Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-01-2024 12:19

General

  • Target

    58e68c34dce6a7a66593b557954cd50b.exe

  • Size

    1.3MB

  • MD5

    58e68c34dce6a7a66593b557954cd50b

  • SHA1

    1d1de139015861736ef94ce6c69b5974c9ecd78f

  • SHA256

    a5c0d7a6ba2435920c2177373572f471f4f25933e6c1ab9c805e0e8ca4eebfc8

  • SHA512

    9e7fc799bceef03471bdbbefb3ae59e6381c71f3f87d8f88ad98a247b9d86330f5ecdd8f4c3b78d798aac6a71e920459e06e82d8ccdb9c9887bf46697a722cd7

  • SSDEEP

    24576:Zf6fyqSKowooryzVCpmeJEs28GhiS+fxTACT7E275T0A6vG:Zf6aqSKqJgJo8Gh/YxdTn75w

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
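
The "UPX packed file" signature above is a static check on the file itself. The following is an added example (not part of this report and not the sandbox's own detection logic) showing what such a check looks like in stdlib-only Python: it walks the PE section table and scores four independent hints: UPX0/UPX1 section names, a section that is empty on disk but large in memory (the UPX0 unpack destination), the `UPX!` version stamp, and near-maximal entropy in a section's raw data. `build_fake_pe`, `_pseudo_random` and the two samples are constructed test input, not the analysed 58e68c34... file; they are not loadable executables, only enough header structure to exercise the parser.

```python
"""Static UPX indicators from raw PE bytes, stdlib only (no pefile)."""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size, raw_ptr)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rsize, rptr))
    return sections

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def upx_indicators(data: bytes) -> dict:
    """Collect independent UPX hints; call it 'likely' when two or more agree."""
    secs = parse_sections(data)
    upx_names = [s[0].decode() for s in secs if s[0] in UPX_SECTION_NAMES]
    # UPX0 is the unpack destination: zero bytes on disk, large virtual size.
    zero_raw_big_virtual = any(rs == 0 and vs > 0 for _, vs, rs, _ in secs)
    # Compressed data (UPX1) has near-maximal entropy; ordinary code/data does not.
    ent = {n.decode(errors="replace"): round(entropy(data[p:p + rs]), 2)
           for n, _, rs, p in secs if rs}
    marker = b"UPX!" in data  # UPX leaves its version stamp in the file
    hits = [bool(upx_names), zero_raw_big_virtual, marker, any(e > 7.0 for e in ent.values())]
    return {"upx_section_names": upx_names, "zero_raw_big_virtual": zero_raw_big_virtual,
            "upx_marker": marker, "section_entropy": ent, "likely_upx": sum(hits) >= 2}

def build_fake_pe(sections) -> bytes:
    """Constructed test input: minimal PE32 headers around (name, virtual_size, raw_bytes) sections."""
    num, opt_size = len(sections), 0xE0
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 * num + 0x1FF) & ~0x1FF  # 512-byte aligned
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, raw_ptr, vaddr = bytearray(), bytearray(), hdr_len, 0x1000
    for name, vsize, raw in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", vsize, vaddr, len(raw), raw_ptr if raw else 0)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0xE0000060)  # relocs, linenums, characteristics
        body += raw
        raw_ptr += len(raw)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header.ljust(hdr_len, b"\0") + bytes(body)

def _pseudo_random(n: int, seed: bytes = b"upx-demo") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed body."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

# Constructed samples: one laid out like a UPX-packed file, one like a plain build.
PACKED_SAMPLE = build_fake_pe([
    (b"UPX0", 0x200000, b""),                 # empty on disk, big in memory
    (b"UPX1", 0x4000, _pseudo_random(4096)),  # "compressed" payload
    (b".rsrc", 0x1000, b"\0" * 512 + b"UPX!" + b"\0" * 508),
])
CLEAN_SAMPLE = build_fake_pe([
    (b".text", 0x1000, b"\x90" * 1024 + b"\xC3"),
    (b".data", 0x1000, b"\0" * 1024),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(sample))
```

Run against a real file with `upx_indicators(open(path, "rb").read())`. A modified UPX stub commonly renames the sections, which is why the score does not rest on the names alone; the entropy and the empty-on-disk section survive a rename.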

Processes

  • C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe
    "C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe"
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe
      C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2664

Network

  • DNS (US)
    zipansion.com
    58e68c34dce6a7a66593b557954cd50b.exe
    Remote address:
    8.8.8.8:53
    Request
    zipansion.com
    IN A
    Response
    zipansion.com
    IN A
    104.21.73.114
    zipansion.com
    IN A
    172.67.144.180
  • GET (US)
    http://zipansion.com/2pRLi
    58e68c34dce6a7a66593b557954cd50b.exe
    Remote address:
    104.21.73.114:80
    Request
    GET /2pRLi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: zipansion.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 13 Jan 2024 12:19:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=joc725h7puprgt97vhu8s2e54h; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PEGaLIZBOekpa8MgZycDbtXwmnCvH40gkzfa1%2FgCu8efLv5bj%2BspblO5IRw5%2BW4D1OAR7TnODh9z8dFG3vhd9oFvYvop1TdBEPDkm7dw4DTlWaBAGJca0BmcHFFA%2BW62"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 844d9685f9b85315-LHR
    alt-svc: h2=":443"; ma=60
  • DNS (US)
    yxeepsek.net
    58e68c34dce6a7a66593b557954cd50b.exe
    Remote address:
    8.8.8.8:53
    Request
    yxeepsek.net
    IN A
    Response
    yxeepsek.net
    IN A
    172.67.194.101
    yxeepsek.net
    IN A
    104.21.20.204
  • GET (US)
    http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371
    58e68c34dce6a7a66593b557954cd50b.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /-36721PQRJ/2pRLi?rndad=1502943035-1705148371 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Response
    HTTP/1.1 302 Found
    Date: Sat, 13 Jan 2024 12:19:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: FLYSESSID=qugnkteqs99726sikb6tugpseh; path=/; HttpOnly; SameSite=Lax
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-powered-by: adfly
    strict-transport-security: max-age=0
    location: /suspended?a=3&u=20186239
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CSpExqJo7Sm%2FrlhLahB%2BqP845oAdc7mPiovjgKQDmoJiGD2wpHoe4LJ8O1b9ZOQJLR1RU%2FfUnZuCNfh%2FSWo1%2FlYFGEpJj5M9t%2Bj5kT6TWbuntt8GJMuxDxGHFcKGN8E%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 844d9688299579b8-LHR
    alt-svc: h2=":443"; ma=60
  • GET (US)
    http://yxeepsek.net/suspended?a=3&u=20186239
    58e68c34dce6a7a66593b557954cd50b.exe
    Remote address:
    172.67.194.101:80
    Request
    GET /suspended?a=3&u=20186239 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: yxeepsek.net
    Cookie: FLYSESSID=qugnkteqs99726sikb6tugpseh
    Response
    HTTP/1.1 200 OK
    Date: Sat, 13 Jan 2024 12:19:31 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    last-modified: Tue, 10 Nov 2020 09:44:07 GMT
    vary: Accept-Encoding
    x-turbo-charged-by: LiteSpeed
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bWZwBrTCAsoIJ46YudopkR02%2B4bqJ2y%2Fy5K8dIUO9W%2B1qAfxFH2cZXRbnxAmcxVp%2Fk%2FRRun8LyyDfUBNPzwLuiWrcjh8ZBsVYy20K1nxAS5rvh2o3H9x1fbS00Jw6Bg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 844d9689bbae79b8-LHR
    alt-svc: h2=":443"; ma=60
  • 104.21.73.114:80
    http://zipansion.com/2pRLi
    http
    58e68c34dce6a7a66593b557954cd50b.exe
    Sent 437 B, received 1.1kB; packets 6 sent, 4 received

    HTTP Request

    GET http://zipansion.com/2pRLi

    HTTP Response

    301
  • 172.67.194.101:80
    http://yxeepsek.net/suspended?a=3&u=20186239
    http
    58e68c34dce6a7a66593b557954cd50b.exe
    Sent 886 B, received 3.3kB; packets 9 sent, 9 received

    HTTP Request

    GET http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371

    HTTP Response

    302

    HTTP Request

    GET http://yxeepsek.net/suspended?a=3&u=20186239

    HTTP Response

    200
  • 8.8.8.8:53
    zipansion.com
    dns
    58e68c34dce6a7a66593b557954cd50b.exe
    Sent 59 B, received 91 B; packets 1 sent, 1 received

    DNS Request

    zipansion.com

    DNS Response

    104.21.73.114
    172.67.144.180

  • 8.8.8.8:53
    yxeepsek.net
    dns
    58e68c34dce6a7a66593b557954cd50b.exe
    Sent 58 B, received 90 B; packets 1 sent, 1 received

    DNS Request

    yxeepsek.net

    DNS Response

    172.67.194.101
    104.21.20.204
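
The HTTP exchanges above form a redirect chain that an analyst usually wants as one line: entry URL, each hop, and where it finally lands (here a 301 from zipansion.com to yxeepsek.net, a 302 to a relative `/suspended?...` path, and a 200 on that suspended page). Added example, not part of the report: a stdlib-only parser that rebuilds the chain offline from captured responses, resolving the relative `location` against its request URL, plus two checks on the same capture: the `x-powered-by: adfly` fingerprint on both redirectors, and whether the sample's hard-coded User-Agent (`Windows NT 10.0`) agrees with the OS it actually ran on (`windows7_x64`), which it does not. `CAPTURE` is constructed from the report's exchanges with headers trimmed; it is not the sandbox's export format.

```python
"""Rebuild a redirect chain from captured HTTP exchanges, offline (stdlib only)."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed from the exchanges in this report; headers trimmed to those the code inspects.
CAPTURE = [
    ("http://zipansion.com/2pRLi",
     "HTTP/1.1 301 Moved Permanently\r\n"
     "x-powered-by: adfly\r\n"
     "location: http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371\r\n"
     "Server: cloudflare\r\n\r\n"),
    ("http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371",
     "HTTP/1.1 302 Found\r\n"
     "x-powered-by: adfly\r\n"
     "location: /suspended?a=3&u=20186239\r\n"  # relative: resolved against the request URL
     "Server: cloudflare\r\n\r\n"),
    ("http://yxeepsek.net/suspended?a=3&u=20186239",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "Server: cloudflare\r\n\r\n"),
]
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"
SANDBOX_PLATFORM = "windows7_x64"
NT_VERSIONS = {"6.1": "windows7", "6.2": "windows8", "6.3": "windows8.1", "10.0": "windows10"}

def parse_response(raw: str):
    """Return (status_code, {lower-cased header name: value}) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers

def redirect_chain(capture, start=None):
    """Follow Location headers through the capture -> [(url, status)]; status None if a hop was not captured."""
    responses = {url: parse_response(raw) for url, raw in capture}
    url = start or capture[0][0]
    chain, seen = [], set()
    while url not in seen:  # guard against redirect loops
        seen.add(url)
        status, headers = responses.get(url, (None, {}))
        chain.append((url, status))
        if status is None or not 300 <= status < 400 or "location" not in headers:
            break
        url = urljoin(url, headers["location"])  # relative Location -> absolute URL
    return chain

def hosts_in_chain(chain):
    """Distinct hosts touched, in order of first appearance (the blocklist view of the chain)."""
    out = []
    for url, _ in chain:
        host = urlsplit(url).hostname
        if host not in out:
            out.append(host)
    return out

def powered_by_fingerprints(capture):
    """Set of x-powered-by values seen; 'adfly' identifies the URL-shortener service here."""
    return {parse_response(raw)[1].get("x-powered-by") for _, raw in capture} - {None}

def ua_matches_platform(user_agent: str, platform: str) -> bool:
    """True when the UA's 'Windows NT x.y' token agrees with the OS the sample ran on."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return bool(m) and platform.lower().startswith(NT_VERSIONS.get(m.group(1), "\0"))

if __name__ == "__main__":
    chain = redirect_chain(CAPTURE)
    for url, status in chain:
        print(status, url)
    print("hosts:", hosts_in_chain(chain))
    print("x-powered-by:", powered_by_fingerprints(CAPTURE))
    print("UA matches sandbox OS:", ua_matches_platform(USER_AGENT, SANDBOX_PLATFORM))
```

The chain is reconstructed from the capture rather than re-requested, so the shortener's `rndad` token and the suspended landing page are preserved as they were at analysis time; re-fetching a live shortener link from an analyst machine would both alter the evidence and touch attacker infrastructure.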

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe

    Filesize

    166KB

    MD5

    0c98080ca4c755359f093ecb17cc51c5

    SHA1

    758736137f46554214b7a7c63da13845502fb31e

    SHA256

    73228f83fc0edcc7b3fc59297cc047f200180acadde1f49d91dadef4869e3982

    SHA512

    3822efd5854b053b7c5eaca3771ef1bbd33a4e89fef1ed5f68a4402762ed057c124356141dc0aa2731fec50e73b3f9665928bff97c58e0fac7826c3a1011b664

  • C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe

    Filesize

    123KB

    MD5

    c90d8bab3b1be3c9593fdfdc5703869c

    SHA1

    61336ce53414000064c8700d5b33881e145c7e1a

    SHA256

    06f97bb677363512e1847bc9a26c1377ce0c715302d5f9b0ab0140da6c628b1c

    SHA512

    c0f68ffa0baec1058514a822204b55d2e471b6658cd6513405dfe4565f1b7c3274e47f7d5a9dcf313b31e8e977f5d09cb9ad4441bfd25f0a117095b594009749

  • \Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe

    Filesize

    395KB

    MD5

    180860a9a55e49542bca4745982376fc

    SHA1

    9cd15d40a5c6e72a77a39431695eed8ba45bb6a6

    SHA256

    05e09449daedd944e09266dc9cd192811f9b884c86999fea45e5fb1c3618e858

    SHA512

    c318c0ba9dd7c34646e73bfadb9490ea410a7157390cc6e522bc0eae85489006c5ffca15689744dad47951a6aa4602e0ee7434ecdf861dce21dec619fb885510

  • memory/2216-0-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/2216-1-0x0000000000130000-0x0000000000242000-memory.dmp

    Filesize

    1.1MB

  • memory/2216-2-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2216-15-0x0000000003400000-0x000000000386A000-memory.dmp

    Filesize

    4.4MB

  • memory/2216-14-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2664-17-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB

  • memory/2664-19-0x0000000000280000-0x0000000000392000-memory.dmp

    Filesize

    1.1MB

  • memory/2664-18-0x0000000000400000-0x00000000005F2000-memory.dmp

    Filesize

    1.9MB

  • memory/2664-26-0x0000000000400000-0x000000000086A000-memory.dmp

    Filesize

    4.4MB
