Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2024 12:19
Behavioral task: behavioral1
Sample: 58e68c34dce6a7a66593b557954cd50b.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 58e68c34dce6a7a66593b557954cd50b.exe
Resource: win10v2004-20231222-en
General
Target: 58e68c34dce6a7a66593b557954cd50b.exe
Size: 1.3MB
MD5: 58e68c34dce6a7a66593b557954cd50b
SHA1: 1d1de139015861736ef94ce6c69b5974c9ecd78f
SHA256: a5c0d7a6ba2435920c2177373572f471f4f25933e6c1ab9c805e0e8ca4eebfc8
SHA512: 9e7fc799bceef03471bdbbefb3ae59e6381c71f3f87d8f88ad98a247b9d86330f5ecdd8f4c3b78d798aac6a71e920459e06e82d8ccdb9c9887bf46697a722cd7
SSDEEP: 24576:Zf6fyqSKowooryzVCpmeJEs28GhiS+fxTACT7E275T0A6vG:Zf6aqSKqJgJo8Gh/YxdTn75w
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2664  58e68c34dce6a7a66593b557954cd50b.exe
- Executes dropped EXE (1 IoC)
  pid 2664  58e68c34dce6a7a66593b557954cd50b.exe
- Loads dropped DLL (1 IoC)
  pid 2216  58e68c34dce6a7a66593b557954cd50b.exe
- yara_rule upx matched on the following resources:
  behavioral1/memory/2216-0-0x0000000000400000-0x000000000086A000-memory.dmp
  behavioral1/files/0x0008000000012243-11.dat
  behavioral1/files/0x0008000000012243-16.dat
  behavioral1/memory/2216-15-0x0000000003400000-0x000000000386A000-memory.dmp
  behavioral1/memory/2664-17-0x0000000000400000-0x000000000086A000-memory.dmp
  behavioral1/files/0x0008000000012243-13.dat
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2216  58e68c34dce6a7a66593b557954cd50b.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2216  58e68c34dce6a7a66593b557954cd50b.exe
  pid 2664  58e68c34dce6a7a66593b557954cd50b.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2216 wrote to memory of 2664 (process 58e68c34dce6a7a66593b557954cd50b.exe, procid_target 28), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe"
  PID: 2216
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\58e68c34dce6a7a66593b557954cd50b.exe
    PID: 2664
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
DNS  remote address 8.8.8.8:53
  Request:  zipansion.com IN A
  Response: zipansion.com IN A 104.21.73.114
            zipansion.com IN A 172.67.144.180

HTTP  remote address 104.21.73.114:80
Request:
GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=joc725h7puprgt97vhu8s2e54h; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PEGaLIZBOekpa8MgZycDbtXwmnCvH40gkzfa1%2FgCu8efLv5bj%2BspblO5IRw5%2BW4D1OAR7TnODh9z8dFG3vhd9oFvYvop1TdBEPDkm7dw4DTlWaBAGJca0BmcHFFA%2BW62"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844d9685f9b85315-LHR
alt-svc: h2=":443"; ma=60

DNS  remote address 8.8.8.8:53
  Request:  yxeepsek.net IN A
  Response: yxeepsek.net IN A 172.67.194.101
            yxeepsek.net IN A 104.21.20.204

HTTP  GET http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371  (process 58e68c34dce6a7a66593b557954cd50b.exe)
Remote address 172.67.194.101:80
Request:
GET /-36721PQRJ/2pRLi?rndad=1502943035-1705148371 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Response:
HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=qugnkteqs99726sikb6tugpseh; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CSpExqJo7Sm%2FrlhLahB%2BqP845oAdc7mPiovjgKQDmoJiGD2wpHoe4LJ8O1b9ZOQJLR1RU%2FfUnZuCNfh%2FSWo1%2FlYFGEpJj5M9t%2Bj5kT6TWbuntt8GJMuxDxGHFcKGN8E%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844d9688299579b8-LHR
alt-svc: h2=":443"; ma=60

HTTP  remote address 172.67.194.101:80
Request:
GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=qugnkteqs99726sikb6tugpseh
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bWZwBrTCAsoIJ46YudopkR02%2B4bqJ2y%2Fy5K8dIUO9W%2B1qAfxFH2cZXRbnxAmcxVp%2Fk%2FRRun8LyyDfUBNPzwLuiWrcjh8ZBsVYy20K1nxAS5rvh2o3H9x1fbS00Jw6Bg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 844d9689bbae79b8-LHR
alt-svc: h2=":443"; ma=60

HTTP flow summary
437 B  1.1kB  6  4
  HTTP Request:  GET http://zipansion.com/2pRLi
  HTTP Response: 301
172.67.194.101:80  http://yxeepsek.net/suspended?a=3&u=20186239  http  58e68c34dce6a7a66593b557954cd50b.exe  886 B  3.3kB  9  9
  HTTP Request:  GET http://yxeepsek.net/-36721PQRJ/2pRLi?rndad=1502943035-1705148371
  HTTP Response: 302
  HTTP Request:  GET http://yxeepsek.net/suspended?a=3&u=20186239
  HTTP Response: 200
Downloads