70092856c9eeb38f6d7c031f0300630ec27d3fbd9f751ab0d1246e35f86aba80

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

1.6MB
MD5

9c3be7203ba00ad3a4aa5c060d92e032
SHA1

73889da9d3516234b199902efdc996e830d7ed12
SHA256

70092856c9eeb38f6d7c031f0300630ec27d3fbd9f751ab0d1246e35f86aba80
SHA512

edb44fd610fddfd469242bf43c0c79997aac07ed1bf7d7263fd0ba49d923bde7b36254e89cd98039df8a9d6ad9914599eaaed22e4f29a8939638a58c5ff140ad
SSDEEP

49152:x2+bFGaqjaqjyX3KLsRnkFyd+PfvSTgr8z:jk1yX3VRE

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1504	2484	loader.exe	83
PID 2484 wrote to memory of 1504	2484	loader.exe	83
PID 1504 wrote to memory of 1900	1504	cmd.exe	84
PID 1504 wrote to memory of 1900	1504	cmd.exe	84
PID 1504 wrote to memory of 2080	1504	cmd.exe	85
PID 1504 wrote to memory of 2080	1504	cmd.exe	85
PID 1504 wrote to memory of 868	1504	cmd.exe	86
PID 1504 wrote to memory of 868	1504	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\loader.exe" MD5
    3⤵
    PID:1900
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2080
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:868

Network

DNS

keyauth.win

loader.exe

Remote address:

8.8.8.8:53

Request

keyauth.win

IN A

Response

keyauth.win

IN A

104.26.1.5

keyauth.win

IN A

104.26.0.5

keyauth.win

IN A

172.67.72.57
POST

https://keyauth.win/api/1.2/

loader.exe

Remote address:

104.26.1.5:443

Request

POST /api/1.2/ HTTP/1.1
Host: keyauth.win
Accept: */*
Content-Length: 129
Content-Type: application/x-www-form-urlencoded

Response

HTTP/1.1 200 OK

Date: Mon, 13 May 2024 09:34:09 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 436
Connection: keep-alive
signature: 203a6a4e98fd017a07972953e955465d53e82fe69cf2cfa0e5e25e786fd68a49
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YXX7fluhlmmHsmAtzjdRLtv5pWG0DJC%2F5hZ5jliZqVeleLEe1Vl0TEMfmECVlc5pUraO1ztmvJ8YIh6VHR7GzP%2FjDhObBOWFiDC7Kyhg8mIytzgCbLAlPO0R8LXG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Acknowledge: Credit to VaultCord.com
X-Powered-By: VaultCord.com
content-security-policy: upgrade-insecure-requests
permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains
x-content-security-policy: img-src *; media-src * data:;
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Server: cloudflare
CF-RAY: 8831a6ae1d5a88af-LHR
DNS

x2.c.lencr.org

Remote address:

8.8.8.8:53

Request

x2.c.lencr.org

IN A

Response

x2.c.lencr.org

IN CNAME

crl.root-x1.letsencrypt.org.edgekey.net

crl.root-x1.letsencrypt.org.edgekey.net

IN CNAME

e8652.dscx.akamaiedge.net

e8652.dscx.akamaiedge.net

IN A

23.55.97.11
GET

http://x2.c.lencr.org/

Remote address:

23.55.97.11:80

Request

GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: x2.c.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
ETag: "65ca969f-12b"
Cache-Control: max-age=3600
Expires: Mon, 13 May 2024 10:34:09 GMT
Date: Mon, 13 May 2024 09:34:09 GMT
Content-Length: 299
Connection: keep-alive
DNS

5.1.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.1.26.104.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

11.97.55.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.97.55.23.in-addr.arpa

IN PTR

Response

11.97.55.23.in-addr.arpa

IN PTR

a23-55-97-11deploystaticakamaitechnologiescom
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

142.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.53.16.96.in-addr.arpa

IN PTR

Response

142.53.16.96.in-addr.arpa

IN PTR

a96-16-53-142deploystaticakamaitechnologiescom
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

104.26.1.5:443

https://keyauth.win/api/1.2/

tls, http

loader.exe

964 B
7.1kB
9
11

HTTP Request

POST https://keyauth.win/api/1.2/

HTTP Response

200
127.0.0.1:62470

loader.exe
127.0.0.1:62472

loader.exe
23.55.97.11:80

http://x2.c.lencr.org/

http

391 B
760 B
6
4

HTTP Request

GET http://x2.c.lencr.org/

HTTP Response

200
52.111.229.43:443

322 B
7

8.8.8.8:53

keyauth.win

dns

loader.exe

57 B
105 B
1
1

DNS Request

keyauth.win

DNS Response

104.26.1.5

104.26.0.5

172.67.72.57
8.8.8.8:53

x2.c.lencr.org

dns

60 B
165 B
1
1

DNS Request

x2.c.lencr.org

DNS Response

23.55.97.11
8.8.8.8:53

5.1.26.104.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

5.1.26.104.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

11.97.55.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

11.97.55.23.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

142.53.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

142.53.16.96.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

Windows 7 deprecation

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.