0a663152a82652ed019bd16ad444d18478808c965709d662bba53cd279aa7fd7

Analysis

max time kernel
79s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 21:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60565afe80b272085df3f616431c4bf0N.exe
Size

3.2MB
MD5

60565afe80b272085df3f616431c4bf0
SHA1

0565b1380c909dda1cc51725a8f07404cc3251a8
SHA256

0a663152a82652ed019bd16ad444d18478808c965709d662bba53cd279aa7fd7
SHA512

abe0186067fc7d5d6fe000748fa54a9853650ff2b767b4b2967ed1daa9d65c9d6e33b3807363c3af8c8b17014108409868ca5b6432e77bbb1e3ee51bbbc8ac66
SSDEEP

98304:ATYrPhTuX6vqcakcgFXWcInfecakcdv3kYBiL8gglGHcakcgFXWcInfecakcO:ATupTuXNdlg0nmdlN3LB881GHdlg0nm2

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3380	60565afe80b272085df3f616431c4bf0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3380	60565afe80b272085df3f616431c4bf0N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/64-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0008000000023470-13.dat	upx
behavioral2/memory/3380-15-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
10	pastebin.com

Program crash 18 IoCs

pid	pid_target	Process	procid_target
3516	3380	WerFault.exe	86
1164	3380	WerFault.exe	86
1620	3380	WerFault.exe	86
2812	3380	WerFault.exe	86
2836	3380	WerFault.exe	86
996	3380	WerFault.exe	86
4724	3380	WerFault.exe	86
3868	3380	WerFault.exe	86
4332	3380	WerFault.exe	86
2332	3380	WerFault.exe	86
1476	3380	WerFault.exe	86
4024	3380	WerFault.exe	86
3100	3380	WerFault.exe	86
1916	3380	WerFault.exe	86
4288	3380	WerFault.exe	86
4356	3380	WerFault.exe	86
1432	3380	WerFault.exe	86
516	3380	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60565afe80b272085df3f616431c4bf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60565afe80b272085df3f616431c4bf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4052	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
64	60565afe80b272085df3f616431c4bf0N.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
64	60565afe80b272085df3f616431c4bf0N.exe
3380	60565afe80b272085df3f616431c4bf0N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 3380	64	60565afe80b272085df3f616431c4bf0N.exe	86
PID 64 wrote to memory of 3380	64	60565afe80b272085df3f616431c4bf0N.exe	86
PID 64 wrote to memory of 3380	64	60565afe80b272085df3f616431c4bf0N.exe	86
PID 3380 wrote to memory of 4052	3380	60565afe80b272085df3f616431c4bf0N.exe	88
PID 3380 wrote to memory of 4052	3380	60565afe80b272085df3f616431c4bf0N.exe	88
PID 3380 wrote to memory of 4052	3380	60565afe80b272085df3f616431c4bf0N.exe	88
PID 3380 wrote to memory of 4068	3380	60565afe80b272085df3f616431c4bf0N.exe	91
PID 3380 wrote to memory of 4068	3380	60565afe80b272085df3f616431c4bf0N.exe	91
PID 3380 wrote to memory of 4068	3380	60565afe80b272085df3f616431c4bf0N.exe	91
PID 4068 wrote to memory of 5060	4068	cmd.exe	93
PID 4068 wrote to memory of 5060	4068	cmd.exe	93
PID 4068 wrote to memory of 5060	4068	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\60565afe80b272085df3f616431c4bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\60565afe80b272085df3f616431c4bf0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\60565afe80b272085df3f616431c4bf0N.exe
  C:\Users\Admin\AppData\Local\Temp\60565afe80b272085df3f616431c4bf0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\60565afe80b272085df3f616431c4bf0N.exe" /TN IpGA05kf87aa /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN IpGA05kf87aa > C:\Users\Admin\AppData\Local\Temp\ythZg.xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN IpGA05kf87aa
      4⤵
      System Location Discovery: System Language Discovery
      PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 612
    3⤵
    - Program crash
    PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 632
    3⤵
    - Program crash
    PID:1164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 708
    3⤵
    - Program crash
    PID:1620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 708
    3⤵
    - Program crash
    PID:2812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 740
    3⤵
    - Program crash
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 748
    3⤵
    - Program crash
    PID:996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1492
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1500
    3⤵
    - Program crash
    PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1744
    3⤵
    - Program crash
    PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1552
    3⤵
    - Program crash
    PID:2332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1584
    3⤵
    - Program crash
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1588
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1568
    3⤵
    - Program crash
    PID:3100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1552
    3⤵
    - Program crash
    PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1704
    3⤵
    - Program crash
    PID:4288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1836
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1552
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1624
    3⤵
    - Program crash
    PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3380 -ip 3380
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3380 -ip 3380
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3380 -ip 3380
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3380 -ip 3380
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3380 -ip 3380
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3380 -ip 3380
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3380 -ip 3380
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3380 -ip 3380
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3380 -ip 3380
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3380 -ip 3380
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3380 -ip 3380
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3380 -ip 3380
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3380 -ip 3380
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3380 -ip 3380
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3380 -ip 3380
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3380 -ip 3380
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3380 -ip 3380
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3380 -ip 3380
1⤵
PID:4116

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.3.235

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235
DNS

cutit.org

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

172.232.31.180

cutit.org

IN A

172.232.4.213

cutit.org

IN A

172.232.25.148
GET

https://cutit.org/oxgBR

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

172.232.31.180:443

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: cutit.org
Cache-Control: no-cache

Response

HTTP/1.1 302 Moved Temporarily

Server: openresty
Date: Thu, 05 Sep 2024 21:56:25 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
Location: http://ww99.cutit.org/oxgBR
Cache-Control: no-store, max-age=0
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

235.3.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.3.20.104.in-addr.arpa

IN PTR

Response
DNS

180.31.232.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.31.232.172.in-addr.arpa

IN PTR

Response

180.31.232.172.in-addr.arpa

IN PTR

172-232-31-180iplinodeusercontentcom
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

r10.o.lencr.org

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

r10.o.lencr.org

IN A

Response

r10.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

2.18.190.73

a1887.dscq.akamai.net

IN A

2.18.190.80
GET

http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgTlFRw%2B%2B5JaPTas9Y%2Bm%2Bj6DhQ%3D%3D

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

2.18.190.73:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgTlFRw%2B%2B5JaPTas9Y%2Bm%2Bj6DhQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r10.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "8F9698A9D4AAFD65B7E0FF81C8372D7EE53E71073882D8A80FA64B48E6C48D9D"
Last-Modified: Thu, 05 Sep 2024 10:24:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21054
Expires: Fri, 06 Sep 2024 03:47:18 GMT
Date: Thu, 05 Sep 2024 21:56:24 GMT
Connection: keep-alive
DNS

73.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.190.18.2.in-addr.arpa

IN PTR

Response

73.190.18.2.in-addr.arpa

IN PTR

a2-18-190-73deploystaticakamaitechnologiescom
DNS

168.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.245.100.95.in-addr.arpa

IN PTR

Response

168.245.100.95.in-addr.arpa

IN PTR

a95-100-245-168deploystaticakamaitechnologiescom
DNS

ww99.cutit.org

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

ww99.cutit.org

IN A

Response

ww99.cutit.org

IN A

69.16.230.228
GET

http://ww99.cutit.org/oxgBR

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

69.16.230.228:80

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Cache-Control: no-cache
Host: ww99.cutit.org
Connection: Keep-Alive
DNS

q.gs

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

q.gs

IN A

Response

q.gs

IN A

172.67.193.84

q.gs

IN A

104.21.84.133
GET

http://q.gs/EVnYC

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

172.67.193.84:80

Request

GET /EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; pt-br; MZ608 Build/7.7.1-141-7-FLEM-UMTS-LA) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Host: q.gs
Cache-Control: no-cache

Response

HTTP/1.1 302 Moved Temporarily

Date: Thu, 05 Sep 2024 21:56:25 GMT
Content-Type: text/html
Content-Length: 143
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BZqXbebVhs5IEykxKzhItJkKcWvl%2Fiv3Or9g5oa6THmvlTlmgmTiejfn4Iw1fjOo8dGkG46RzeoUzqWA0LTmUJCfrf9KKDOAgyLpfvk6Ss1hlSIIzf6v"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8be9781c1e5d639d-LHR
DNS

publisher.linkvertise.com

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

publisher.linkvertise.com

IN A

Response

publisher.linkvertise.com

IN A

104.22.22.72

publisher.linkvertise.com

IN A

172.67.31.186

publisher.linkvertise.com

IN A

104.22.23.72
GET

https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

104.22.22.72:443

Request

GET /adfly-hard-migrator/url?url=http://q.gs/EVnYC HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; pt-br; MZ608 Build/7.7.1-141-7-FLEM-UMTS-LA) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Cache-Control: no-cache
Host: publisher.linkvertise.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Thu, 05 Sep 2024 21:56:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4518
Connection: keep-alive
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Thu, 05 Sep 2024 21:56:41 GMT
Set-Cookie: __cf_bm=NY4Kxh.9RPLTgSRdI0y_5rsr9S3ASSO07u1kFw8gVVY-1725573386-1.0.1.1-VHyVLJphzASEqkjWYr8eBTodJK7vhNb0TznzOnkQ08FRNW5uwu0JaFieDVC8saODPluhgTdlsGQHZtXbBpTOVQ; path=/; expires=Thu, 05-Sep-24 22:26:26 GMT; domain=.linkvertise.com; HttpOnly; Secure; SameSite=None
X-Frame-Options: sameorigin
Server: cloudflare
CF-RAY: 8be978235aac948f-LHR
alt-svc: h3=":443"; ma=86400
DNS

c.pki.goog

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.27.94
DNS

228.230.16.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.230.16.69.in-addr.arpa

IN PTR

Response

228.230.16.69.in-addr.arpa

IN PTR

lb05 parklogiccom
DNS

84.193.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.193.67.172.in-addr.arpa

IN PTR

Response
DNS

72.22.22.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.22.22.104.in-addr.arpa

IN PTR

Response
GET

http://c.pki.goog/r/gsr1.crl

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

142.250.27.94:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 05 Sep 2024 21:19:04 GMT
Expires: Thu, 05 Sep 2024 22:09:04 GMT
Cache-Control: public, max-age=3000
Age: 2242
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

60565afe80b272085df3f616431c4bf0N.exe

Remote address:

142.250.27.94:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 05 Sep 2024 21:43:52 GMT
Expires: Thu, 05 Sep 2024 22:33:52 GMT
Cache-Control: public, max-age=3000
Age: 754
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

94.27.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

94.27.250.142.in-addr.arpa

IN PTR

Response

94.27.250.142.in-addr.arpa

IN PTR

ra-in-f941e100net
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

43.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.56.20.217.in-addr.arpa

IN PTR

Response
DNS

35.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.56.20.217.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

104.20.3.235:443

pastebin.com

60565afe80b272085df3f616431c4bf0N.exe

190 B
92 B
4
2
172.232.31.180:443

https://cutit.org/oxgBR

tls, http

60565afe80b272085df3f616431c4bf0N.exe

1.1kB
3.9kB
14
9

HTTP Request

GET https://cutit.org/oxgBR

HTTP Response

302
2.18.190.73:80

http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgTlFRw%2B%2B5JaPTas9Y%2Bm%2Bj6DhQ%3D%3D

http

60565afe80b272085df3f616431c4bf0N.exe

524 B
1.1kB
6
4

HTTP Request

GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgTlFRw%2B%2B5JaPTas9Y%2Bm%2Bj6DhQ%3D%3D

HTTP Response

200
69.16.230.228:80

http://ww99.cutit.org/oxgBR

http

60565afe80b272085df3f616431c4bf0N.exe

416 B
172 B
5
4

HTTP Request

GET http://ww99.cutit.org/oxgBR
172.67.193.84:80

http://q.gs/EVnYC

http

60565afe80b272085df3f616431c4bf0N.exe

497 B
1.0kB
6
4

HTTP Request

GET http://q.gs/EVnYC

HTTP Response

302
104.22.22.72:443

https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC

tls, http

60565afe80b272085df3f616431c4bf0N.exe

1.4kB
9.1kB
17
13

HTTP Request

GET https://publisher.linkvertise.com/adfly-hard-migrator/url?url=http://q.gs/EVnYC

HTTP Response

403
142.250.27.94:80

http://c.pki.goog/r/r4.crl

http

60565afe80b272085df3f616431c4bf0N.exe

602 B
3.9kB
8
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

60565afe80b272085df3f616431c4bf0N.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.3.235

172.67.19.24

104.20.4.235
8.8.8.8:53

cutit.org

dns

60565afe80b272085df3f616431c4bf0N.exe

55 B
103 B
1
1

DNS Request

cutit.org

DNS Response

172.232.31.180

172.232.4.213

172.232.25.148
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

235.3.20.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

235.3.20.104.in-addr.arpa
8.8.8.8:53

180.31.232.172.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

180.31.232.172.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

r10.o.lencr.org

dns

60565afe80b272085df3f616431c4bf0N.exe

61 B
160 B
1
1

DNS Request

r10.o.lencr.org

DNS Response

2.18.190.73

2.18.190.80
8.8.8.8:53

73.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.190.18.2.in-addr.arpa
8.8.8.8:53

168.245.100.95.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

168.245.100.95.in-addr.arpa
8.8.8.8:53

ww99.cutit.org

dns

60565afe80b272085df3f616431c4bf0N.exe

60 B
76 B
1
1

DNS Request

ww99.cutit.org

DNS Response

69.16.230.228
8.8.8.8:53

q.gs

dns

60565afe80b272085df3f616431c4bf0N.exe

50 B
82 B
1
1

DNS Request

q.gs

DNS Response

172.67.193.84

104.21.84.133
8.8.8.8:53

publisher.linkvertise.com

dns

60565afe80b272085df3f616431c4bf0N.exe

71 B
119 B
1
1

DNS Request

publisher.linkvertise.com

DNS Response

104.22.22.72

172.67.31.186

104.22.23.72
8.8.8.8:53

c.pki.goog

dns

60565afe80b272085df3f616431c4bf0N.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.27.94
8.8.8.8:53

228.230.16.69.in-addr.arpa

dns

72 B
104 B
1
1

DNS Request

228.230.16.69.in-addr.arpa
8.8.8.8:53

84.193.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

84.193.67.172.in-addr.arpa
8.8.8.8:53

72.22.22.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

72.22.22.104.in-addr.arpa
8.8.8.8:53

94.27.250.142.in-addr.arpa

dns

72 B
105 B
1
1

DNS Request

94.27.250.142.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

43.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

43.56.20.217.in-addr.arpa
8.8.8.8:53

35.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

35.56.20.217.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60565afe80b272085df3f616431c4bf0N.exe

Filesize
3.2MB

MD5
5cc7d37ea2dfb29892cd465b0fd8eeeb

SHA1
0ae992f79d1870778a0d3efd165309831416ae50

SHA256
6cc48510d51a3165fcede5fff515eb8ffdd912b1f5b44aaa59173f73696a3dcb

SHA512
716e18f28d1922551af11dd48011539a0fb2d5a57d2c15b81b1978498b08efa50d74355b60780ba4fcaf89f6844633938beea2cd659f342f9af144d9d10b60e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ythZg.xml

Filesize
1KB

MD5
13cb1ff77812f36630497541460d3a78

SHA1
32b0507c37521d4122a79aaa241b11e831d5dc70

SHA256
04a74ffab13cec3a99e9d14ebd6dc35ce6730d624d50efcfbdcf6f5c819af05d

SHA512
3be9afac8bcba84d04034c5db58d205a4afe850f416714d267f3bc12c870286b1ec9a7e91870974b2ee4cdc794ea95fb3d6629d095a60e36b1f0d710e51b1bb2

Download Submit
memory/64-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/64-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/64-3-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/64-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3380-15-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/3380-22-0x0000000025010000-0x000000002508E000-memory.dmp

Filesize
504KB

Download
memory/3380-23-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/3380-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3380-45-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.