99c04d2dc579bd0dc8580eb8689ed63bf56ddd11d57369f1d5c4cb84e7f0738a | Triage

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2024, 23:48 UTC

Sharing

Report Analysis Logs

General

Target

95b05d07387d37665d747ebc037441fc.exe
Size

1.6MB
MD5

95b05d07387d37665d747ebc037441fc
SHA1

ddfcc624ab19687b7f973df79446e65e1757af49
SHA256

99c04d2dc579bd0dc8580eb8689ed63bf56ddd11d57369f1d5c4cb84e7f0738a
SHA512

a5c011737019282c99bd0d1a31f7423437cf89f8ad27f8fbff9c01b79f7f757dfa4a8933a0dd7f3c591720749747ff161f91539cabc4d208d79ecee71a4ed0df
SSDEEP

49152:fYUSQrXtWqcakLz0JCg+MoECUiWcakLz0O:fhSQjtWqcakcJCg+MoFUiWcakcO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2920	95b05d07387d37665d747ebc037441fc.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	95b05d07387d37665d747ebc037441fc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4644-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0007000000023226-12.dat	upx
behavioral2/memory/2920-15-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

flow	ioc
14	pastebin.com

Program crash 18 IoCs

pid	pid_target	Process	procid_target
2500	2920	WerFault.exe	85
3468	2920	WerFault.exe	85
5792	2920	WerFault.exe	85
5548	2920	WerFault.exe	85
4940	2920	WerFault.exe	85
3232	2920	WerFault.exe	85
4768	2920	WerFault.exe	85
984	2920	WerFault.exe	85
1756	2920	WerFault.exe	85
2560	2920	WerFault.exe	85
812	2920	WerFault.exe	85
2276	2920	WerFault.exe	85
4408	2920	WerFault.exe	85
2196	2920	WerFault.exe	85
2880	2920	WerFault.exe	85
1780	2920	WerFault.exe	85
5204	2920	WerFault.exe	85
4484	2920	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1796	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	95b05d07387d37665d747ebc037441fc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	95b05d07387d37665d747ebc037441fc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	95b05d07387d37665d747ebc037441fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	95b05d07387d37665d747ebc037441fc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	95b05d07387d37665d747ebc037441fc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4644	95b05d07387d37665d747ebc037441fc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4644	95b05d07387d37665d747ebc037441fc.exe
2920	95b05d07387d37665d747ebc037441fc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2920	4644	95b05d07387d37665d747ebc037441fc.exe	85
PID 4644 wrote to memory of 2920	4644	95b05d07387d37665d747ebc037441fc.exe	85
PID 4644 wrote to memory of 2920	4644	95b05d07387d37665d747ebc037441fc.exe	85
PID 2920 wrote to memory of 1796	2920	95b05d07387d37665d747ebc037441fc.exe	86
PID 2920 wrote to memory of 1796	2920	95b05d07387d37665d747ebc037441fc.exe	86
PID 2920 wrote to memory of 1796	2920	95b05d07387d37665d747ebc037441fc.exe	86
PID 2920 wrote to memory of 2732	2920	95b05d07387d37665d747ebc037441fc.exe	88
PID 2920 wrote to memory of 2732	2920	95b05d07387d37665d747ebc037441fc.exe	88
PID 2920 wrote to memory of 2732	2920	95b05d07387d37665d747ebc037441fc.exe	88
PID 2732 wrote to memory of 4360	2732	cmd.exe	90
PID 2732 wrote to memory of 4360	2732	cmd.exe	90
PID 2732 wrote to memory of 4360	2732	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\95b05d07387d37665d747ebc037441fc.exe
"C:\Users\Admin\AppData\Local\Temp\95b05d07387d37665d747ebc037441fc.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\95b05d07387d37665d747ebc037441fc.exe
  C:\Users\Admin\AppData\Local\Temp\95b05d07387d37665d747ebc037441fc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\95b05d07387d37665d747ebc037441fc.exe" /TN Jdf19jEI5ce2 /F
    3⤵
    - Creates scheduled task(s)
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN Jdf19jEI5ce2 > C:\Users\Admin\AppData\Local\Temp\WKpBCuk4U.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN Jdf19jEI5ce2
      4⤵
      PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 604
    3⤵
    - Program crash
    PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 648
    3⤵
    - Program crash
    PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 656
    3⤵
    - Program crash
    PID:5792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 656
    3⤵
    - Program crash
    PID:5548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 776
    3⤵
    - Program crash
    PID:4940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 784
    3⤵
    - Program crash
    PID:3232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1464
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1908
    3⤵
    - Program crash
    PID:984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 2144
    3⤵
    - Program crash
    PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1924
    3⤵
    - Program crash
    PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1912
    3⤵
    - Program crash
    PID:812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 2124
    3⤵
    - Program crash
    PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1992
    3⤵
    - Program crash
    PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 2108
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1904
    3⤵
    - Program crash
    PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1976
    3⤵
    - Program crash
    PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1928
    3⤵
    - Program crash
    PID:5204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 720
    3⤵
    - Program crash
    PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2920 -ip 2920
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2920 -ip 2920
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2920 -ip 2920
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2920 -ip 2920
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2920 -ip 2920
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2920 -ip 2920
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2920 -ip 2920
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2920 -ip 2920
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2920 -ip 2920
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2920 -ip 2920
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2920 -ip 2920
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2920 -ip 2920
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2920 -ip 2920
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2920 -ip 2920
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2920 -ip 2920
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2920 -ip 2920
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2920 -ip 2920
1⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2920 -ip 2920
1⤵
PID:2016

Network

DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

95b05d07387d37665d747ebc037441fc.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143
DNS

cutit.org

95b05d07387d37665d747ebc037441fc.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

64.91.240.248
GET

https://cutit.org/oxgBR

95b05d07387d37665d747ebc037441fc.exe

Remote address:

64.91.240.248:443

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Host: cutit.org
Cache-Control: no-cache

Response

HTTP/1.1 302 Moved Temporarily

Date: Sun, 11 Feb 2024 23:48:54 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww12.cutit.org/oxgBR?usid=25&utid=5299449484
Content-Length: 0
Content-Type: text/html; charset=UTF-8
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

143.67.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.67.20.104.in-addr.arpa

IN PTR

Response
DNS

248.240.91.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

248.240.91.64.in-addr.arpa

IN PTR

Response

248.240.91.64.in-addr.arpa

IN PTR

crocodile parklogiccom
DNS

40.13.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.13.222.173.in-addr.arpa

IN PTR

Response

40.13.222.173.in-addr.arpa

IN PTR

a173-222-13-40deploystaticakamaitechnologiescom
DNS

ww12.cutit.org

95b05d07387d37665d747ebc037441fc.exe

Remote address:

8.8.8.8:53

Request

ww12.cutit.org

IN A

Response

ww12.cutit.org

IN CNAME

726512.parkingcrew.net

726512.parkingcrew.net

IN A

76.223.26.96

726512.parkingcrew.net

IN A

13.248.148.254
GET

http://ww12.cutit.org/oxgBR?usid=25&utid=5299449484

95b05d07387d37665d747ebc037441fc.exe

Remote address:

76.223.26.96:80

Request

GET /oxgBR?usid=25&utid=5299449484 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Cache-Control: no-cache
Host: ww12.cutit.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 11 Feb 2024 23:48:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Buckets: bucket011
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_LMcRN7BH5J3eFAmowLbldwL6Kktas1Pn+/da7pbR/HHeRcbJlxFasLSQawv3w9RaRxQ/ythsxn5Vf3NvsvAr+g==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Domain: cutit.org
X-Subdomain: ww12
DNS

201.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.179.17.96.in-addr.arpa

IN PTR

Response

201.179.17.96.in-addr.arpa

IN PTR

a96-17-179-201deploystaticakamaitechnologiescom
DNS

96.26.223.76.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.26.223.76.in-addr.arpa

IN PTR

Response

96.26.223.76.in-addr.arpa

IN PTR

aba1c1ff9d2ec5376awsglobalacceleratorcom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

28.160.77.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.160.77.104.in-addr.arpa

IN PTR

Response

28.160.77.104.in-addr.arpa

IN PTR

a104-77-160-28deploystaticakamaitechnologiescom
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

18.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.173.189.20.in-addr.arpa

IN PTR

Response

104.20.67.143:443

pastebin.com

95b05d07387d37665d747ebc037441fc.exe

190 B
92 B
4
2
64.91.240.248:443

https://cutit.org/oxgBR

tls, http

95b05d07387d37665d747ebc037441fc.exe

1.2kB
3.9kB
15
10

HTTP Request

GET https://cutit.org/oxgBR

HTTP Response

302
76.223.26.96:80

http://ww12.cutit.org/oxgBR?usid=25&utid=5299449484

http

95b05d07387d37665d747ebc037441fc.exe

1.2kB
17.5kB
20
19

HTTP Request

GET http://ww12.cutit.org/oxgBR?usid=25&utid=5299449484

HTTP Response

200

8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

95b05d07387d37665d747ebc037441fc.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.67.143

172.67.34.170

104.20.68.143
8.8.8.8:53

cutit.org

dns

95b05d07387d37665d747ebc037441fc.exe

55 B
71 B
1
1

DNS Request

cutit.org

DNS Response

64.91.240.248
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

143.67.20.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

143.67.20.104.in-addr.arpa
8.8.8.8:53

248.240.91.64.in-addr.arpa

dns

72 B
109 B
1
1

DNS Request

248.240.91.64.in-addr.arpa
8.8.8.8:53

40.13.222.173.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

40.13.222.173.in-addr.arpa
8.8.8.8:53

ww12.cutit.org

dns

95b05d07387d37665d747ebc037441fc.exe

60 B
128 B
1
1

DNS Request

ww12.cutit.org

DNS Response

76.223.26.96

13.248.148.254
8.8.8.8:53

201.179.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

201.179.17.96.in-addr.arpa
8.8.8.8:53

96.26.223.76.in-addr.arpa

dns

71 B
127 B
1
1

DNS Request

96.26.223.76.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

28.160.77.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

28.160.77.104.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

18.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

18.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95b05d07387d37665d747ebc037441fc.exe

Filesize
1.6MB

MD5
0726ab9d53cae13bf0f394db209e249f

SHA1
211836e57d6411e7d3c266620613d8c9391d0bda

SHA256
a2325f2d39db3cf72561807b2d7c9a832bc7164ceb07ae25f62d9744b730f756

SHA512
6c63d2eaedc5862e04dabb47194615a42e337fedf3cd27a3779ee2030a78bafb24046f0036d3d1a5097fd0f2a5248857f16bdd359fab8a7ba86b89730c46bdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKpBCuk4U.xml

Filesize
1KB

MD5
b41449363205f3abc4e6c33b9443d9d5

SHA1
9328349d0bba3b3bb657e013b5d853a0655528a4

SHA256
1a2188fb5778bd8b5b403ba0df62a5a9827bfd3bd06ed9ca344ac16a3e48ded0

SHA512
3a283f273046bcd3661b82fb49b09c6eae41c44c649036213a3a48fa17934826fe0ed2de32275c2b64b0e9bcf66cb2e85d3415c2496d96ca2174d57ce2aa85d9

Download Submit
memory/2920-17-0x0000000023FA0000-0x000000002401E000-memory.dmp

Filesize
504KB

Download
memory/2920-15-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2920-22-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/2920-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-41-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4644-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4644-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4644-4-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/4644-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download