Resubmissions
09/08/2024, 00:46 UTC
240809-a4lkeaxcjd 106/08/2024, 17:35 UTC
240806-v56l7avfnr 101/08/2024, 21:24 UTC
240801-z89v8s1cjb 1Analysis
-
max time kernel
277s -
max time network
294s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
01/08/2024, 21:24 UTC
General
-
Target
1.scr
-
Size
371KB
-
MD5
29b8d499c4ae98d7107a28477b01c5e4
-
SHA1
3efa32d32c4b7cc88120008c79c380c3a0c80933
-
SHA256
6c641b4d5c5032270b712691c0b4fef9332601cfe2d7d6a07169fe410058f6ea
-
SHA512
533d672b77801b1a1e65d19cc1b32caa93a67ee58ecffd61adb586369805fe973f534bd37b5406e16a68014da963224e4dee3ddea8d2205ce6332d7ee4d1a94f
-
SSDEEP
6144:aWJEs8PunzXNHsWBElFoZurwEGgKaebh4eV0ljQ95a0EJ6UA:aWJz86TNHsW6lKZP8yhvuQ5vEO
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Users\Admin\AppData\Local\Temp\1.scr"C:\Users\Admin\AppData\Local\Temp\1.scr" /S1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
-
DNS240.221.184.93.in-addr.arpaRemote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse -
DNS88.156.103.20.in-addr.arpaRemote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
DNSblowjob-avenue.comRemote address:8.8.8.8:53Requestblowjob-avenue.comIN AResponseblowjob-avenue.comIN A194.48.248.52
-
POSThttp://blowjob-avenue.com/Remote address:194.48.248.52:80RequestPOST / HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla / 5.0 (Windows NT 10.0; rv: 1.0) Gecko / 19041 Sonderklasse / 1.0
Content-Length: 67
Host: blowjob-avenue.com
ResponseHTTP/1.1 200 OK
Server: nginx/1.25.4
Date: Thu, 01 Aug 2024 21:24:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 68
-
DNS52.248.48.194.in-addr.arpaRemote address:8.8.8.8:53Request52.248.48.194.in-addr.arpaIN PTRResponse
-
DNS86.23.85.13.in-addr.arpaRemote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
DNS172.214.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
DNS18.31.95.13.in-addr.arpaRemote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
DNS19.229.111.52.in-addr.arpaRemote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
POSThttp://blowjob-avenue.com/Remote address:194.48.248.52:80RequestPOST / HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla / 5.0 (Windows NT 10.0; rv: 1.0) Gecko / 19041 Sonderklasse / 1.0
Content-Length: 202
Host: blowjob-avenue.com
ResponseHTTP/1.1 200 OK
Server: nginx/1.25.4
Date: Thu, 01 Aug 2024 21:29:22 GMT
Content-Type: text/plain; charset=utf-8
Content-Encoding: gzip
Content-Length: 251
Vary: Accept-Encoding
-
194.48.248.52:80http://blowjob-avenue.com/http
HTTP Request
POST http://blowjob-avenue.com/HTTP Response
200 -
194.48.248.52:80http://blowjob-avenue.com/http
HTTP Request
POST http://blowjob-avenue.com/HTTP Response
200
-
8.8.8.8:53240.221.184.93.in-addr.arpadns
DNS Request
240.221.184.93.in-addr.arpa
-
8.8.8.8:5388.156.103.20.in-addr.arpadns
DNS Request
88.156.103.20.in-addr.arpa
-
8.8.8.8:53blowjob-avenue.comdns
DNS Request
blowjob-avenue.com
DNS Response
194.48.248.52
-
8.8.8.8:5352.248.48.194.in-addr.arpadns
DNS Request
52.248.48.194.in-addr.arpa
-
8.8.8.8:5386.23.85.13.in-addr.arpadns
DNS Request
86.23.85.13.in-addr.arpa
-
8.8.8.8:5318.31.95.13.in-addr.arpadns
DNS Request
18.31.95.13.in-addr.arpa
-
8.8.8.8:53172.214.232.199.in-addr.arpadns
DNS Request
172.214.232.199.in-addr.arpa
-
8.8.8.8:5319.229.111.52.in-addr.arpadns
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
240KB