Analysis

  • max time kernel
    121s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-03-2024 11:16

General

  • Target

    Olhaissuai.exe

  • Size

    241KB

  • MD5

    bd8c704e88e3c75f06c295b175635afb

  • SHA1

    53c4ff268b35e7bb263ea17bc88802f32849f945

  • SHA256

    c61e6bc1177e420bd7a93285a6e5bb295b17b2973a04209bc074545291fe6533

  • SHA512

    5cde213035081c05aee4b51d8039888acab619b268edf3822a2e77c2038f2a72c5cf37a3afaac0b36e7c10349e7c41dc09f99eef06b92c473da1f5679169879a

  • SSDEEP

    6144:2QmcU78FNSFORyiBAUALiHN5kOmYwS6XFWkcl5rv:2qUONS9iBAsHNmOTHIcjr

Score
7/10

Malware Config

Signatures

  • UPX packed file (8 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Olhaissuai.exe
    "C:\Users\Admin\AppData\Local\Temp\Olhaissuai.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe
      2⤵
      • Adds Run key to start application
      PID:2652

Network

  • DNS (country: US)
    dl.dropbox.com
    Process: notepad.exe
    Remote address: 8.8.8.8:53
    Request: dl.dropbox.com IN A
    Response: dl.dropbox.com IN CNAME edge-block-www-env.dropbox-dns.com
    Response: edge-block-www-env.dropbox-dns.com IN A 162.125.67.15
  • GET (country: FR)
    http://dl.dropbox.com/u/56753148/index.html
    Process: notepad.exe
    Remote address: 162.125.67.15:80
    Request:
    GET /u/56753148/index.html HTTP/1.1
    Host: dl.dropbox.com
    Accept: text/html, */*
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Response:
    HTTP/1.1 301 Moved Permanently
    location: https://dl.dropbox.com/u/56753148/index.html
    date: Mon, 18 Mar 2024 11:17:10 GMT
    server: envoy
    x-dropbox-request-id: b670442a0f9b4197a48fe92c0d1ee7c7
    content-length: 0
  • GET (country: FR)
    http://dl.dropbox.com/u/56753148/index.html
    Process: notepad.exe
    Remote address: 162.125.67.15:80
    Request:
    GET /u/56753148/index.html HTTP/1.1
    Host: dl.dropbox.com
    Accept: text/html, */*
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Response:
    HTTP/1.1 301 Moved Permanently
    location: https://dl.dropbox.com/u/56753148/index.html
    date: Mon, 18 Mar 2024 11:17:40 GMT
    server: envoy
    x-dropbox-request-id: 9c1d1ee870a64db087c0b3defaeb7b95
    content-length: 0
  • DNS (country: US)
    dl.dropbox.com
    Process: notepad.exe
    Remote address: 8.8.8.8:53
    Request: dl.dropbox.com IN A
    Response: dl.dropbox.com IN CNAME edge-block-www-env.dropbox-dns.com
    Response: edge-block-www-env.dropbox-dns.com IN A 162.125.67.15
  • GET (country: FR)
    http://dl.dropbox.com/u/56753148/index.html
    Process: notepad.exe
    Remote address: 162.125.67.15:80
    Request:
    GET /u/56753148/index.html HTTP/1.1
    Host: dl.dropbox.com
    Accept: text/html, */*
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Response:
    HTTP/1.1 301 Moved Permanently
    location: https://dl.dropbox.com/u/56753148/index.html
    date: Mon, 18 Mar 2024 11:18:10 GMT
    server: envoy
    x-dropbox-request-id: f62abdd56b1f4065b900d838d8ecad30
    content-length: 0
  • DNS (country: US)
    dl.dropbox.com
    Process: notepad.exe
    Remote address: 8.8.8.8:53
    Request: dl.dropbox.com IN A
    Response: dl.dropbox.com IN CNAME edge-block-www-env.dropbox-dns.com
    Response: edge-block-www-env.dropbox-dns.com IN A 162.125.67.15
  • GET (country: FR)
    http://dl.dropbox.com/u/56753148/index.html
    Process: notepad.exe
    Remote address: 162.125.67.15:80
    Request:
    GET /u/56753148/index.html HTTP/1.1
    Host: dl.dropbox.com
    Accept: text/html, */*
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Response:
    HTTP/1.1 301 Moved Permanently
    location: https://dl.dropbox.com/u/56753148/index.html
    date: Mon, 18 Mar 2024 11:18:40 GMT
    server: envoy
    x-dropbox-request-id: 209f3cc9a3bb4b7bb855510fac674587
    content-length: 0
  • 162.125.67.15:80
    http://dl.dropbox.com/u/56753148/index.html
    Protocol: http
    Process: notepad.exe
    Sent: 446 B (6 packets)
    Received: 646 B (5 packets)
    HTTP Request: GET http://dl.dropbox.com/u/56753148/index.html
    HTTP Response: 301
  • 162.125.67.15:80
    http://dl.dropbox.com/u/56753148/index.html
    Protocol: http
    Process: notepad.exe
    Sent: 394 B (5 packets)
    Received: 389 B (4 packets)
    HTTP Request: GET http://dl.dropbox.com/u/56753148/index.html
    HTTP Response: 301
  • 162.125.67.15:80
    http://dl.dropbox.com/u/56753148/index.html
    Protocol: http
    Process: notepad.exe
    Sent: 400 B (5 packets)
    Received: 606 B (4 packets)
    HTTP Request: GET http://dl.dropbox.com/u/56753148/index.html
    HTTP Response: 301
  • 162.125.67.15:80
    http://dl.dropbox.com/u/56753148/index.html
    Protocol: http
    Process: notepad.exe
    Sent: 354 B (4 packets)
    Received: 606 B (4 packets)
    HTTP Request: GET http://dl.dropbox.com/u/56753148/index.html
    HTTP Response: 301
  • 8.8.8.8:53
    dl.dropbox.com
    Protocol: dns
    Process: notepad.exe
    Sent: 60 B (1 packet)
    Received: 121 B (1 packet)
    DNS Request: dl.dropbox.com
    DNS Response: 162.125.67.15
  • 8.8.8.8:53
    dl.dropbox.com
    Protocol: dns
    Process: notepad.exe
    Sent: 60 B (1 packet)
    Received: 121 B (1 packet)
    DNS Request: dl.dropbox.com
    DNS Response: 162.125.67.15
  • 8.8.8.8:53
    dl.dropbox.com
    Protocol: dns
    Process: notepad.exe
    Sent: 60 B (1 packet)
    Received: 121 B (1 packet)
    DNS Request: dl.dropbox.com
    DNS Response: 162.125.67.15

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\ProgramData\EauqbpT\WcsuujG\IfvkkxW.exe

    Filesize

    241KB

    MD5

    bd8c704e88e3c75f06c295b175635afb

    SHA1

    53c4ff268b35e7bb263ea17bc88802f32849f945

    SHA256

    c61e6bc1177e420bd7a93285a6e5bb295b17b2973a04209bc074545291fe6533

    SHA512

    5cde213035081c05aee4b51d8039888acab619b268edf3822a2e77c2038f2a72c5cf37a3afaac0b36e7c10349e7c41dc09f99eef06b92c473da1f5679169879a

  • memory/2472-8-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2472-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2472-0-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-10-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-7-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2652-9-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-12-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-13-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/2652-3-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-15-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize

    692KB

  • memory/2652-16-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB