Analysis
Max time kernel: 121s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 18-03-2024 11:16
Behavioral task: behavioral1
Sample: Olhaissuai.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: Olhaissuai.exe
Resource: win10v2004-20240226-en
General
Target: Olhaissuai.exe
Size: 241KB
MD5: bd8c704e88e3c75f06c295b175635afb
SHA1: 53c4ff268b35e7bb263ea17bc88802f32849f945
SHA256: c61e6bc1177e420bd7a93285a6e5bb295b17b2973a04209bc074545291fe6533
SHA512: 5cde213035081c05aee4b51d8039888acab619b268edf3822a2e77c2038f2a72c5cf37a3afaac0b36e7c10349e7c41dc09f99eef06b92c473da1f5679169879a
SSDEEP: 6144:2QmcU78FNSFORyiBAUALiHN5kOmYwS6XFWkcl5rv:2qUONS9iBAsHNmOTHIcjr
Malware Config
Signatures

YARA rule matches (rule: upx)
Resource | YARA rule
behavioral1/memory/2472-0-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral1/memory/2652-7-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral1/memory/2472-8-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral1/memory/2652-10-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral1/memory/2652-9-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral1/memory/2652-12-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral1/files/0x0007000000016d4e-14.dat | upx
behavioral1/memory/2652-15-0x0000000000400000-0x00000000004AD000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\IfvkkxW = "c:\\ProgramData\\EauqbpT\\WcsuujG\\IfvkkxW.exe" | notepad.exe

Suspicious use of SetThreadContext (1 IoC)
Description | PID | Process | Target process ID
PID 2472 set thread context of 2652 | 2472 | Olhaissuai.exe | 28

Suspicious use of WriteProcessMemory (6 IoCs)
Description | PID | Process | Target process ID
PID 2472 wrote to memory of 2652 | 2472 | Olhaissuai.exe | 28
PID 2472 wrote to memory of 2652 | 2472 | Olhaissuai.exe | 28
PID 2472 wrote to memory of 2652 | 2472 | Olhaissuai.exe | 28
PID 2472 wrote to memory of 2652 | 2472 | Olhaissuai.exe | 28
PID 2472 wrote to memory of 2652 | 2472 | Olhaissuai.exe | 28
PID 2472 wrote to memory of 2652 | 2472 | Olhaissuai.exe | 28
Processes
Network
-
DNS, remote address 8.8.8.8:53
Request:  dl.dropbox.com IN A
Response: dl.dropbox.com IN CNAME edge-block-www-env.dropbox-dns.com
          edge-block-www-env.dropbox-dns.com IN A 162.125.67.15
-
HTTP, remote address 162.125.67.15:80
Request:
GET /u/56753148/index.html HTTP/1.1
Host: dl.dropbox.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response:
HTTP/1.1 301 Moved Permanently
date: Mon, 18 Mar 2024 11:17:10 GMT
server: envoy
x-dropbox-request-id: b670442a0f9b4197a48fe92c0d1ee7c7
content-length: 0
-
HTTP, remote address 162.125.67.15:80
Request:
GET /u/56753148/index.html HTTP/1.1
Host: dl.dropbox.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response:
HTTP/1.1 301 Moved Permanently
date: Mon, 18 Mar 2024 11:17:40 GMT
server: envoy
x-dropbox-request-id: 9c1d1ee870a64db087c0b3defaeb7b95
content-length: 0
-
DNS, remote address 8.8.8.8:53
Request:  dl.dropbox.com IN A
Response: dl.dropbox.com IN CNAME edge-block-www-env.dropbox-dns.com
          edge-block-www-env.dropbox-dns.com IN A 162.125.67.15
-
HTTP, remote address 162.125.67.15:80
Request:
GET /u/56753148/index.html HTTP/1.1
Host: dl.dropbox.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response:
HTTP/1.1 301 Moved Permanently
date: Mon, 18 Mar 2024 11:18:10 GMT
server: envoy
x-dropbox-request-id: f62abdd56b1f4065b900d838d8ecad30
content-length: 0
-
DNS, remote address 8.8.8.8:53
Request:  dl.dropbox.com IN A
Response: dl.dropbox.com IN CNAME edge-block-www-env.dropbox-dns.com
          edge-block-www-env.dropbox-dns.com IN A 162.125.67.15
-
HTTP, remote address 162.125.67.15:80
Request:
GET /u/56753148/index.html HTTP/1.1
Host: dl.dropbox.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Response:
HTTP/1.1 301 Moved Permanently
date: Mon, 18 Mar 2024 11:18:40 GMT
server: envoy
x-dropbox-request-id: 209f3cc9a3bb4b7bb855510fac674587
content-length: 0
-
Traffic summary (bytes out | bytes in | packets out | packets in)
HTTP Request GET http://dl.dropbox.com/u/56753148/index.html -> HTTP Response 301 | 446 B | 646 B | 6 | 5
HTTP Request GET http://dl.dropbox.com/u/56753148/index.html -> HTTP Response 301 | 394 B | 389 B | 5 | 4
HTTP Request GET http://dl.dropbox.com/u/56753148/index.html -> HTTP Response 301 | 400 B | 606 B | 5 | 4
HTTP Request GET http://dl.dropbox.com/u/56753148/index.html -> HTTP Response 301 | 354 B | 606 B | 4 | 4
DNS Request dl.dropbox.com -> DNS Response 162.125.67.15 | 60 B | 121 B | 1 | 1
DNS Request dl.dropbox.com -> DNS Response 162.125.67.15 | 60 B | 121 B | 1 | 1
DNS Request dl.dropbox.com -> DNS Response 162.125.67.15 | 60 B | 121 B | 1 | 1
Downloads
Filesize: 241KB
MD5: bd8c704e88e3c75f06c295b175635afb
SHA1: 53c4ff268b35e7bb263ea17bc88802f32849f945
SHA256: c61e6bc1177e420bd7a93285a6e5bb295b17b2973a04209bc074545291fe6533
SHA512: 5cde213035081c05aee4b51d8039888acab619b268edf3822a2e77c2038f2a72c5cf37a3afaac0b36e7c10349e7c41dc09f99eef06b92c473da1f5679169879a