Analysis

  • max time kernel
    96s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 04:45 UTC

General

  • Target

    05ee6e633e7c5eecfaed281b51bd2047.exe

  • Size

    44KB

  • MD5

    05ee6e633e7c5eecfaed281b51bd2047

  • SHA1

    305087d2a6f1515303e227230ece2942c649086c

  • SHA256

    48fe223e0a1579a0c931b440edea83668e00671ee161f33daa27c560d8cb22a1

  • SHA512

    0f2bd03451dee62e1c6d6ceb51e0604b1694359ec98ec49e5a06c33da460cdc43a4ef6c688942b2f3e4c70f5064e5d2f1173f231df52dc51407d3d8d4e4a0097

  • SSDEEP

    768:IpeBtNUbOERPJCYjDFypeGgvECjugkpprSLUU9UDec:IpMtSbOEdjRypeG0ZjP8OMDec

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05ee6e633e7c5eecfaed281b51bd2047.exe
    "C:\Users\Admin\AppData\Local\Temp\05ee6e633e7c5eecfaed281b51bd2047.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{22D6A6CA-F27D-DB40-8986-A0061B9B1DB0}" /f
      2⤵
      PID:3328
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\05EE6E~1.EXE > nul
      2⤵
      PID:2184

Network

      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.a-0001.a-msedge.net
        g-bing-com.a-0001.a-msedge.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=00196BAE167962D5035D785C179963F3; domain=.bing.com; expires=Sat, 18-Jan-2025 14:39:46 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 7F42C470B741431A941C4986B5390EC2 Ref B: LON04EDGE1115 Ref C: 2023-12-25T14:39:46Z
        date: Mon, 25 Dec 2023 14:39:45 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=00196BAE167962D5035D785C179963F3
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=Vyj_TXsbu0EGPUNmlZBbRt21NNgBb0KnQ-B0EBxDou0; domain=.bing.com; expires=Sat, 18-Jan-2025 14:39:46 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 30C1C449EF0C4009BC55BD7EA5CACF82 Ref B: LON04EDGE1115 Ref C: 2023-12-25T14:39:46Z
        date: Mon, 25 Dec 2023 14:39:45 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=00196BAE167962D5035D785C179963F3; MSPTC=Vyj_TXsbu0EGPUNmlZBbRt21NNgBb0KnQ-B0EBxDou0
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 7506DD322F064EC4A2D20C19ECDA8D9F Ref B: LON04EDGE1115 Ref C: 2023-12-25T14:39:46Z
        date: Mon, 25 Dec 2023 14:39:45 GMT
      • flag-us
        DNS
        4.181.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        4.181.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.178.17.96.in-addr.arpa
        IN PTR
        Response
        209.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-209.deploy.static.akamaitechnologies.com
      • flag-kr
        GET
        http://211.255.23.46/counter/update1.txt
        05ee6e633e7c5eecfaed281b51bd2047.exe
        Remote address:
        211.255.23.46:80
        Request
        GET /counter/update1.txt HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
        Host: 211.255.23.46
        Cache-Control: no-cache
        Response
        HTTP/1.1 404 Not Found
        Date: Mon, 25 Dec 2023 14:39:54 GMT
        Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 mod_wsgi/3.4 Python/2.7.5 PHP/7.3.10
        Content-Length: 217
        Content-Type: text/html; charset=iso-8859-1
      • flag-us
        DNS
        55.36.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        55.36.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        46.23.255.211.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        46.23.255.211.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        41.110.16.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.110.16.96.in-addr.arpa
        IN PTR
        Response
        41.110.16.96.in-addr.arpa
        IN PTR
        a96-16-110-41.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        103.169.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        103.169.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        103.169.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        103.169.127.40.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        18.134.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.134.221.88.in-addr.arpa
        IN PTR
        Response
        18.134.221.88.in-addr.arpa
        IN PTR
        a88-221-134-18.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        210.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        210.178.17.96.in-addr.arpa
        IN PTR
        Response
        210.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-210.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      • 138.91.171.81:80
        208 B
        4
      • 204.79.197.200:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        tls, http2
        2.0kB
        9.4kB
        21
        18

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=441629e34ba44d6a91980a1172a3e39f&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

        HTTP Response

        204
      • 211.255.23.46:80
        http://211.255.23.46/counter/update1.txt
        http
        05ee6e633e7c5eecfaed281b51bd2047.exe
        872 B
        1.2kB
        11
        6

        HTTP Request

        GET http://211.255.23.46/counter/update1.txt

        HTTP Response

        404
      • 121.254.165.105:80
        05ee6e633e7c5eecfaed281b51bd2047.exe
        260 B
        5
      • 224.0.0.251:5353
        122 B
        2
      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        158 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53
        4.181.190.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        4.181.190.20.in-addr.arpa

      • 8.8.8.8:53
        209.178.17.96.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        209.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        55.36.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        55.36.223.20.in-addr.arpa

      • 8.8.8.8:53
        241.154.82.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.154.82.20.in-addr.arpa

      • 8.8.8.8:53
        46.23.255.211.in-addr.arpa
        dns
        72 B
        128 B
        1
        1

        DNS Request

        46.23.255.211.in-addr.arpa

      • 8.8.8.8:53
        41.110.16.96.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        41.110.16.96.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        103.169.127.40.in-addr.arpa
        dns
        146 B
        147 B
        2
        1

        DNS Request

        103.169.127.40.in-addr.arpa

        DNS Request

        103.169.127.40.in-addr.arpa

      • 8.8.8.8:53
        18.31.95.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        18.31.95.13.in-addr.arpa

      • 8.8.8.8:53
        18.134.221.88.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        18.134.221.88.in-addr.arpa

      • 8.8.8.8:53
        210.178.17.96.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        210.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15
