Analysis
-
max time kernel
122s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
13/01/2024, 02:32 UTC
Behavioral task
behavioral1
Sample
57c0c96f77cfe14b32dd935d8b731c2c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
57c0c96f77cfe14b32dd935d8b731c2c.exe
Resource
win10v2004-20231215-en
General
-
Target
57c0c96f77cfe14b32dd935d8b731c2c.exe
-
Size
133KB
-
MD5
57c0c96f77cfe14b32dd935d8b731c2c
-
SHA1
4731392ffd0cb79526c41297b334eb34a808da38
-
SHA256
a38a76075926f127b08d91dc5878b1dbab59f8d199e252f600fd75a80514cdfe
-
SHA512
34f8da9079bbdeaf2830067414a2e9e95e1ab84c6bdcff87484c479f04709c9711f78253acf976c5e937a9d85fec183e97a772d8340bcd00ea9b309a9753223c
-
SSDEEP
3072:lhiE4lDQJt3nOP84/c2JNGSlGNisCb+LD8YrVM+Q:WE4lmt3O0M3opCb+v8Yr/Q
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2424 57c0c96f77cfe14b32dd935d8b731c2c.exe -
Executes dropped EXE 1 IoCs
pid Process 2424 57c0c96f77cfe14b32dd935d8b731c2c.exe -
Loads dropped DLL 1 IoCs
pid Process 320 57c0c96f77cfe14b32dd935d8b731c2c.exe -
resource yara_rule
behavioral1/memory/320-0-0x0000000000400000-0x0000000000486000-memory.dmp upx
behavioral1/files/0x0008000000012222-11.dat upx
behavioral1/memory/320-15-0x0000000000270000-0x00000000002F6000-memory.dmp upx
-
Modifies system certificate store 4 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 57c0c96f77cfe14b32dd935d8b731c2c.exe
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405 57c0c96f77cfe14b32dd935d8b731c2c.exe
Set value (data) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 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 57c0c96f77cfe14b32dd935d8b731c2c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 57c0c96f77cfe14b32dd935d8b731c2c.exe
Note: both thumbprints appear to match the publicly known Let's Encrypt chain (ISRG Root X1 and the R3 intermediate), so these writes are plausibly the CryptoAPI certificate cache being populated by the HTTPS request to cutit.org rather than a rogue root being installed; confirm by decoding the Blob values before treating this as a trust-store tampering indicator.
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 320 57c0c96f77cfe14b32dd935d8b731c2c.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 320 57c0c96f77cfe14b32dd935d8b731c2c.exe 2424 57c0c96f77cfe14b32dd935d8b731c2c.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 320 wrote to memory of 2424 320 57c0c96f77cfe14b32dd935d8b731c2c.exe 29
PID 320 wrote to memory of 2424 320 57c0c96f77cfe14b32dd935d8b731c2c.exe 29
PID 320 wrote to memory of 2424 320 57c0c96f77cfe14b32dd935d8b731c2c.exe 29
PID 320 wrote to memory of 2424 320 57c0c96f77cfe14b32dd935d8b731c2c.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe
"C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe
C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:2424
-
Network
-
Remote address: 8.8.8.8:53
Request: cutit.org IN A
Response: cutit.org IN A 64.91.240.248
-
Remote address: 64.91.240.248:443
Request
GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: cutit.org
Cache-Control: no-cache
Response
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request: ww12.cutit.org IN A
Response: ww12.cutit.org IN CNAME 726512.parkingcrew.net
726512.parkingcrew.net IN A 13.248.148.254
726512.parkingcrew.net IN A 76.223.26.96
-
Remote address: 13.248.148.254:80
Request
GET /oxgBR?usid=25&utid=4725258393 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww12.cutit.org
-
Remote address: 8.8.8.8:53
Request: q.gs IN A
Response: q.gs IN A 104.21.84.133
q.gs IN A 172.67.193.84
-
Remote address: 8.8.8.8:53
Request: q.gs IN A
-
Remote address: 104.21.84.133:80
Request
GET /EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: q.gs
Cache-Control: no-cache
Response
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=juuh4vnccafo1806ocqme6p1m3; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lcj9mDQesSo5lnVNQc4U7CqYZeDmE6eEfR2C1cD%2F2u%2BmOZ%2BevOHxilYFaa34ZW%2BwACa38UOYyHtx9egvKczzq2%2BwdHG4crHRAi5r2AHCur%2FGVuGZrcDd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844a3c2e489c7330-LHR
alt-svc: h2=":443"; ma=60
-
Remote address: 8.8.8.8:53
Request: yxeepsek.net IN A
Response: yxeepsek.net IN A 172.67.194.101
yxeepsek.net IN A 104.21.20.204
-
GET http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213 57c0c96f77cfe14b32dd935d8b731c2c.exe
Remote address: 172.67.194.101:80
Request
GET /-20RWJP/EVnYC?rndad=1502943035-1705113213 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Response
HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=petr6l4kqh19irrb0m2jnn8aeo; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xlq%2FHfdJJzOIuv9RuhLk87fT59LE430ISYlku0L21STWsfVautmq0uytP7YMytuvYHesGxTI6PG02EVgKTvK0gI4jE6urDLfw4ptIRLL0u6c4BYue83QjcOCOLS8VvQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844a3c304fb47767-LHR
alt-svc: h2=":443"; ma=60
-
Remote address: 172.67.194.101:80
Request
GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=petr6l4kqh19irrb0m2jnn8aeo
Response
HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f4TfNCNMA1kF4xcHufv%2FEkaDBq8vyYTJ6ZsjsVttoeMP57oYdiQEGd17ZUJLOKM7QoHOZctMOJrxD93e1jWkMEFOBPlrrBBGp6Xrdkf7Xvz15r0yyo33LrOrF9ZGg50%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844a3c31b8d67767-LHR
alt-svc: h2=":443"; ma=60
-
1.6kB 3.4kB 14 8
HTTP Request
GET https://cutit.org/oxgBR
HTTP Response
302 -
13.248.148.254:80 http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393 http 57c0c96f77cfe14b32dd935d8b731c2c.exe 494 B 88 B 6 2
HTTP Request
GET http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393 -
480 B 2.1kB 7 5
HTTP Request
GET http://q.gs/EVnYC
HTTP Response
301 -
172.67.194.101:80 http://yxeepsek.net/suspended?a=3&u=20186239 http 57c0c96f77cfe14b32dd935d8b731c2c.exe 831 B 3.2kB 8 9
HTTP Request
GET http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213
HTTP Response
302
HTTP Request
GET http://yxeepsek.net/suspended?a=3&u=20186239
HTTP Response
200
-
55 B 71 B 1 1
DNS Request
cutit.org
DNS Response
64.91.240.248
-
60 B 128 B 1 1
DNS Request
ww12.cutit.org
DNS Response
13.248.148.254
76.223.26.96
-
100 B 82 B 2 1
DNS Request
q.gs
DNS Request
q.gs
DNS Response
104.21.84.133
172.67.193.84
-
58 B 90 B 1 1
DNS Request
yxeepsek.net
DNS Response
172.67.194.101
104.21.20.204
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
133KB
MD5
593fb148b7a8917f7a4f06d2929f56aa
SHA1
6417d5ae72c4b30db3ce4ce954b3b9d7d3b1778a
SHA256
bb991158bf68358e0de92c12e062ae4031197ccb54b11e44b6432e9788c329de
SHA512
10c9355ff6745f50b186e8501574bf2850657f661477871fbcd8df147167f255f8db4e819b126b44a7d20168c88c7cdfd296042532d5ae4f743bf22c66e98c8c