Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/01/2024, 05:19 UTC

General

  • Target

    66cc0838432b2b0f1334f589739a3da5.exe

  • Size

    5.5MB

  • MD5

    66cc0838432b2b0f1334f589739a3da5

  • SHA1

    1e3b883c44e992b89ba2467a99ad090afc40ab78

  • SHA256

    e17d28bf3522f3531241be03ff2e93a7cb2efa8d0335be8555d6426de3761795

  • SHA512

    50e61218da095830f5fc0e997f0e521e4087a27a75d197eb6daea06dbdfd8c47708c6b3956524bc5ec52e0d80e8d9a42e3155f954ce30c37009efbba09167e2c

  • SSDEEP

    49152:MLkHdpIgiTBOZm8Q+7kJTi9r9L6pH0JL5kzad2ay3vRmCFOGNj8mW4JH53R+wVGf:DvQd+wH0JmGQ35mCckFR+vicS43

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe
    "C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe
      C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      PID:4228

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    cutit.org
    66cc0838432b2b0f1334f589739a3da5.exe
    Remote address:
    8.8.8.8:53
    Request
    cutit.org
    IN A
    Response
    cutit.org
    IN A
    64.91.240.248
  • flag-us
    GET
    https://cutit.org/oxgBR
    66cc0838432b2b0f1334f589739a3da5.exe
    Remote address:
    64.91.240.248:443
    Request
    GET /oxgBR HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: cutit.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Date: Fri, 19 Jan 2024 05:19:59 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
    X-Powered-By: PHP/5.4.16
    Connection: close
    Cache-Control: no-cache
    Pragma: no-cache
    Location: http://ww1.cutit.org/oxgBR?usid=25&utid=4815561107
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    248.240.91.64.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    248.240.91.64.in-addr.arpa
    IN PTR
    Response
    248.240.91.64.in-addr.arpa
    IN PTR
    crocodile.parklogic.com
  • flag-us
    DNS
    40.13.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.13.222.173.in-addr.arpa
    IN PTR
    Response
    40.13.222.173.in-addr.arpa
    IN PTR
    a173-222-13-40.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    ww1.cutit.org
    66cc0838432b2b0f1334f589739a3da5.exe
    Remote address:
    8.8.8.8:53
    Request
    ww1.cutit.org
    IN A
    Response
    ww1.cutit.org
    IN CNAME
    sedoparking.com
    sedoparking.com
    IN A
    64.190.63.136
  • flag-de
    GET
    http://ww1.cutit.org/oxgBR?usid=25&utid=4815561107
    66cc0838432b2b0f1334f589739a3da5.exe
    Remote address:
    64.190.63.136:80
    Request
    GET /oxgBR?usid=25&utid=4815561107 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Cache-Control: no-cache
    Host: ww1.cutit.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    date: Fri, 19 Jan 2024 05:19:59 GMT
    content-type: text/html; charset=UTF-8
    transfer-encoding: chunked
    vary: Accept-Encoding
    x-powered-by: PHP/8.1.17
    expires: Mon, 26 Jul 1997 05:00:00 GMT
    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    pragma: no-cache
    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0wZMztc0wnQgc0g91/OOBtxXLNQ9JM8/LR0Fe1lGR0W76GgOpfa66sYYkCS5trvlrok4Xi5NioSwhJ67B2hbnQ==
    last-modified: Fri, 19 Jan 2024 05:19:59 GMT
    x-cache-miss-from: parking-6bdf4777f8-qhzl9
    server: NginX
  • flag-us
    DNS
    193.179.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    193.179.17.96.in-addr.arpa
    IN PTR
    Response
    193.179.17.96.in-addr.arpa
    IN PTR
    a96-17-179-193.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    136.63.190.64.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.63.190.64.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    168.253.116.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.253.116.51.in-addr.arpa
    IN PTR
    Response
  • 20.231.121.79:80
    156 B
    3
  • 64.91.240.248:443
    https://cutit.org/oxgBR
    tls, http
    66cc0838432b2b0f1334f589739a3da5.exe
    1.2kB
    3.9kB
    15
    10

    HTTP Request

    GET https://cutit.org/oxgBR

    HTTP Response

    302
  • 64.190.63.136:80
    http://ww1.cutit.org/oxgBR?usid=25&utid=4815561107
    http
    66cc0838432b2b0f1334f589739a3da5.exe
    1.6kB
    24.3kB
    30
    22

    HTTP Request

    GET http://ww1.cutit.org/oxgBR?usid=25&utid=4815561107

    HTTP Response

    200
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    cutit.org
    dns
    66cc0838432b2b0f1334f589739a3da5.exe
    55 B
    71 B
    1
    1

    DNS Request

    cutit.org

    DNS Response

    64.91.240.248

  • 8.8.8.8:53
    248.240.91.64.in-addr.arpa
    dns
    72 B
    109 B
    1
    1

    DNS Request

    248.240.91.64.in-addr.arpa

  • 8.8.8.8:53
    40.13.222.173.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    40.13.222.173.in-addr.arpa

  • 8.8.8.8:53
    ww1.cutit.org
    dns
    66cc0838432b2b0f1334f589739a3da5.exe
    59 B
    104 B
    1
    1

    DNS Request

    ww1.cutit.org

    DNS Response

    64.190.63.136

  • 8.8.8.8:53
    193.179.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    193.179.17.96.in-addr.arpa

  • 8.8.8.8:53
    136.63.190.64.in-addr.arpa
    dns
    72 B
    156 B
    1
    1

    DNS Request

    136.63.190.64.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    168.253.116.51.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    168.253.116.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\66cc0838432b2b0f1334f589739a3da5.exe

    Filesize

    5.5MB

    MD5

    74dd4ca9b7e2c3940ba32365398c0f88

    SHA1

    c2898a56cc5b91736784b8278a7b35e73f03d995

    SHA256

    71f0f976677396388d37d6f7bbd367efe4c9530a809e4cbc59eb435565cecaf4

    SHA512

    fb41b13335b7f8814da33543449cf009a107b648df05f723c3ae4726bbebb0727c414f55bf8ef04bbf595e3cc03cb5bf53661715dd11e632e3cfe89dd3606632

  • memory/3212-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/3212-1-0x00000000023D0000-0x000000000262A000-memory.dmp

    Filesize

    2.4MB

  • memory/3212-2-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

  • memory/3212-13-0x0000000000400000-0x0000000000605000-memory.dmp

    Filesize

    2.0MB

  • memory/4228-14-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB

  • memory/4228-16-0x0000000002330000-0x000000000258A000-memory.dmp

    Filesize

    2.4MB

  • memory/4228-30-0x0000000000400000-0x0000000000D9E000-memory.dmp

    Filesize

    9.6MB