Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2024, 13:36 UTC

General

  • Target

    7zSCD97F9B7/61cf42dc105f3_Fri17e8bf67cf5c.exe

  • Size

    123KB

  • MD5

    550df332f73bf3d4477a7db99407bc25

  • SHA1

    b1d3d4b2119195163d9ca10dde2c86f16ad6a45a

  • SHA256

    cb17edd2f1497ec1f54b46d1aa36227b2d6b7a856f3e28771e3aee5e855485db

  • SHA512

    412456d898f92c540b8f243da445466f4874c4f502ee886209186171a7e6e7725e8bfaa2880d0698b783a76a8515b96c822d5333446ac5af2cd953e58e042b6e

  • SSDEEP

    3072:MVcsnNYPnMBRrxqcC/sivuwCmFASKx45LfANZn9KiW1p:XvMBR4ZCaAxiN7p

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42dc105f3_Fri17e8bf67cf5c.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCD97F9B7\61cf42dc105f3_Fri17e8bf67cf5c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1380
      2⤵
      • Program crash
      PID:2792

Network

  • flag-us
    DNS
    iplogger.org
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    104.26.3.46
    iplogger.org
    IN A
    104.26.2.46
    iplogger.org
    IN A
    172.67.74.161
  • flag-us
    GET
    https://iplogger.org/1wa8E7
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    104.26.3.46:443
    Request
    GET /1wa8E7 HTTP/1.1
    Host: iplogger.org
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 25 Dec 2024 13:36:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Content-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    cf-chl-out: qI0j2C5JgVgu2CbJe9Bi0ciLy8VdftuDFzNjE9Axu1zidy/Vpt0jcCv9Hnj0wP29eGS8MpnWax7a+T+zdi5Ys/Lm7nlHk4Pda5KASrW+0tWULRPwcyMWfO/MA34iBROCl45TZyZ8oqiJf5hz1nJ80Q==$SThiQJaSKSjX4jZE+KG3NQ==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2FQGlrwp%2Fj%2FiPU5Vf83rgEXYBKtyMM2Ys5Ik0bfzpRdMKZxyaXnXKpQ%2FkarkTTHUWNyACSVzwlobG4d5mL19Jh%2Bl%2FRiBha1cN%2FFxeayu%2BcLY58URIxBPO%2BtyI4hDKVU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f7938bb4cebedef-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=26981&min_rtt=26054&rtt_var=8688&sent=6&recv=7&lost=0&retrans=1&sent_bytes=3187&recv_bytes=362&delivery_rate=130862&cwnd=232&unsent_bytes=0&cid=cc5f9e14aa9bec6d&ts=367&x=0"
  • flag-us
    DNS
    c.pki.goog
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://c.pki.goog/r/gsr1.crl
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 25 Dec 2024 12:48:34 GMT
    Expires: Wed, 25 Dec 2024 13:38:34 GMT
    Cache-Control: public, max-age=3000
    Age: 2888
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-fr
    GET
    http://c.pki.goog/r/r4.crl
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 25 Dec 2024 13:30:22 GMT
    Expires: Wed, 25 Dec 2024 14:20:22 GMT
    Cache-Control: public, max-age=3000
    Age: 380
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    n4flb.net
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    8.8.8.8:53
    Request
    n4flb.net
    IN A
    Response
  • flag-us
    DNS
    n4flb.net
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    Remote address:
    8.8.8.8:53
    Request
    n4flb.net
    IN A
    Response
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.252.143
    a1363.dscg.akamai.net
    IN A
    2.19.252.157
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.252.143:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 25 Dec 2024 13:37:13 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    184.25.193.234
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    184.25.193.234:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: ca00f663-501e-0037-2bf2-2b8546000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 25 Dec 2024 13:37:13 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV80578340.0
    ms-cv-esi: CASMicrosoftCV80578340.0
    X-RTag: RT
  • 104.26.3.46:443
    https://iplogger.org/1wa8E7
    tls, http
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    1.0kB
    13.9kB
    14
    20

    HTTP Request

    GET https://iplogger.org/1wa8E7

    HTTP Response

    403
  • 142.250.179.67:80
    http://c.pki.goog/r/r4.crl
    http
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    606 B
    5.0kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 2.19.252.143:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 184.25.193.234:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    393 B
    1.7kB
    4
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    iplogger.org
    dns
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    58 B
    106 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    104.26.3.46
    104.26.2.46
    172.67.74.161

  • 8.8.8.8:53
    c.pki.goog
    dns
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    n4flb.net
    dns
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    55 B
    128 B
    1
    1

    DNS Request

    n4flb.net

  • 8.8.8.8:53
    n4flb.net
    dns
    61cf42dc105f3_Fri17e8bf67cf5c.exe
    55 B
    128 B
    1
    1

    DNS Request

    n4flb.net

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.252.143
    2.19.252.157

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    184.25.193.234

MITRE ATT&CK Enterprise v15
