Analysis

  • max time kernel
    122s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2023 04:59

General

  • Target

    f8d48f85213d887e26593cbf8289bbea.exe

  • Size

    338KB

  • MD5

    f8d48f85213d887e26593cbf8289bbea

  • SHA1

    033a2268f2d5c0cfe36b0b349c625755e1df54d4

  • SHA256

    a82cff6bab731179fbc7be78fccab6bbf690aef5978b0ea489840b2e10fc3df5

  • SHA512

    c88bbde4590383932485dc1fa1d09302d58138c58baeed858fee54fd978184921ae65ef822f4781dd52f44716b3715705f3778bfca03fe1d7b577b790bd5d2ed

  • SSDEEP

    6144:iew5vMsL1OLtun0ZB6rs71LH1i9DZ0yt5:iR1LUd6rw1LHSDq4

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe
    "C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "f8d48f85213d887e26593cbf8289bbea.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f8d48f85213d887e26593cbf8289bbea.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "f8d48f85213d887e26593cbf8289bbea.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1880
      2⤵
      • Program crash
      PID:3608
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3416 -ip 3416
    1⤵
      PID:4444

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.3.197.209.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.3.197.209.in-addr.arpa
      IN PTR
      Response
      8.3.197.209.in-addr.arpa
      IN PTR
      vip0x008.map2.ssl.hwcdn.net
    • flag-us
      DNS
      72.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      108.211.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      108.211.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      254.7.248.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      254.7.248.8.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      script.google.com
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      8.8.8.8:53
      Request
      script.google.com
      IN A
      Response
      script.google.com
      IN A
      172.217.23.206
    • flag-de
      GET
      http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      172.217.23.206:80
      Request
      GET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Host: script.google.com
      Response
      HTTP/1.1 301 Moved Permanently
      Content-Type: text/html; charset=UTF-8
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 18 Oct 2023 03:31:17 GMT
      Location: https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      Content-Security-Policy: frame-ancestors 'self'
      X-XSS-Protection: 1; mode=block
      Server: GSE
      Accept-Ranges: none
      Vary: Accept-Encoding
      Transfer-Encoding: chunked
    • flag-de
      GET
      https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      172.217.23.206:443
      Request
      GET /macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Host: script.google.com
      Response
      HTTP/1.1 302 Moved Temporarily
      Content-Type: text/html; charset=UTF-8
      Access-Control-Allow-Origin: *
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 18 Oct 2023 03:31:19 GMT
      Location: https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      Content-Security-Policy: frame-ancestors 'self'
      X-XSS-Protection: 1; mode=block
      Server: GSE
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Accept-Ranges: none
      Vary: Accept-Encoding
      Transfer-Encoding: chunked
    • flag-us
      DNS
      206.23.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.217.172.in-addr.arpa
      IN PTR
      Response
      206.23.217.172.in-addr.arpa
      IN PTR
      prg03s05-in-f141.1e100.net
      206.23.217.172.in-addr.arpa
      IN PTR
      prg03s05-in-f206.1e100.net
      206.23.217.172.in-addr.arpa
      IN PTR
      ams16s37-in-f14.1e100.net
    • flag-us
      DNS
      script.googleusercontent.com
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      8.8.8.8:53
      Request
      script.googleusercontent.com
      IN A
      Response
      script.googleusercontent.com
      IN CNAME
      googlehosted.l.googleusercontent.com
      googlehosted.l.googleusercontent.com
      IN A
      142.251.36.1
    • flag-nl
      GET
      https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      142.251.36.1:443
      Request
      GET /macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Host: script.googleusercontent.com
      Response
      HTTP/1.1 200 OK
      Content-Type: text/plain; charset=utf-8
      Access-Control-Allow-Origin: *
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: Mon, 01 Jan 1990 00:00:00 GMT
      Date: Wed, 18 Oct 2023 03:31:19 GMT
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      Content-Security-Policy: frame-ancestors 'self'
      X-XSS-Protection: 1; mode=block
      Server: GSE
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      Accept-Ranges: none
      Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding
      Transfer-Encoding: chunked
    • flag-us
      DNS
      trk.srcstat.com
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      8.8.8.8:53
      Request
      trk.srcstat.com
      IN A
      Response
      trk.srcstat.com
      IN CNAME
      xxe82.bmtrck.com
      xxe82.bmtrck.com
      IN A
      3.70.16.242
    • flag-de
      GET
      http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL
      f8d48f85213d887e26593cbf8289bbea.exe
      Remote address:
      3.70.16.242:80
      Request
      GET /postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Host: trk.srcstat.com
      Response
      HTTP/1.1 400 Bad Request
      Server: openresty
      Date: Wed, 18 Oct 2023 03:31:19 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 134
      Connection: keep-alive
      accept-ch: Sec-CH-UA,Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Full-Version,Sec-CH-UA-Mobile,Sec-CH-UA-Platform,Sec-CH-UA-Model,Sec-CH-UA-Platform-Version,Sec-CH-UA-Reduced
      Access-Control-Allow-Origin: *
      ETag: W/"86-W1anoWM3jbC0X5xVlSksmemF4cY"
      X-Response-Time: 3.511ms
    • flag-us
      DNS
      1.36.251.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.36.251.142.in-addr.arpa
      IN PTR
      Response
      1.36.251.142.in-addr.arpa
      IN PTR
      ams15s44-in-f1.1e100.net
    • flag-us
      DNS
      242.16.70.3.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      242.16.70.3.in-addr.arpa
      IN PTR
      Response
      242.16.70.3.in-addr.arpa
      IN PTR
      ec2-3-70-16-242.eu-central-1.compute.amazonaws.com
    • flag-us
      DNS
      131.109.69.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      131.109.69.13.in-addr.arpa
      IN PTR
      Response
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 5.42.64.2:80
      f8d48f85213d887e26593cbf8289bbea.exe
      260 B
      200 B
      5
      5
    • 172.217.23.206:80
      http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
      http
      f8d48f85213d887e26593cbf8289bbea.exe
      481 B
      1.2kB
      5
      4

      HTTP Request

      GET http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty

      HTTP Response

      301
    • 172.217.23.206:443
      https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty
      tls, http
      f8d48f85213d887e26593cbf8289bbea.exe
      1.0kB
      9.2kB
      10
      13

      HTTP Request

      GET https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=5&ip=NOIP&slots=2222&param=empty

      HTTP Response

      302
    • 142.251.36.1:443
      https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D
      tls, http
      f8d48f85213d887e26593cbf8289bbea.exe
      1.3kB
      10.5kB
      10
      13

      HTTP Request

      GET https://script.googleusercontent.com/macros/echo?user_content_key=LNXWMrdWN6ZYOWDHMAtSe_YWxqkkvbDjxK2eI2pgBj8YMAIlZyu3GE8GykcoESaC6avrDKoaQx-p-sQ0JUV0hkTOReBTPCeuOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6zqvS4V0cmy1dEEXVXg5zXDjcYCeAylu8DyVhn7i0fteRV_StcynBwb4deQK9NYe9nyjGugVZE-wIMxqgQX8JhELwW1HKFlogGMzl5YZMv-zanmfUJ0nV5QOX3d-7DXRm3Ta&lib=MAg_X_j8YJSR0PZgL-LNb21v93CYKtC0D

      HTTP Response

      200
    • 3.70.16.242:80
      http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL
      http
      f8d48f85213d887e26593cbf8289bbea.exe
      440 B
      778 B
      6
      4

      HTTP Request

      GET http://trk.srcstat.com/postback?cid=REPLACE&payout=OPTIONAL&txid=OPTIONAL

      HTTP Response

      400
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      2.136.104.51.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      2.136.104.51.in-addr.arpa

    • 8.8.8.8:53
      8.3.197.209.in-addr.arpa
      dns
      70 B
      111 B
      1
      1

      DNS Request

      8.3.197.209.in-addr.arpa

    • 8.8.8.8:53
      72.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      72.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      108.211.229.192.in-addr.arpa
      dns
      74 B
      145 B
      1
      1

      DNS Request

      108.211.229.192.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      254.7.248.8.in-addr.arpa
      dns
      70 B
      124 B
      1
      1

      DNS Request

      254.7.248.8.in-addr.arpa

    • 8.8.8.8:53
      script.google.com
      dns
      f8d48f85213d887e26593cbf8289bbea.exe
      63 B
      79 B
      1
      1

      DNS Request

      script.google.com

      DNS Response

      172.217.23.206

    • 8.8.8.8:53
      206.23.217.172.in-addr.arpa
      dns
      73 B
      173 B
      1
      1

      DNS Request

      206.23.217.172.in-addr.arpa

    • 8.8.8.8:53
      script.googleusercontent.com
      dns
      f8d48f85213d887e26593cbf8289bbea.exe
      74 B
      119 B
      1
      1

      DNS Request

      script.googleusercontent.com

      DNS Response

      142.251.36.1

    • 8.8.8.8:53
      trk.srcstat.com
      dns
      f8d48f85213d887e26593cbf8289bbea.exe
      61 B
      104 B
      1
      1

      DNS Request

      trk.srcstat.com

      DNS Response

      3.70.16.242

    • 8.8.8.8:53
      1.36.251.142.in-addr.arpa
      dns
      71 B
      109 B
      1
      1

      DNS Request

      1.36.251.142.in-addr.arpa

    • 8.8.8.8:53
      242.16.70.3.in-addr.arpa
      dns
      70 B
      134 B
      1
      1

      DNS Request

      242.16.70.3.in-addr.arpa

    • 8.8.8.8:53
      131.109.69.13.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      131.109.69.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/3416-1-0x0000000000920000-0x0000000000A20000-memory.dmp

      Filesize

      1024KB

    • memory/3416-2-0x00000000008D0000-0x000000000090E000-memory.dmp

      Filesize

      248KB

    • memory/3416-3-0x0000000000400000-0x0000000000723000-memory.dmp

      Filesize

      3.1MB

    • memory/3416-4-0x0000000000400000-0x0000000000723000-memory.dmp

      Filesize

      3.1MB

    • memory/3416-5-0x0000000000920000-0x0000000000A20000-memory.dmp

      Filesize

      1024KB

    • memory/3416-6-0x00000000008D0000-0x000000000090E000-memory.dmp

      Filesize

      248KB

    • memory/3416-7-0x0000000000400000-0x0000000000723000-memory.dmp

      Filesize

      3.1MB

    • memory/3416-10-0x0000000000400000-0x0000000000723000-memory.dmp

      Filesize

      3.1MB
