Analysis
-
max time kernel
122s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
13/01/2024, 02:32 UTC
General
-
Target
57c0c96f77cfe14b32dd935d8b731c2c.exe
-
Size
133KB
-
MD5
57c0c96f77cfe14b32dd935d8b731c2c
-
SHA1
4731392ffd0cb79526c41297b334eb34a808da38
-
SHA256
a38a76075926f127b08d91dc5878b1dbab59f8d199e252f600fd75a80514cdfe
-
SHA512
34f8da9079bbdeaf2830067414a2e9e95e1ab84c6bdcff87484c479f04709c9711f78253acf976c5e937a9d85fec183e97a772d8340bcd00ea9b309a9753223c
-
SSDEEP
3072:lhiE4lDQJt3nOP84/c2JNGSlGNisCb+LD8YrVM+Q:WE4lmt3O0M3opCb+v8Yr/Q
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe"C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exeC:\Users\Admin\AppData\Local\Temp\57c0c96f77cfe14b32dd935d8b731c2c.exe2⤵
- Deletes itself
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
-
Network
-
DNScutit.orgRemote address:8.8.8.8:53Requestcutit.orgIN AResponsecutit.orgIN A64.91.240.248 -
GEThttps://cutit.org/oxgBRRemote address:64.91.240.248:443RequestGET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: cutit.org
Cache-Control: no-cache
ResponseHTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Jan 2024 02:32:54 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
DNSww12.cutit.orgRemote address:8.8.8.8:53Requestww12.cutit.orgIN AResponseww12.cutit.orgIN CNAME726512.parkingcrew.net726512.parkingcrew.netIN A13.248.148.254726512.parkingcrew.netIN A76.223.26.96
-
GEThttp://ww12.cutit.org/oxgBR?usid=25&utid=4725258393Remote address:13.248.148.254:80RequestGET /oxgBR?usid=25&utid=4725258393 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: ww12.cutit.org
-
DNSq.gsRemote address:8.8.8.8:53Requestq.gsIN AResponseq.gsIN A104.21.84.133q.gsIN A172.67.193.84
-
DNSq.gsRemote address:8.8.8.8:53Requestq.gsIN A
-
GEThttp://q.gs/EVnYCRemote address:104.21.84.133:80RequestGET /EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: q.gs
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Date: Sat, 13 Jan 2024 02:33:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=juuh4vnccafo1806ocqme6p1m3; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lcj9mDQesSo5lnVNQc4U7CqYZeDmE6eEfR2C1cD%2F2u%2BmOZ%2BevOHxilYFaa34ZW%2BwACa38UOYyHtx9egvKczzq2%2BwdHG4crHRAi5r2AHCur%2FGVuGZrcDd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844a3c2e489c7330-LHR
alt-svc: h2=":443"; ma=60
-
DNSyxeepsek.netRemote address:8.8.8.8:53Requestyxeepsek.netIN AResponseyxeepsek.netIN A172.67.194.101yxeepsek.netIN A104.21.20.204
-
GEThttp://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213Remote address:172.67.194.101:80RequestGET /-20RWJP/EVnYC?rndad=1502943035-1705113213 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
ResponseHTTP/1.1 302 Found
Date: Sat, 13 Jan 2024 02:33:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=petr6l4kqh19irrb0m2jnn8aeo; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xlq%2FHfdJJzOIuv9RuhLk87fT59LE430ISYlku0L21STWsfVautmq0uytP7YMytuvYHesGxTI6PG02EVgKTvK0gI4jE6urDLfw4ptIRLL0u6c4BYue83QjcOCOLS8VvQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844a3c304fb47767-LHR
alt-svc: h2=":443"; ma=60
-
GEThttp://yxeepsek.net/suspended?a=3&u=20186239Remote address:172.67.194.101:80RequestGET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=petr6l4kqh19irrb0m2jnn8aeo
ResponseHTTP/1.1 200 OK
Date: Sat, 13 Jan 2024 02:33:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f4TfNCNMA1kF4xcHufv%2FEkaDBq8vyYTJ6ZsjsVttoeMP57oYdiQEGd17ZUJLOKM7QoHOZctMOJrxD93e1jWkMEFOBPlrrBBGp6Xrdkf7Xvz15r0yyo33LrOrF9ZGg50%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844a3c31b8d67767-LHR
alt-svc: h2=":443"; ma=60
-
64.91.240.248:443https://cutit.org/oxgBRtls, http
HTTP Request
GET https://cutit.org/oxgBRHTTP Response
302 -
13.248.148.254:80http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393http
HTTP Request
GET http://ww12.cutit.org/oxgBR?usid=25&utid=4725258393 -
104.21.84.133:80http://q.gs/EVnYChttp
HTTP Request
GET http://q.gs/EVnYCHTTP Response
301 -
172.67.194.101:80http://yxeepsek.net/suspended?a=3&u=20186239http
HTTP Request
GET http://yxeepsek.net/-20RWJP/EVnYC?rndad=1502943035-1705113213HTTP Response
302HTTP Request
GET http://yxeepsek.net/suspended?a=3&u=20186239HTTP Response
200
-
8.8.8.8:53cutit.orgdns
DNS Request
cutit.org
DNS Response
64.91.240.248
-
8.8.8.8:53ww12.cutit.orgdns
DNS Request
ww12.cutit.org
DNS Response
13.248.148.25476.223.26.96
-
8.8.8.8:53q.gsdns
DNS Request
q.gs
DNS Request
q.gs
DNS Response
104.21.84.133172.67.193.84
-
8.8.8.8:53yxeepsek.netdns
DNS Request
yxeepsek.net
DNS Response
172.67.194.101104.21.20.204
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD5593fb148b7a8917f7a4f06d2929f56aa
SHA16417d5ae72c4b30db3ce4ce954b3b9d7d3b1778a
SHA256bb991158bf68358e0de92c12e062ae4031197ccb54b11e44b6432e9788c329de
SHA51210c9355ff6745f50b186e8501574bf2850657f661477871fbcd8df147167f255f8db4e819b126b44a7d20168c88c7cdfd296042532d5ae4f743bf22c66e98c8c
-
Filesize
536KB
-
Filesize
132KB
-
Filesize
124KB
-
Filesize
536KB
-
Filesize
124KB
-
Filesize
536KB
-
Filesize
132KB
-
Filesize
536KB