Analysis

  • max time kernel
    122s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2024, 02:32 UTC

General

  • Target

    57c0c96f77cfe14b32dd935d8b731c2c.exe

  • Size

    133KB

  • MD5

    57c0c96f77cfe14b32dd935d8b731c2c

  • SHA1

    4731392ffd0cb79526c41297b334eb34a808da38

  • SHA256

    a38a76075926f127b08d91dc5878b1dbab59f8d199e252f600fd75a80514cdfe

  • SHA512

    34f8da9079bbdeaf2830067414a2e9e95e1ab84c6bdcff87484c479f04709c9711f78253acf976c5e937a9d85fec183e97a772d8340bcd00ea9b309a9753223c

  • SSDEEP

    3072:lhiE4lDQJt3nOP84/c2JNGSlGNisCb+LD8YrVM+Q:WE4lmt3O0M3opCb+v8Yr/Q

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe
    "C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe
      C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:2424

Network

  • flag-us
    DNS
    cutit.org
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    64.91.240.248
  • flag-us
    GET
    https://cutit.org/oxgBR
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    64.91.240.248:443
    Request
    GET /oxgBR HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: cutit.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 13 Jan 2024 02:32:54 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
    X-Powered-By: PHP/5.4.16
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Location: http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    ww12.cutit.org
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    8.8.8.8:53
    Request
    ww12.cutit.org
    IN A
    Response
    ww12.cutit.org
    IN CNAME
    726512.parkingcrew.net
    726512.parkingcrew.net
    IN A
    13.248.148.254
    726512.parkingcrew.net
    IN A
    76.223.26.96
  • flag-us
    GET
    http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    13.248.148.254:80
    Request
    GET /oxgBR?usid=25&utid=4725258393 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: ww12.cutit.org
  • flag-us
    DNS
    q.gs
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    8.8.8.8:53
    Request
    q.gs
    IN A
    Response
    q.gs
    IN A
    104.21.84.133
    q.gs
    IN A
    172.67.193.84
  • flag-us
    DNS
    q.gs
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    8.8.8.8:53
    Request
    q.gs
    IN A
  • flag-us
    GET
    http://q.gs/EVnYC
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    104.21.84.133:80
    Request
    GET /EVnYC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: q.gs
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 13 Jan 2024 02:33:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=juuh4vnccafo1806ocqme6p1m3; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lcj9mDQesSo5lnVNQc4U7CqYZeDmE6eEfR2C1cD%2F2u%2BmOZ%2BevOHxilYFaa34ZW%2BwACa38UOYyHtx9egvKczzq2%2BwdHG4crHRAi5r2AHCur%2FGVuGZrcDd"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 844a3c2e489c7330-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    yxeepsek.net
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    172.67.194.101
    yxeepsek.net
    IN A
    104.21.20.204
  • flag-us
    GET
    http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /-20RWJP/EVnYC?rndad=1502943035-1705113213 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Sat, 13 Jan 2024 02:33:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=petr6l4kqh19irrb0m2jnn8aeo; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xlq%2FHfdJJzOIuv9RuhLk87fT59LE430ISYlku0L21STWsfVautmq0uytP7YMytuvYHesGxTI6PG02EVgKTvK0gI4jE6urDLfw4ptIRLL0u6c4BYue83QjcOCOLS8VvQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 844a3c304fb47767-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    GET
    http://yxeepsek.net/suspended?a=3&u=20186239
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=petr6l4kqh19irrb0m2jnn8aeo
    Response
    HTTP/1.1 200 OK
    Date: Sat, 13 Jan 2024 02:33:33 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f4TfNCNMA1kF4xcHufv%2FEkaDBq8vyYTJ6ZsjsVttoeMP57oYdiQEGd17ZUJLOKM7QoHOZctMOJrxD93e1jWkMEFOBPlrrBBGp6Xrdkf7Xvz15r0yyo33LrOrF9ZGg50%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 844a3c31b8d67767-LHR
    alt-svc: h2=":443"; ma=60
  • 64.91.240.248:443
    https://cutit.org/oxgBR
    tls, http
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    1.6kB
    3.4kB
    14
    8

    HTTP Request

    GET https://cutit.org/oxgBR

    HTTP Response

    302
  • 13.248.148.254:80
    http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393
    http
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    494 B
    88 B
    6
    2

    HTTP Request

    GET http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393
  • 104.21.84.133:80
    http://q.gs/EVnYC
    http
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    480 B
    2.1kB
    7
    5

    HTTP Request

    GET http://q.gs/EVnYC

    HTTP Response

    301
  • 172.67.194.101:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    831 B
    3.2kB
    8
    9

    HTTP Request

    GET http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    cutit.org
    dns
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    55 B
    71 B
    1
    1

    DNS Request

    cutit.org

    DNS Response

    64.91.240.248

  • 8.8.8.8:53
    ww12.cutit.org
    dns
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    60 B
    128 B
    1
    1

    DNS Request

    ww12.cutit.org

    DNS Response

    13.248.148.254
    76.223.26.96

  • 8.8.8.8:53
    q.gs
    dns
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    100 B
    82 B
    2
    1

    DNS Request

    q.gs

    DNS Request

    q.gs

    DNS Response

    104.21.84.133
    172.67.193.84

  • 8.8.8.8:53
    yxeepsek.net
    dns
    57c0c96f77cfe14b32dd935d8b731c2c.exe
    58 B
    90 B
    1
    1

    DNS Request

    yxeepsek.net

    DNS Response

    172.67.194.101
    104.21.20.204

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe

    Filesize

    133KB

    MD5

    593fb148b7a8917f7a4f06d2929f56aa

    SHA1

    6417d5ae72c4b30db3ce4ce954b3b9d7d3b1778a

    SHA256

    bb991158bf68358e0de92c12e062ae4031197ccb54b11e44b6432e9788c329de

    SHA512

    10c9355ff6745f50b186e8501574bf2850657f661477871fbcd8df147167f255f8db4e819b126b44a7d20168c88c7cdfd296042532d5ae4f743bf22c66e98c8c

  • memory/320-0-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/320-2-0x0000000000150000-0x0000000000171000-memory.dmp

    Filesize

    132KB

  • memory/320-1-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/320-15-0x0000000000270000-0x00000000002F6000-memory.dmp

    Filesize

    536KB

  • memory/320-14-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2424-18-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2424-20-0x0000000000150000-0x0000000000171000-memory.dmp

    Filesize

    132KB

  • memory/2424-42-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB
