Analysis

  • max time kernel: 121s
  • max time network: 138s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 28/12/2023, 22:02 UTC

General

  • Target: fb575b81ad1e487b50b566ff5cbf3233.exe
  • Size: 124KB
  • MD5: fb575b81ad1e487b50b566ff5cbf3233
  • SHA1: cd47476ee360e2daa78425ec08fd21aaf42db6ad
  • SHA256: 7d2411ec44f9d62c21606110c4552cf27e7f96201ff9540bd4e3d333ac9fdf95
  • SHA512: 69a9a553b6eb6612cd0a56079a5e97068bdb409aad28a89a3be5838689da2b74a3ca2def2ae91c1188ebc6f0493d3ea9dad03a3899f8e309fce7bb2fff6e556d
  • SSDEEP: 3072:/Lk395hYXJC45616+PtnOYRoKlYHjy4dR3uINyLjY/Xz:/QqQJ1TLiKCHjtdReIgs/z

Score: 7/10

Malware Config

Signatures

  • Loads dropped DLL (7 IoCs)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs): attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb575b81ad1e487b50b566ff5cbf3233.exe (PID 2804)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb575b81ad1e487b50b566ff5cbf3233.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam

Network

  • DNS query for extratorrent.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: extratorrent.com IN A
    Response: extratorrent.com IN A 104.21.234.163; extratorrent.com IN A 104.21.234.162
  • DNS query for extratorrent.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: extratorrent.com IN A
  • HTTP GET http://extratorrent.com/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 104.21.234.163:80
    Request:
      GET /download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: NSIS_Inetc (Mozilla)
      Host: extratorrent.com
      Connection: Keep-Alive
      Cache-Control: no-cache
    Response:
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 09 Jan 2024 21:27:04 GMT
      Transfer-Encoding: chunked
      Connection: keep-alive
      Cache-Control: max-age=3600
      Expires: Tue, 09 Jan 2024 22:27:04 GMT
      Location: http://extra.to/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xDNSAmKIhIigwYp04amnzwvLXU0VQCmNPEuq1UUukb%2FXklGB2xliFnSM4%2FNwTN6%2B%2FIVsRtCb37deduDuKHxJ0u2TUM7cPhejHM6pnSIbr8KGtEPRbs7Gekuz5vwbG9IVrNeA"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 842fc31a08f648af-LHR
      alt-svc: h3=":443"; ma=86400
  • DNS query for extra.to by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: extra.to IN A
    Response: extra.to IN A 104.21.32.180; extra.to IN A 172.67.153.51
  • HTTP GET http://extra.to/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 104.21.32.180:80
    Request:
      GET /download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent HTTP/1.1
      User-Agent: NSIS_Inetc (Mozilla)
      Connection: Keep-Alive
      Cache-Control: no-cache
      Host: extra.to
    Response:
      HTTP/1.1 522
      Date: Tue, 09 Jan 2024 21:27:19 GMT
      Content-Type: text/plain; charset=UTF-8
      Content-Length: 15
      Connection: keep-alive
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RpBgvxc9%2BPHYShxarbQC1l1K8Rl2t20O88RiEOb%2Ft3WGm9%2FicRhhQbUAkYEL%2FzKdi6DQqDuzSitMlqNGjG%2Fi5KS8mbotYxYXF3cRJkcvTNW%2FsBIJZULo1Es9Og%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      X-Frame-Options: SAMEORIGIN
      Referrer-Policy: same-origin
      Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Server: cloudflare
      CF-RAY: 842fc31ac9c63867-LHR
      alt-svc: h3=":443"; ma=86400
  • DNS query for cmp.torrentsmanager.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: cmp.torrentsmanager.com IN A
    Response: (empty)
  • DNS query for installer.zugo.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: installer.zugo.com IN A
    Response: (empty)
  • DNS query for installer.zugo.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: installer.zugo.com IN A
  • DNS query for installer.zugo.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: installer.zugo.com IN A
  • DNS query for data.oa-software.com by fb575b81ad1e487b50b566ff5cbf3233.exe, remote address 8.8.8.8:53
    Request: data.oa-software.com IN A
    Response: (empty)
  • 104.21.234.163:80, http://extratorrent.com/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent (http), process fb575b81ad1e487b50b566ff5cbf3233.exe: 573 B / 7 packets sent, 1.6kB / 5 packets received
    HTTP Request: GET http://extratorrent.com/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent
    HTTP Response: 301
  • 104.21.32.180:80, http://extra.to/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent (http), process fb575b81ad1e487b50b566ff5cbf3233.exe: 470 B / 6 packets sent, 1.7kB / 5 packets received
    HTTP Request: GET http://extra.to/download/2586826/Real%20Steel%202011%20BRRiP%20XViD%20AbSurdiTy.torrent
    HTTP Response: 522
  • 8.8.8.8:53, extratorrent.com (dns), process fb575b81ad1e487b50b566ff5cbf3233.exe: 124 B / 2 packets sent, 94 B / 1 packet received
    DNS Request: extratorrent.com
    DNS Request: extratorrent.com
    DNS Response: 104.21.234.163, 104.21.234.162
  • 8.8.8.8:53, extra.to (dns), process fb575b81ad1e487b50b566ff5cbf3233.exe: 54 B / 1 packet sent, 86 B / 1 packet received
    DNS Request: extra.to
    DNS Response: 104.21.32.180, 172.67.153.51
  • 8.8.8.8:53, cmp.torrentsmanager.com (dns), process fb575b81ad1e487b50b566ff5cbf3233.exe: 69 B / 1 packet sent, 142 B / 1 packet received
    DNS Request: cmp.torrentsmanager.com
  • 8.8.8.8:53, installer.zugo.com (dns), process fb575b81ad1e487b50b566ff5cbf3233.exe: 192 B / 3 packets sent, 135 B / 1 packet received
    DNS Request: installer.zugo.com
    DNS Request: installer.zugo.com
    DNS Request: installer.zugo.com
  • 8.8.8.8:53, data.oa-software.com (dns), process fb575b81ad1e487b50b566ff5cbf3233.exe: 66 B / 1 packet sent, 139 B / 1 packet received
    DNS Request: data.oa-software.com

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\nsd873A.tmp\NSISdl.dll
    Filesize: 14KB
    MD5: a5f8399a743ab7f9c88c645c35b1ebb5
    SHA1: 168f3c158913b0367bf79fa413357fbe97018191
    SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
    SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
  • \Users\Admin\AppData\Local\Temp\nsd873A.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
  • \Users\Admin\AppData\Local\Temp\nsd873A.tmp\inetc2.dll
    Filesize: 24KB
    MD5: a44440ef6425e359677fb0689f2187d9
    SHA1: 3c81aaa99afd6f12edaf4994d52391dff1200553
    SHA256: a8225e4f81de78d3d372c18695a5723406c4292fdd8c2b9cb03aadbc0b127d60
    SHA512: b3c0b80d8fa08e90aaaa8a32e659d7b71dc0bd4871a18d7dc03886061a5f224c48b1e204e6cd2b2403336659683b2c874b0eed47740e449623644c077e1103a9
  • \Users\Admin\AppData\Local\Temp\nsd873A.tmp\nsDialogs.dll
    Filesize: 9KB
    MD5: c10e04dd4ad4277d5adc951bb331c777
    SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
    SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
    SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
