4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 19:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
Size

2.1MB
MD5

9e5b8bd11d639d2c2a8b5847011260c9
SHA1

3ced05bb135af8ab9bc78bdf0f7085faa62bcc19
SHA256

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474
SHA512

43da35faffeb8c6964ddc8b31872bf6db0dd3983dc6bedeaf4bbda5c21b9f60efef2e43d3ca9f80e158f42b3d9c43235016dfc9a5e8eae64f9c2a3817629483f
SSDEEP

49152:eYsjh8tjYNswedQNvvrueSnjECzs/EtL+U14w+loiTFd69/EtH:wOKedQ5unj0oM6e

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2884	2876	WerFault.exe	85
2680	3880	WerFault.exe	95
4804	3880	WerFault.exe	95
2556	3880	WerFault.exe	95
3816	3880	WerFault.exe	95
116	3880	WerFault.exe	95
1488	3880	WerFault.exe	95
552	3880	WerFault.exe	95
4292	3880	WerFault.exe	95
1208	3880	WerFault.exe	95
4928	3880	WerFault.exe	95
4708	3880	WerFault.exe	95
812	3880	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3880	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3880	2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe	95
PID 2876 wrote to memory of 3880	2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe	95
PID 2876 wrote to memory of 3880	2876	4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe	95

C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
"C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 344
  2⤵
  - Program crash
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
  C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 344
    3⤵
    - Program crash
    PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 636
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 644
    3⤵
    - Program crash
    PID:2556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 644
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 688
    3⤵
    - Program crash
    PID:116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 936
    3⤵
    - Program crash
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1396
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1392
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1492
    3⤵
    - Program crash
    PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1720
    3⤵
    - Program crash
    PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1700
    3⤵
    - Program crash
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1108
    3⤵
    - Program crash
    PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2876 -ip 2876
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3880 -ip 3880
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3880 -ip 3880
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3880 -ip 3880
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3880 -ip 3880
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3880 -ip 3880
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:3200

Network

DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

48.254.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.254.221.88.in-addr.arpa

IN PTR

Response

48.254.221.88.in-addr.arpa

IN PTR

a88-221-254-48deploystaticakamaitechnologiescom
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

198.5.85.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.5.85.104.in-addr.arpa

IN PTR

Response

198.5.85.104.in-addr.arpa

IN PTR

a104-85-5-198deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

104.20.68.143
GET

https://pastebin.com/raw/AqndxJKK

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Remote address:

172.67.34.170:443

Request

GET /raw/AqndxJKK HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Host: pastebin.com
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Tue, 14 Nov 2023 20:03:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-frame-options: DENY
x-content-type-options: nosniff
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 715
Server: cloudflare
CF-RAY: 8261db428fc466f0-AMS
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

170.34.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.34.67.172.in-addr.arpa

IN PTR

Response
DNS

146.99.217.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.99.217.23.in-addr.arpa

IN PTR

Response

146.99.217.23.in-addr.arpa

IN PTR

a23-217-99-146deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 498337
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EA49A70EF1784FB980829CB24CABFC9D Ref B: DUS30EDGE0720 Ref C: 2023-11-14T20:03:42Z
date: Tue, 14 Nov 2023 20:03:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301045_1V3F59LO4JDHHM1AD&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301045_1V3F59LO4JDHHM1AD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 389552
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5876642087CB438CB6A3527264264CDF Ref B: DUS30EDGE0720 Ref C: 2023-11-14T20:03:42Z
date: Tue, 14 Nov 2023 20:03:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 543528
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 58BA861C30EF46C3AD7E4D17344AC9A0 Ref B: DUS30EDGE0720 Ref C: 2023-11-14T20:03:42Z
date: Tue, 14 Nov 2023 20:03:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 485755
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0A4A5D551E524F05B21E40DFA487704E Ref B: DUS30EDGE0720 Ref C: 2023-11-14T20:03:42Z
date: Tue, 14 Nov 2023 20:03:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301033_1LC8H97PHI36W759M&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301033_1LC8H97PHI36W759M&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 358283
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9176FC3630BE4C7997619EF967824E5A Ref B: DUS30EDGE0720 Ref C: 2023-11-14T20:03:43Z
date: Tue, 14 Nov 2023 20:03:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301466_1PCHXC6THHPTM3TTR&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301466_1PCHXC6THHPTM3TTR&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 299167
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4EC1675F07734D2D95E32A076F68A88D Ref B: DUS30EDGE0720 Ref C: 2023-11-14T20:04:02Z
date: Tue, 14 Nov 2023 20:04:02 GMT
DNS

147.255.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.255.221.88.in-addr.arpa

IN PTR

Response

147.255.221.88.in-addr.arpa

IN PTR

a88-221-255-147deploystaticakamaitechnologiescom
DNS

10.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.179.89.13.in-addr.arpa

IN PTR

Response

172.67.34.170:443

https://pastebin.com/raw/AqndxJKK

tls, http

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

1.1kB
4.5kB
13
9

HTTP Request

GET https://pastebin.com/raw/AqndxJKK

HTTP Response

404
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301466_1PCHXC6THHPTM3TTR&pid=21.2&w=1080&h=1920&c=4

tls, http2

101.4kB
2.7MB
1945
1941

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301478_1ATXLTSLM5UX4ZJYP&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301045_1V3F59LO4JDHHM1AD&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301589_1ELTX2YB56L7P0UAL&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301180_12QE0TUIBFKPVIEKD&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301033_1LC8H97PHI36W759M&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301466_1PCHXC6THHPTM3TTR&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14

8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

48.254.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

48.254.221.88.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

198.5.85.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

198.5.85.104.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.67.143

104.20.68.143
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

170.34.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

170.34.67.172.in-addr.arpa
8.8.8.8:53

146.99.217.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

146.99.217.23.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

147.255.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.255.221.88.in-addr.arpa
8.8.8.8:53

10.179.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

10.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c61ae09285cbd2e59772af9b8124ef611c5a3ea87f36e5a7a1f2b380c0cf474.exe

Filesize
2.1MB

MD5
800295b92b8f6449b5da6876d0b204b6

SHA1
a7120b92be6c821e6327220ca0f72820b4abe277

SHA256
7c7a01c47ebc721d61806c9d5d04492617ba225eaca1edfbfbc72742bb67b1a1

SHA512
41dd3f8c7d72b90d2a54060cf1fb831d1e92595f34721d78249a7886f30795b435dcf4bbf9f8ea3db300743ce6b1ec45fa70c6055541c191dff8abaa7eba961a

Download Submit
memory/2876-0-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2876-6-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3880-7-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3880-8-0x0000000004FC0000-0x00000000050CE000-memory.dmp

Filesize
1.1MB

Download
memory/3880-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3880-19-0x000000000BAF0000-0x000000000BBB0000-memory.dmp

Filesize
768KB

Download
memory/3880-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.