36f04c768800863940
SHA512

09125cf385d4c0cbdf540d05114b1e7b018c950ff44b6cebe8d4e3ed3103bf08b41045a45597d84b63a2c3746ea21a8a15724017b61c02b0f9b116a9f277238d
SSDEEP

192:5rfqZdzEvo1K2hhT4l1f3wyziSv3CIZcsDGl1Hh6FehNuyyCcxjJaAEJBjt:lyd4g1Kbl+2SIZcsDo1squy6xj4bb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3980	services.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4140	3980	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4168	3980	services.exe	86
PID 3980 wrote to memory of 4168	3980	services.exe	86
PID 3980 wrote to memory of 4168	3980	services.exe	86

C:\Users\Admin\AppData\Local\Temp\78f000c1901081a2b7f43e55843ba89b3ed2be2cab2c3c36f04c768800863940.exe
"C:\Users\Admin\AppData\Local\Temp\78f000c1901081a2b7f43e55843ba89b3ed2be2cab2c3c36f04c768800863940.exe"
1⤵
PID:3248

C:\Users\Admin\AppData\Local\services.exe
C:\Users\Admin\AppData\Local\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:4168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 584
  2⤵
  - Program crash
  PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3980 -ip 3980
1⤵
PID:4500

Network

DNS

google.com

services.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

100.109.107.42
GET

http://www.google.com/

services.exe

Remote address:

100.109.107.42:80

Request

GET / HTTP/1.0
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.10
Host: www.google.com
Connection: Close

Response

HTTP/1.0 200 OK
DNS

xlamzju-lrychj.info

services.exe

Remote address:

8.8.8.8:53

Request

xlamzju-lrychj.info

IN A

Response

xlamzju-lrychj.info

IN A

100.110.175.114
POST

http://xlamzju-lrychj.info/telnet_cmd.php

services.exe

Remote address:

100.110.175.114:80

Request

POST /telnet_cmd.php HTTP/1.0
User-Agent: Opera/9.61
Host: xlamzju-lrychj.info
Referer: http://xlamzju-lrychj.info
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

Response

HTTP/1.0 200 OK
POST

http://xlamzju-lrychj.info/telnet_cmd.php

services.exe

Remote address:

100.110.175.114:80

Request

POST /telnet_cmd.php HTTP/1.0
User-Agent: Opera/9.61
Host: xlamzju-lrychj.info
Referer: http://xlamzju-lrychj.info
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

Response

HTTP/1.0 200 OK
DNS

110.86.109.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

110.86.109.100.in-addr.arpa

IN PTR

Response

110.86.109.100.in-addr.arpa

IN A

100.79.5.209
DNS

4.211.107.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.211.107.100.in-addr.arpa

IN PTR

Response

4.211.107.100.in-addr.arpa

IN A

100.119.217.146
DNS

169.102.105.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.102.105.100.in-addr.arpa

IN PTR

Response

169.102.105.100.in-addr.arpa

IN A

100.96.141.155
DNS

42.107.109.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

42.107.109.100.in-addr.arpa

IN PTR

Response

42.107.109.100.in-addr.arpa

IN A

100.87.157.49
DNS

114.175.110.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.175.110.100.in-addr.arpa

IN PTR

Response

114.175.110.100.in-addr.arpa

IN A

100.69.30.250
DNS

135.121.66.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

135.121.66.100.in-addr.arpa

IN PTR

Response

135.121.66.100.in-addr.arpa

IN A

100.74.186.115
DNS

75.122.75.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.122.75.100.in-addr.arpa

IN PTR

Response

75.122.75.100.in-addr.arpa

IN A

100.92.3.35
DNS

123.107.94.100.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.107.94.100.in-addr.arpa

IN PTR

Response

123.107.94.100.in-addr.arpa

IN A

100.103.63.152

100.109.107.42:80

http://www.google.com/

http

services.exe

458 B
354 B
7
8

HTTP Request

GET http://www.google.com/

HTTP Response

200
100.110.175.114:80

http://xlamzju-lrychj.info/telnet_cmd.php

http

services.exe

823 B
354 B
7
8

HTTP Request

POST http://xlamzju-lrychj.info/telnet_cmd.php

HTTP Response

200
100.110.175.114:80

http://xlamzju-lrychj.info/telnet_cmd.php

http

services.exe

868 B
354 B
7
8

HTTP Request

POST http://xlamzju-lrychj.info/telnet_cmd.php

HTTP Response

200

8.8.8.8:53

google.com

dns

services.exe

56 B
82 B
1
1

DNS Request

google.com

DNS Response

100.109.107.42
8.8.8.8:53

xlamzju-lrychj.info

dns

services.exe

65 B
100 B
1
1

DNS Request

xlamzju-lrychj.info

DNS Response

100.110.175.114
8.8.8.8:53

110.86.109.100.in-addr.arpa

dns

73 B
116 B
1
1

DNS Request

110.86.109.100.in-addr.arpa

DNS Response

100.79.5.209
8.8.8.8:53

4.211.107.100.in-addr.arpa

dns

72 B
114 B
1
1

DNS Request

4.211.107.100.in-addr.arpa

DNS Response

100.119.217.146
8.8.8.8:53

169.102.105.100.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

169.102.105.100.in-addr.arpa

DNS Response

100.96.141.155
8.8.8.8:53

42.107.109.100.in-addr.arpa

dns

73 B
116 B
1
1

DNS Request

42.107.109.100.in-addr.arpa

DNS Response

100.87.157.49
8.8.8.8:53

114.175.110.100.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

114.175.110.100.in-addr.arpa

DNS Response

100.69.30.250
8.8.8.8:53

135.121.66.100.in-addr.arpa

dns

73 B
116 B
1
1

DNS Request

135.121.66.100.in-addr.arpa

DNS Response

100.74.186.115
8.8.8.8:53

75.122.75.100.in-addr.arpa

dns

72 B
114 B
1
1

DNS Request

75.122.75.100.in-addr.arpa

DNS Response

100.92.3.35
8.8.8.8:53

123.107.94.100.in-addr.arpa

dns

73 B
116 B
1
1

DNS Request

123.107.94.100.in-addr.arpa

DNS Response

100.103.63.152

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
12KB

MD5
44ad16455efc3051fd00fe73e3bb7e40

SHA1
198bd41511981e7307cc2513ce7030aa5b8e0c0d

SHA256
78f000c1901081a2b7f43e55843ba89b3ed2be2cab2c3c36f04c768800863940

SHA512
09125cf385d4c0cbdf540d05114b1e7b018c950ff44b6cebe8d4e3ed3103bf08b41045a45597d84b63a2c3746ea21a8a15724017b61c02b0f9b116a9f277238d

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
12KB

MD5
44ad16455efc3051fd00fe73e3bb7e40

SHA1
198bd41511981e7307cc2513ce7030aa5b8e0c0d

SHA256
78f000c1901081a2b7f43e55843ba89b3ed2be2cab2c3c36f04c768800863940

SHA512
09125cf385d4c0cbdf540d05114b1e7b018c950ff44b6cebe8d4e3ed3103bf08b41045a45597d84b63a2c3746ea21a8a15724017b61c02b0f9b116a9f277238d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.