e718943a54d1847f6bb2bbcd73c8ebde49b96d5fd6fd253d801feaadb87883c6

Analysis

max time kernel
132s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 04:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7edc154a50a3cd916eabc31434badde3.exe
Size

2.9MB
MD5

7edc154a50a3cd916eabc31434badde3
SHA1

a9d8636415f2bc7ccdb441c075fa4e15f9f68efa
SHA256

e718943a54d1847f6bb2bbcd73c8ebde49b96d5fd6fd253d801feaadb87883c6
SHA512

c7bb889d6d4b7227f1db9c52d160342b0abcec7c68be29cd43a69a807e835d9e4ef30d63f9608fb3a0fccc4990691f7e1c7463fe8878e043f89bf7738f431535
SSDEEP

49152:0YpGiR0MePk2iqP4M338dB2IBlGuuDVUsdxxjeQZwxPYRKs:0Ysg12iqgg3gnl/IVUs1jePs

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1652	7edc154a50a3cd916eabc31434badde3.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	7edc154a50a3cd916eabc31434badde3.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1328-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral2/files/0x0007000000023220-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1328	7edc154a50a3cd916eabc31434badde3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1328	7edc154a50a3cd916eabc31434badde3.exe
1652	7edc154a50a3cd916eabc31434badde3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1652	1328	7edc154a50a3cd916eabc31434badde3.exe	85
PID 1328 wrote to memory of 1652	1328	7edc154a50a3cd916eabc31434badde3.exe	85
PID 1328 wrote to memory of 1652	1328	7edc154a50a3cd916eabc31434badde3.exe	85

C:\Users\Admin\AppData\Local\Temp\7edc154a50a3cd916eabc31434badde3.exe
"C:\Users\Admin\AppData\Local\Temp\7edc154a50a3cd916eabc31434badde3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\7edc154a50a3cd916eabc31434badde3.exe
  C:\Users\Admin\AppData\Local\Temp\7edc154a50a3cd916eabc31434badde3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1652

Network

DNS

zipansion.com

7edc154a50a3cd916eabc31434badde3.exe

Remote address:

8.8.8.8:53

Request

zipansion.com

IN A

Response

zipansion.com

IN A

104.21.73.114

zipansion.com

IN A

172.67.144.180
GET

http://zipansion.com/2pRLi

7edc154a50a3cd916eabc31434badde3.exe

Remote address:

104.21.73.114:80

Request

GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 29 Jan 2024 04:15:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=hus7c9u5h5lk8epvdj01nqfo78; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721KLIQ/2pRLi?rndad=1502943035-1706501744
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9%2BaXZcnbwwt8NHantIRH34gnQeeprcrhHxGD4n5lH2mJQO3CemFs4VbpG6Wfnpy8DbFKLDHlWSqrQOdzPmIszOvn62b5SFEhXEtAj4Apz2u%2BFC0ZzxTNHn2%2Ftaxw07%2BM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cea7df0a265317-LHR
alt-svc: h2=":443"; ma=60
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

114.73.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.73.21.104.in-addr.arpa

IN PTR

Response
DNS

yxeepsek.net

7edc154a50a3cd916eabc31434badde3.exe

Remote address:

8.8.8.8:53

Request

yxeepsek.net

IN A

Response

yxeepsek.net

IN A

172.67.194.101

yxeepsek.net

IN A

104.21.20.204
GET

http://yxeepsek.net/-36721KLIQ/2pRLi?rndad=1502943035-1706501744

7edc154a50a3cd916eabc31434badde3.exe

Remote address:

172.67.194.101:80

Request

GET /-36721KLIQ/2pRLi?rndad=1502943035-1706501744 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Cache-Control: no-cache
Host: yxeepsek.net
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Date: Mon, 29 Jan 2024 04:15:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=062j2tsma6m13iioha4jdtg4fm; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1xT%2FrPAC3i%2BlIsKAO33zNg5xWo7y90n%2Bwn9p7FAJZg52cD7rvzd%2Bq7etMpIAdTiOovf83ATeRfXrjkMM20J5YPZhasyrXqJWkG5plVjZrzti1fVxz8q8P8yWckjyQ2c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cea7e11cb18924-LHR
alt-svc: h2=":443"; ma=60
GET

http://yxeepsek.net/suspended?a=3&u=20186239

7edc154a50a3cd916eabc31434badde3.exe

Remote address:

172.67.194.101:80

Request

GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Cache-Control: no-cache
Host: yxeepsek.net
Connection: Keep-Alive
Cookie: FLYSESSID=062j2tsma6m13iioha4jdtg4fm

Response

HTTP/1.1 200 OK

Date: Mon, 29 Jan 2024 04:15:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Hd8LicPsx%2FgKdmutBzl1m0OoDSOdAC3Pwj1gqtZDh1h97RTy9DL75me0ULmI7WdnimJvc2HfcI65vrNetptciiy7X8LQgHUx8ikRANcE%2F1yJKtrIIJP%2F5%2BA7OLOkxvY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84cea7e28db38924-LHR
alt-svc: h2=":443"; ma=60
DNS

101.194.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.194.67.172.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

104.21.73.114:80

http://zipansion.com/2pRLi

http

7edc154a50a3cd916eabc31434badde3.exe

437 B
1.1kB
6
4

HTTP Request

GET http://zipansion.com/2pRLi

HTTP Response

301
172.67.194.101:80

http://yxeepsek.net/suspended?a=3&u=20186239

http

7edc154a50a3cd916eabc31434badde3.exe

972 B
3.3kB
11
9

HTTP Request

GET http://yxeepsek.net/-36721KLIQ/2pRLi?rndad=1502943035-1706501744

HTTP Response

302

HTTP Request

GET http://yxeepsek.net/suspended?a=3&u=20186239

HTTP Response

200
138.91.171.81:80

104 B
2

8.8.8.8:53

zipansion.com

dns

7edc154a50a3cd916eabc31434badde3.exe

59 B
91 B
1
1

DNS Request

zipansion.com

DNS Response

104.21.73.114

172.67.144.180
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

114.73.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

114.73.21.104.in-addr.arpa
8.8.8.8:53

yxeepsek.net

dns

7edc154a50a3cd916eabc31434badde3.exe

58 B
90 B
1
1

DNS Request

yxeepsek.net

DNS Response

172.67.194.101

104.21.20.204
8.8.8.8:53

101.194.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

101.194.67.172.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7edc154a50a3cd916eabc31434badde3.exe

Filesize
746KB

MD5
6a3b40deed5646c030f676c526ea7429

SHA1
e6719727a4601f364f5951e9d132bf6316dd7aee

SHA256
a0df533582afc03529cd46b782e104cce6acfd9d5b2afbd0a77e5fd8e141e6cd

SHA512
fbd52ba0d3f80c5514b7040698d939619cd55bfadc4166bdfa04534121f6fb25739c0f7878a7a0a84df628cda2c36708675b2e9e097ecaee00daa45da09157de

Download Submit
memory/1328-1-0x0000000001C50000-0x0000000001D83000-memory.dmp

Filesize
1.2MB

Download
memory/1328-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1328-2-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1328-12-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1652-13-0x0000000001CF0000-0x0000000001E23000-memory.dmp

Filesize
1.2MB

Download
memory/1652-16-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1652-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/1652-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1652-20-0x00000000055F0000-0x000000000581A000-memory.dmp

Filesize
2.2MB

Download
memory/1652-28-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.