Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2023, 19:47 UTC

General

  • Target

    d4241664d57cbee73958005d2d30d510_exe32.exe

  • Size

    60KB

  • MD5

    d4241664d57cbee73958005d2d30d510

  • SHA1

    0122431ddf292c8c8d3ec6bc7799f90aeb33f836

  • SHA256

    96fef3c78f78f180669bdd741be26e6c0a3acb039e6a4235110fc498ad0804e4

  • SHA512

    5cce198150b95fa68f71543837fccfaedee43b3c620fd1f32b797cb7837c88d7499cbecc4a182ad5c0622c4f8d484c957a38fbc2a93c10fd93024c4a4d2d35a3

  • SSDEEP

    1536:Itka3G9MXSRa+ycuCRo0oxNqIxSupVvIZ:Qka29MXZxIZ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4241664d57cbee73958005d2d30d510_exe32.exe
    "C:\Users\Admin\AppData\Local\Temp\d4241664d57cbee73958005d2d30d510_exe32.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\bijaweed.exe
      C:\Users\Admin\AppData\Local\Temp\bijaweed.exe
      2⤵
      • Executes dropped EXE
      PID:1028

Network

  • DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    108.211.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.211.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    icanhazip.com
    bijaweed.exe
    Remote address:
    8.8.8.8:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.18.115.97
    icanhazip.com
    IN A
    104.18.114.97
  • GET
    http://icanhazip.com/
    bijaweed.exe
    Remote address:
    104.18.115.97:80
    Request
    GET / HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
    Host: icanhazip.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Mon, 16 Oct 2023 00:50:25 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=pR.Mcz3eFQoXIl26YQYgXSIQvuxbqXFjDoEQY0kDfmE-1697417425-0-AcTfEoDPkj+DXUKGp45P0v2oeX0/TwLzabMlgf5oVeVF/vtRstLfemxSfBMFPzFpz4QlKgsiLg6MRgpga23VYlo=; path=/; expires=Mon, 16-Oct-23 01:20:25 GMT; domain=.icanhazip.com; HttpOnly; SameSite=None
    Server: cloudflare
    CF-RAY: 816c4ebd3f396681-AMS
    alt-svc: h3=":443"; ma=86400
  • DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    97.115.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.115.18.104.in-addr.arpa
    IN PTR
    Response
  • DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    14.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 104.18.115.97:80
    http://icanhazip.com/
    http
    bijaweed.exe
    457 B
    718 B
    6
    4

    HTTP Request

    GET http://icanhazip.com/

    HTTP Response

    200
  • 188.120.194.101:13142
    bijaweed.exe
    156 B
    3
  • 96.37.204.12:443
    bijaweed.exe
    260 B
    5
  • 96.37.204.12:443
    bijaweed.exe
    260 B
    5
  • 66.196.63.33:443
    bijaweed.exe
    260 B
    5
  • 66.196.63.33:443
    bijaweed.exe
    260 B
    5
  • 71.99.130.24:443
    bijaweed.exe
    260 B
    5
  • 71.99.130.24:443
    bijaweed.exe
    208 B
    4
  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    icanhazip.com
    dns
    bijaweed.exe
    59 B
    91 B
    1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.18.115.97
    104.18.114.97

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    97.115.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    97.115.18.104.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    14.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bijaweed.exe

    Filesize

    60KB

    MD5

    82d96254aa987cb34f5678b31e8f8220

    SHA1

    75a6fdf3d68e6d77dec3cf73c7c86ebf1d314b5a

    SHA256

    4f987beceb2dd955e5a4f9981bb4e4c90f78e4d1068acbfe19c3ef4f8d7f6531

    SHA512

    7ed1f35ee61ddb2f4aa1c386e53405ffcc9f5bb8e1bdf1150e13b2edeb5accccdb561740d44f3e3ed2187c5a838d8e58389f17d31271d4aaf0275ba06794a252

  • memory/1028-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1912-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB
