Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13/02/2024, 05:43 UTC
Static task
static1
Behavioral task
behavioral1
Sample
989e845511599a05762c239c350f2781.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
989e845511599a05762c239c350f2781.exe
Resource
win10v2004-20231215-en
General
-
Target
989e845511599a05762c239c350f2781.exe
-
Size
50KB
-
MD5
989e845511599a05762c239c350f2781
-
SHA1
d7accf372f8700017d98a65794aa36281c473162
-
SHA256
064b545ab43b11732a115f22202f89cebc40451a2144d1a5ba0df045d52b8b84
-
SHA512
48dee154c5fc11dce5a5c22ba5c4a30373cae9a6527c985703fd28d709ff9f1cf6413034a368d6b27a00dd4b13bdd2752d35a255545eac9373ae78682d91b1dc
-
SSDEEP
768:PcGu+aZmwmhgLfoatZ0X1lfx51gSW12t7EyKznRfTIA13tOB0CH:P9Omw7g2GffxbvMznRfTIedOys
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation 989e845511599a05762c239c350f2781.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Processes
Network
-
Remote address:8.8.8.8:53Requestadobe.comIN AResponseadobe.comIN A88.221.135.202adobe.comIN A88.221.135.203
-
Remote address:88.221.135.202:80RequestPOST /geo/productid.php HTTP/1.1
Host: adobe.com
User-Agent: Opera/10.80 Pesto/2.2.30
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
ResponseHTTP/1.1 403 Forbidden
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 280
Expires: Tue, 13 Feb 2024 05:43:27 GMT
Date: Tue, 13 Feb 2024 05:43:27 GMT
Connection: close
-
Remote address:8.8.8.8:53Request202.135.221.88.in-addr.arpaIN PTRResponse202.135.221.88.in-addr.arpaIN PTRa88-221-135-202deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesthnzshqhw.co.ccIN AResponsehnzshqhw.co.ccIN A175.126.123.219
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request194.178.17.96.in-addr.arpaIN PTRResponse194.178.17.96.in-addr.arpaIN PTRa96-17-178-194deploystaticakamaitechnologiescom
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: hnzshqhw.co.cc
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request219.123.126.175.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request233.38.18.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.149.64.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request79.121.231.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request180.178.17.96.in-addr.arpaIN PTRResponse180.178.17.96.in-addr.arpaIN PTRa96-17-178-180deploystaticakamaitechnologiescom
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:80RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: hnzshqhw.co.cc
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://hnzshqhw.co.cc/showthread.php?t=212872
Content-Length: 254
Content-Type: text/html; charset=iso-8859-1
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:175.126.123.219:443RequestGET /showthread.php?t=212872 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Cache-Control: no-cache
Host: hnzshqhw.co.cc
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.29
Content-Length: 47
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Request2.173.189.20.in-addr.arpaIN PTRResponse
-
411 B 700 B 5 5
HTTP Request
POST http://adobe.com/geo/productid.phpHTTP Response
403 -
175.126.123.219:80http://hnzshqhw.co.cc/showthread.php?t=212872http989e845511599a05762c239c350f2781.exe1.7kB 2.7kB 20 8
HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301 -
175.126.123.219:443https://hnzshqhw.co.cc/showthread.php?t=212872tls, http989e845511599a05762c239c350f2781.exe2.8kB 7.8kB 25 15
HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404 -
175.126.123.219:80http://hnzshqhw.co.cc/showthread.php?t=212872http989e845511599a05762c239c350f2781.exe819 B 1.6kB 9 6
HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301HTTP Request
GET http://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
301 -
175.126.123.219:443https://hnzshqhw.co.cc/showthread.php?t=212872tls, http989e845511599a05762c239c350f2781.exe2.5kB 7.4kB 21 14
HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404HTTP Request
GET https://hnzshqhw.co.cc/showthread.php?t=212872HTTP Response
404
-
55 B 87 B 1 1
DNS Request
adobe.com
DNS Response
88.221.135.20288.221.135.203
-
73 B 139 B 1 1
DNS Request
202.135.221.88.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
hnzshqhw.co.cc
DNS Response
175.126.123.219
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
194.178.17.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
74 B 145 B 1 1
DNS Request
219.123.126.175.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
233.38.18.104.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
23.149.64.172.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
79.121.231.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
180.178.17.96.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47B
MD58cebbdcf906d7e7b80bc34904e9bd904
SHA19aec1585ae48f2744c74447391b450fc2c972a0f
SHA25668227354e364f4637416a15ab0d7e98a83deda10e3ce98dd134f0cea55b74573
SHA512aa7cf43a3c80c8df522e95a763c07be226fb5b53727bee8f4076c0d7a5f7000c08832ca226838ea43554cdf12145db4a9fb67cb3176d19d3f275bdfb20d11b22
-
Filesize
47B
MD52079de86c2f563b129b99bacca34ac23
SHA19cd346283354dbae0118488be07b73e6a9292a1a
SHA25657e5a4c140bcc8738d1daa3f6cee05aac052218d286f69e4f4303fbc8af19ea7
SHA512946e89de4a2df78bc3952bb79843c95b137e0494ffba3e0b956aa1073beaf759d14fed9ea033adc2cee1aa8cc272b5a8ea6e23ae74caaf196ff73b555466706a