230e5141831452d7f1c26a2640ab4018dd8b3078719d75c7729b0c08b2b29a4f

General

Target

d4878bf517b84e49c3377adb1ad8038d.exe
Size

2.9MB
MD5

d4878bf517b84e49c3377adb1ad8038d
SHA1

4c4164f543d64416962598f4ce0e3289dfd4b36e
SHA256

230e5141831452d7f1c26a2640ab4018dd8b3078719d75c7729b0c08b2b29a4f
SHA512

1c50f6f2571c33d86bf052dba01607e98fb34549241c8aea421c1a00790058a274d989b5dda3d528f4ebf7881de6070f8450173525ac0f8df76d7475f5a6878a
SSDEEP

49152:nmh2LMvCzI4FieFUSfJxt7N74NH5HUyNRcUsCVOzetdZJ:nmoLMviI4iCUkt4HBUCczzM3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2204	d4878bf517b84e49c3377adb1ad8038d.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	d4878bf517b84e49c3377adb1ad8038d.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	d4878bf517b84e49c3377adb1ad8038d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral1/files/0x000a000000013a21-12.dat	upx
behavioral1/files/0x000a000000013a21-10.dat	upx
behavioral1/files/0x000a000000013a21-15.dat	upx
behavioral1/memory/2204-17-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2820	d4878bf517b84e49c3377adb1ad8038d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2820	d4878bf517b84e49c3377adb1ad8038d.exe
2204	d4878bf517b84e49c3377adb1ad8038d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2204	2820	d4878bf517b84e49c3377adb1ad8038d.exe	28
PID 2820 wrote to memory of 2204	2820	d4878bf517b84e49c3377adb1ad8038d.exe	28
PID 2820 wrote to memory of 2204	2820	d4878bf517b84e49c3377adb1ad8038d.exe	28
PID 2820 wrote to memory of 2204	2820	d4878bf517b84e49c3377adb1ad8038d.exe	28

C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
"C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
  C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2204

Network

DNS

zipansion.com

d4878bf517b84e49c3377adb1ad8038d.exe

Remote address:

8.8.8.8:53

Request

zipansion.com

IN A

Response

zipansion.com

IN A

104.21.73.114

zipansion.com

IN A

172.67.144.180
GET

http://zipansion.com/2pRLi

d4878bf517b84e49c3377adb1ad8038d.exe

Remote address:

104.21.73.114:80

Request

GET /2pRLi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: zipansion.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 18 Mar 2024 21:06:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=u6m536fb28g8r6csup2sn1e962; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MyAY1qH0pBwyLMMDhsrPSjtjb8alYbd8QbRahVRDIpMUYTbGSromzB3Xd5ltNjn8dK1L0oYaK6z4HJLtwdklL4NJeFTX09SttK4nwTebvduHgt0AOvPgQdaFjgFfmZMG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86682fb96aa5068f-LHR
alt-svc: h2=":443"; ma=60
DNS

yxeepsek.net

d4878bf517b84e49c3377adb1ad8038d.exe

Remote address:

8.8.8.8:53

Request

yxeepsek.net

IN A

Response

yxeepsek.net

IN A

172.67.194.101

yxeepsek.net

IN A

104.21.20.204
DNS

yxeepsek.net

d4878bf517b84e49c3377adb1ad8038d.exe

Remote address:

8.8.8.8:53

Request

yxeepsek.net

IN A
GET

http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985

d4878bf517b84e49c3377adb1ad8038d.exe

Remote address:

172.67.194.101:80

Request

GET /-36721OHCK/2pRLi?rndad=1502943035-1710795985 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net

Response

HTTP/1.1 302 Found

Date: Mon, 18 Mar 2024 21:06:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: FLYSESSID=ap5cjcitaq7cjiqacdl1o7ccn7; path=/; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-powered-by: adfly
strict-transport-security: max-age=0
location: /suspended?a=3&u=20186239
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiCf82%2B7sDL8mgHtmQOuRTTNseanP5KeXLahLCVf%2BA8w1G3sEA95kMPHA3sM%2B4DKTQgpR7G%2BAYPYcDNqTHl7LHlNCArsofI7QzQ%2Fcvuk1R3XX98bI5MTeEHZYA5K448%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86682fc20ffd45a1-LHR
alt-svc: h2=":443"; ma=60
GET

http://yxeepsek.net/suspended?a=3&u=20186239

d4878bf517b84e49c3377adb1ad8038d.exe

Remote address:

172.67.194.101:80

Request

GET /suspended?a=3&u=20186239 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: yxeepsek.net
Cookie: FLYSESSID=ap5cjcitaq7cjiqacdl1o7ccn7

Response

HTTP/1.1 200 OK

Date: Mon, 18 Mar 2024 21:06:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
last-modified: Tue, 10 Nov 2020 09:44:07 GMT
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lilLXEQpYnwJhZe5wosE%2FdCljndQ8PPDVlC5DyGFhUHu84iAPKcxkd8UYCp1o8pd4RtXHJCm%2BlOIXgeUm8eOfPL0tSnzpJ9uFRIZxt6c35R4EtWfe0f7jMO%2FCc6%2FJQM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 86682fc3cb1b45a1-LHR
alt-svc: h2=":443"; ma=60

104.21.73.114:80

http://zipansion.com/2pRLi

http

d4878bf517b84e49c3377adb1ad8038d.exe

443 B
2.1kB
6
5

HTTP Request

GET http://zipansion.com/2pRLi

HTTP Response

301
172.67.194.101:80

http://yxeepsek.net/suspended?a=3&u=20186239

http

d4878bf517b84e49c3377adb1ad8038d.exe

886 B
3.3kB
9
9

HTTP Request

GET http://yxeepsek.net/-36721OHCK/2pRLi?rndad=1502943035-1710795985

HTTP Response

302

HTTP Request

GET http://yxeepsek.net/suspended?a=3&u=20186239

HTTP Response

200

8.8.8.8:53

zipansion.com

dns

d4878bf517b84e49c3377adb1ad8038d.exe

59 B
91 B
1
1

DNS Request

zipansion.com

DNS Response

104.21.73.114

172.67.144.180
8.8.8.8:53

yxeepsek.net

dns

d4878bf517b84e49c3377adb1ad8038d.exe

116 B
90 B
2
1

DNS Request

yxeepsek.net

DNS Request

yxeepsek.net

DNS Response

172.67.194.101

104.21.20.204

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe

Filesize
1.8MB

MD5
9a836599cece6bfb3fc88a87f9de1dcd

SHA1
45a1b3d2b9433c8a3d9f4b684469ca797e4eee1f

SHA256
a4d3b464204f207909df15654039147b09b42bbb9d1b17f1a97ca255eb76bc65

SHA512
d96e93f75d1423f5de872ac61592487c92c38ea78c80472140dd67fa5c1aa3b3a0bf55f96c3513364c7f3a404c2ef6e7b37942445aab19557c60b42e2bcce779

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe

Filesize
2.4MB

MD5
ee13ce8486934ae1a9c9e88aab46aa8d

SHA1
9d270abd2ec918e1d6b809d4b3d849ff184af4ea

SHA256
30d0396f7e04ae7bc24b5273cf3ec5d91ef311a905be2e436788e6c9d1316655

SHA512
565e9870b6627841d0553b74669c9de33ae5a38e391b70a0fc4752194114c0d8deaa7cc9f03a68089bbb1568d95e17c7a1ffa5562e2dfa60c2283c419eb09801

Download Submit
\Users\Admin\AppData\Local\Temp\d4878bf517b84e49c3377adb1ad8038d.exe

Filesize
2.2MB

MD5
7a10428eade567a2a006d415a510bc0e

SHA1
4b181d5c7a7a429e55cb0a9b7e53246b4855e8c3

SHA256
562473815d7fade38401dabed42850a3ae7c71cda905879c3a6b3b900a42b3f9

SHA512
78df287caea4844be6f54c314ec3a1fcbcd0cc484058a67a3765b6776aa21c50f75a4c70040d6d2266d34ca1c1e6a48bc8511d1e5360e4dd8c262f8bfeca9246

Download Submit
memory/2204-16-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2204-17-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2204-19-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/2204-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2204-25-0x0000000003410000-0x000000000363A000-memory.dmp

Filesize
2.2MB

Download
memory/2204-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2820-0-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2820-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

Filesize
1.2MB

Download
memory/2820-14-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-1-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-13-0x0000000003980000-0x0000000003E6F000-memory.dmp

Filesize
4.9MB

Download
memory/2820-31-0x0000000003980000-0x0000000003E6F000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.