bd57459a2f276b92b03f6c1a9302bb5f8b6f4b902301be3557f182b5cad960d8

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 05:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

796d7b1934e23131acf7d42199020586.exe
Size

418KB
MD5

796d7b1934e23131acf7d42199020586
SHA1

7a6ac6c44b489c9fa269a859ff4a70c50c68c846
SHA256

bd57459a2f276b92b03f6c1a9302bb5f8b6f4b902301be3557f182b5cad960d8
SHA512

ca3d3fd1f963b3529db396ecd2e3537a09f603f3faca3ec7aaa167c563ac0a5065962dd08f7fabb6644f6490e1d93438361fc567c36a9adcaff9bef3e61b2883
SSDEEP

12288:sY5Ymqw/87Z2ljexOX8E5AY4mof/O3oqYiQB:sY5Ymqq87ZG2OmnFW3pT

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WdkelrI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\796d7b1934e23131acf7d42199020586.exe"	796d7b1934e23131acf7d42199020586.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4024	372	WerFault.exe	85

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
372	796d7b1934e23131acf7d42199020586.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
372	796d7b1934e23131acf7d42199020586.exe

C:\Users\Admin\AppData\Local\Temp\796d7b1934e23131acf7d42199020586.exe
"C:\Users\Admin\AppData\Local\Temp\796d7b1934e23131acf7d42199020586.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
PID:372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 384
  2⤵
  - Program crash
  PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 372 -ip 372
1⤵
PID:3856

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

dl.dropbox.com

796d7b1934e23131acf7d42199020586.exe

Remote address:

8.8.8.8:53

Request

dl.dropbox.com

IN A

Response

dl.dropbox.com

IN CNAME

edge-block-www-env.dropbox-dns.com

edge-block-www-env.dropbox-dns.com

IN A

162.125.65.15
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
GET

http://dl.dropbox.com/u/27620206/index.html

796d7b1934e23131acf7d42199020586.exe

Remote address:

162.125.65.15:80

Request

GET /u/27620206/index.html HTTP/1.1
Host: dl.dropbox.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Response

HTTP/1.1 301 Moved Permanently

location: https://dl.dropbox.com/u/27620206/index.html
date: Sat, 27 Jan 2024 05:46:16 GMT
server: envoy
x-dropbox-request-id: 41c7fd99ab8f4f1e863a92e8f888c5ce
content-length: 0
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.65.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.65.125.162.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

104.246.116.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.246.116.51.in-addr.arpa

IN PTR

Response

162.125.65.15:80

http://dl.dropbox.com/u/27620206/index.html

http

796d7b1934e23131acf7d42199020586.exe

394 B
389 B
5
4

HTTP Request

GET http://dl.dropbox.com/u/27620206/index.html

HTTP Response

301

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

81.171.91.138.in-addr.arpa
8.8.8.8:53

dl.dropbox.com

dns

796d7b1934e23131acf7d42199020586.exe

60 B
121 B
1
1

DNS Request

dl.dropbox.com

DNS Response

162.125.65.15
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

15.65.125.162.in-addr.arpa

dns

72 B
122 B
1
1

DNS Request

15.65.125.162.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

104.246.116.51.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

104.246.116.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-0-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/372-2-0x00000000006C0000-0x0000000000707000-memory.dmp

Filesize
284KB

Download
memory/372-4-0x0000000000520000-0x000000000052D000-memory.dmp

Filesize
52KB

Download
memory/372-3-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/372-6-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/372-5-0x0000000002AA0000-0x0000000002B17000-memory.dmp

Filesize
476KB

Download
memory/372-8-0x00000000006C0000-0x0000000000707000-memory.dmp

Filesize
284KB

Download
memory/372-9-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.