Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 10:01 UTC

General

  • Target

    65a71e797532fd22ae5ad59d92367d0f.exe

  • Size

    426KB

  • MD5

    65a71e797532fd22ae5ad59d92367d0f

  • SHA1

    49a1f0640a792f383ce33dcd4abf411ffac3db7f

  • SHA256

    12ea8131dddcc2466ede5afedc007dc83bed3f5cd06480507cd8d36433a4c208

  • SHA512

    298e085300468ed3deb93e28ff76c9f319c65af6ad3dcbdf8feacc4830ade7c968b229feb1cd1559cb36627712e45ffda04e75a18c68839e6bc7534e55fac1ea

  • SSDEEP

    12288:NtKe6Zv23YdAPaPUD18t2o7UZlgEt4lsAXA2:d6Zv2aP7tiTt4lTXx

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65a71e797532fd22ae5ad59d92367d0f.exe
    "C:\Users\Admin\AppData\Local\Temp\65a71e797532fd22ae5ad59d92367d0f.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:4008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 700
      2⤵
      • Program crash
      PID:2656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4008 -ip 4008
    1⤵
    PID:4908

    Network

    • flag-us
      DNS
      18.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.179.17.96.in-addr.arpa
      IN PTR
      Response
      18.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-18.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      16.53.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      16.53.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=09DBB6F116FE6355246AA505171E624B; domain=.bing.com; expires=Mon, 20-Jan-2025 17:08:41 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 52C32FCD61B1439BAB19694113577B02 Ref B: LON04EDGE1212 Ref C: 2023-12-27T17:08:41Z
      date: Wed, 27 Dec 2023 17:08:40 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=09DBB6F116FE6355246AA505171E624B
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=7CiSQhzzcXcVWZywGbWRTI53ysM6nr-w6BfSdRAQ3_A; domain=.bing.com; expires=Mon, 20-Jan-2025 17:08:41 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 29341BD79A6547558EC5D652A4FCE051 Ref B: LON04EDGE1212 Ref C: 2023-12-27T17:08:41Z
      date: Wed, 27 Dec 2023 17:08:40 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=09DBB6F116FE6355246AA505171E624B; MSPTC=7CiSQhzzcXcVWZywGbWRTI53ysM6nr-w6BfSdRAQ3_A
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 72599AC2BAD144EAB8CEBC347743AE89 Ref B: LON04EDGE1212 Ref C: 2023-12-27T17:08:41Z
      date: Wed, 27 Dec 2023 17:08:41 GMT
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      9.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.179.17.96.in-addr.arpa
      IN PTR
      Response
      9.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-9.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      53.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.179.17.96.in-addr.arpa
      IN PTR
      Response
      53.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-53.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      53.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.179.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      67.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.179.17.96.in-addr.arpa
      IN PTR
      Response
      67.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-67.deploy.static.akamaitechnologies.com
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
      tls, http2
      2.1kB
      9.8kB
      23
      20

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

      HTTP Response

      204
    • 138.91.171.81:80
      46 B
      1
    • 8.8.8.8:53
      18.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      18.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      16.53.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      16.53.126.40.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      168 B
      158 B
      3
      1

      DNS Request

      g.bing.com

      DNS Request

      g.bing.com

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      142 B
      135 B
      2
      1

      DNS Request

      41.110.16.96.in-addr.arpa

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      142 B
      145 B
      2
      1

      DNS Request

      206.23.85.13.in-addr.arpa

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      9.179.17.96.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      9.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      53.179.17.96.in-addr.arpa
      dns
      142 B
      135 B
      2
      1

      DNS Request

      53.179.17.96.in-addr.arpa

      DNS Request

      53.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      22.236.111.52.in-addr.arpa
      dns
      216 B
      158 B
      3
      1

      DNS Request

      22.236.111.52.in-addr.arpa

      DNS Request

      22.236.111.52.in-addr.arpa

      DNS Request

      22.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      67.179.17.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      67.179.17.96.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\concp32.exe

      Filesize

      426KB

      MD5

      d3f54891b93d73aae9ebbe2d1f6bd20d

      SHA1

      23baf56124a27206734b1ee44afa45d262b70fae

      SHA256

      2ea3b537ecae9b672b6feaf8f40e2019ea6968ebf7387fc28481c2ae3a36e377

      SHA512

      bafdf5e1e1263698a8d7e48e53ba7e7fee8afd8b22a83d3c6e41b12baa1ddf2ed123972b3c78dbce8f8a21c97854c859c81cac133879fa9851792ef4854a37b4

    • memory/4008-0-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB

    • memory/4008-7-0x0000000000400000-0x0000000000435000-memory.dmp

      Filesize

      212KB
