Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2024, 17:43 UTC

General

  • Target

    sign.exe

  • Size

    15.9MB

  • MD5

    4f63aebfcbeeb6a580e13bd81d4c8a19

  • SHA1

    00143c99571ec2cdef358a19215acc49e92488bd

  • SHA256

    bb4a96deea854f3a23aa87497b76a2bcba165c7d3b60617dc2b222a6475235d5

  • SHA512

    406d40fbe820ebd924064e7043f7cd817fc047ccbddcec79c848489f027b865c324051500e961a21400dc57a2e37655a52afc2b59db9c8fd291068f2743152e5

  • SSDEEP

    393216:65crRz8IBR1bKCHGuUVLIRfiXbVqRelD:PVzfRlzHTgLq2VMU

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\sign.exe (PID 3792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sign.exe"
    • Suspicious use of SetWindowsHookEx

Network

  Reverse (PTR) lookups observed:

  Remote address   Query (IN PTR)                 Response
  8.8.8.8:53       241.150.49.20.in-addr.arpa     answered, no PTR record
  8.8.8.8:53       198.178.17.96.in-addr.arpa     a96-17-178-198.deploy.static.akamaitechnologies.com
  8.8.8.8:53       95.221.229.192.in-addr.arpa    answered, no PTR record
  8.8.8.8:53       67.31.126.40.in-addr.arpa      answered, no PTR record
  8.8.8.8:53       232.168.11.51.in-addr.arpa     answered, no PTR record
  8.8.8.8:53       232.168.11.51.in-addr.arpa     no response received
  8.8.8.8:53       103.169.127.40.in-addr.arpa    answered, no PTR record
  8.8.8.8:53       171.39.242.20.in-addr.arpa     answered, no PTR record
  8.8.8.8:53       171.39.242.20.in-addr.arpa     no response received
  8.8.8.8:53       28.160.77.104.in-addr.arpa     a104-77-160-28.deploy.static.akamaitechnologies.com
  8.8.8.8:53       200.178.17.96.in-addr.arpa     a96-17-178-200.deploy.static.akamaitechnologies.com
  8.8.8.8:53       200.178.17.96.in-addr.arpa     no response received
  8.8.8.8:53       13.227.111.52.in-addr.arpa     answered, no PTR record
  8.8.8.8:53       179.178.17.96.in-addr.arpa     a96-17-178-179.deploy.static.akamaitechnologies.com
  8.8.8.8:53       154.141.79.40.in-addr.arpa     answered, no PTR record
  Per-connection summary:

  Remote address   Domain                         Protocol  Sent   Received  Requests  Responses
  8.8.8.8:53       241.150.49.20.in-addr.arpa     dns       72 B   158 B     1         1
  8.8.8.8:53       198.178.17.96.in-addr.arpa     dns       72 B   137 B     1         1
  8.8.8.8:53       95.221.229.192.in-addr.arpa    dns       73 B   144 B     1         1
  8.8.8.8:53       67.31.126.40.in-addr.arpa      dns       71 B   157 B     1         1
  8.8.8.8:53       232.168.11.51.in-addr.arpa     dns       144 B  158 B     2         1
  8.8.8.8:53       103.169.127.40.in-addr.arpa    dns       73 B   147 B     1         1
  8.8.8.8:53       171.39.242.20.in-addr.arpa     dns       144 B  158 B     2         1
  8.8.8.8:53       28.160.77.104.in-addr.arpa     dns       72 B   137 B     1         1
  8.8.8.8:53       200.178.17.96.in-addr.arpa     dns       144 B  137 B     2         1
  8.8.8.8:53       13.227.111.52.in-addr.arpa     dns       72 B   158 B     1         1
  8.8.8.8:53       179.178.17.96.in-addr.arpa     dns       72 B   137 B     1         1
  8.8.8.8:53       154.141.79.40.in-addr.arpa     dns       72 B   146 B     1         1

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\EInvoice.blt

    Filesize

    512B

    MD5

    7df3e7f582228a72ac26744c80fc5f90

    SHA1

    03b52cb4962e69c3fc0ad47db1a676d463ea090c

    SHA256

    dcd22183888779174553cdc257d24d6d9f354f8003ad6d064527faa2871db60c

    SHA512

    2a1dd6f7b35749e6af3476338c6957d5eeb1c6950926ba99948c1d2fd495252a97de2c63221e535eb43843a6938571d7dd23e1b1f75a883b904271245fb2a44c

  • C:\Users\Admin\AppData\Local\Temp\EInvoice.ibk

    Filesize

    28KB

    MD5

    269b45a27ffad49047f26e279abd0cf6

    SHA1

    ba95e308b1972af2de688ddd4687276782395625

    SHA256

    e534686fe8c6f55d183802eb0cda2ab512f14cf42dbd449e317785c046b899d9

    SHA512

    758c9f3fe9832a4cabddc26f77957027be48889ff0244dac91d610c2a6fc144f8ed43354ceee78bf1771bad5e8e0f88e91504fe5439cfb7cd6d76dbcaa3a0473

  • C:\Users\Admin\AppData\Local\Temp\EInvoice.idt

    Filesize

    28KB

    MD5

    467f77c16ac7d42c26c657fad557e204

    SHA1

    1e1ec3176af201e8052d723342ba1fb3b4bb30f5

    SHA256

    b6fec76634d486e084ef39b2491b9740cf0a5249d622aa2550754169819873b2

    SHA512

    e563f25432b8a53140a6e23e894a7716853a63718863425508f55a23f8a79652539c2dd82691f2e73e0fc951a18844340609d7120f0ee6bd5d3f3423b19109b5

  • C:\Users\Admin\AppData\Local\Temp\signoptions.ini

    Filesize

    383B

    MD5

    70673f5bc61d79295a1b271d90546b00

    SHA1

    8b42af24701c0bf0b8002b2f93eec1af1aacfd39

    SHA256

    3a0b57fe08524b3856db06d397e5d7614056f5a96f671e6e850a6b1dd3697266

    SHA512

    29f2b92ffa84b69567fce742d95d714d861ac7723267b76227ef2dc32d5ed68bb25e3274cc3b3b84054d591c4cbb7560c0970029ec72d18c9ecaae3c1410372d

  • memory/3792-0-0x00000000069D0000-0x00000000069D1000-memory.dmp

    Filesize

    4KB

  • memory/3792-61-0x000000000B4A0000-0x000000000B4A1000-memory.dmp

    Filesize

    4KB

  • memory/3792-62-0x0000000000400000-0x00000000049C7000-memory.dmp

    Filesize

    69.8MB

  • memory/3792-64-0x00000000069D0000-0x00000000069D1000-memory.dmp

    Filesize

    4KB

  • memory/3792-66-0x000000000B4A0000-0x000000000B4A1000-memory.dmp

    Filesize

    4KB
