Analysis

  max time kernel:   137s
  max time network:  74s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26/12/2023, 12:32 UTC

  Static task static1
    1 signatures

  Behavioral task behavioral1
    Sample:    6ec8108b351c0766f4a04ec7aa4b37bb.dll
    Resource:  win7-20231215-en
    1 signatures, 150 seconds

  Behavioral task behavioral2
    Sample:    6ec8108b351c0766f4a04ec7aa4b37bb.dll
    Resource:  win10v2004-20231215-en
    2 signatures, 150 seconds
General

  Target:  6ec8108b351c0766f4a04ec7aa4b37bb.dll
  Size:    92KB
  MD5:     6ec8108b351c0766f4a04ec7aa4b37bb
  SHA1:    3225e298f344b290ef3340b6d66498339c2adefe
  SHA256:  29828dee79dc20847ee00ce0cacea333485270b0fd3cc7e03ed6ce2e384428a4
  SHA512:  3759cf849f532b464ec3d1c6d7624cf46f978659978b81a3dd77dc7b3728bdfd8249207df1b1d43a01156d58a9cbc62912603d924b3086935e2fedc6b932ea2f
  SSDEEP:  1536:37BcvfaiPAlGewIrMifHM1x431M5d4e8qu/E6BRLuFVQTuLpIfUJ:3Nc6BlGewIrV44FM5Oe8qutUFyuWsJ
  Score:   3/10

Malware Config
Signatures

  Program crash (1 IoC)
    pid   pid_target   Process        procid_target
    652   1372         WerFault.exe   14

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                        pid    Process        procid_target
    PID 4860 wrote to memory of 1372   4860   rundll32.exe   14
    PID 4860 wrote to memory of 1372   4860   rundll32.exe   14
    PID 4860 wrote to memory of 1372   4860   rundll32.exe   14
Processes

  C:\Windows\system32\rundll32.exe
    Command line:  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec8108b351c0766f4a04ec7aa4b37bb.dll,#1
    PID:           4860
    Signatures:    Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line:  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec8108b351c0766f4a04ec7aa4b37bb.dll,#1
    PID:           1372

  C:\Windows\SysWOW64\WerFault.exe
    Command line:  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 580
    PID:           652
    Signatures:    Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line:  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1372 -ip 1372
    PID:           808
Network

  DNS lookup (remote address 8.8.8.8:53)
    Request:   g.bing.com IN A
    Response:  g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
               g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
               dual-a-0001.a-msedge.net IN A 204.79.197.200
               dual-a-0001.a-msedge.net IN A 13.107.21.200

  HTTP exchange 1 (remote address 204.79.197.200:443)
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
      HTTP/2.0 204
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=166EA2834B5A67B31BF4B1774ABA664B; domain=.bing.com; expires=Mon, 20-Jan-2025 22:12:43 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E7FA6DB7418441ACB81129E9D163DF49 Ref B: LON04EDGE1018 Ref C: 2023-12-27T22:12:43Z
      date: Wed, 27 Dec 2023 22:12:43 GMT

  HTTP exchange 2 (remote address 204.79.197.200:443)
    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Request:
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=166EA2834B5A67B31BF4B1774ABA664B
    Response:
      HTTP/2.0 204
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=jbH2zaFtbd8qGJG9TJOOlXGWGIimJ8SweLQehjEKqJY; domain=.bing.com; expires=Mon, 20-Jan-2025 22:12:43 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D1692FCADCA44E9CBC655E4AAEBA86A5 Ref B: LON04EDGE1018 Ref C: 2023-12-27T22:12:43Z
      date: Wed, 27 Dec 2023 22:12:43 GMT

  HTTP exchange 3 (remote address 204.79.197.200:443)
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=166EA2834B5A67B31BF4B1774ABA664B; MSPTC=jbH2zaFtbd8qGJG9TJOOlXGWGIimJ8SweLQehjEKqJY
    Response:
      HTTP/2.0 204
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EA026B55092E46B6B5E51DCE8590AA55 Ref B: LON04EDGE1018 Ref C: 2023-12-27T22:12:44Z
      date: Wed, 27 Dec 2023 22:12:44 GMT
  Reverse DNS (PTR) lookups, all sent to 8.8.8.8:53

    Query                          Answer
    23.177.190.20.in-addr.arpa     (empty response)
    204.178.17.96.in-addr.arpa     a96-17-178-204.deploy.static.akamaitechnologies.com
    95.221.229.192.in-addr.arpa    (empty response)
    146.78.124.51.in-addr.arpa     (empty response)
    9.228.82.20.in-addr.arpa       (empty response)
    158.240.127.40.in-addr.arpa    (empty response)
    158.240.127.40.in-addr.arpa    (no response recorded)
    167.109.18.2.in-addr.arpa      a2-18-109-167.deploy.static.akamaitechnologies.com
    57.169.31.20.in-addr.arpa      (empty response)
    50.23.12.20.in-addr.arpa       (empty response)
    140.71.91.104.in-addr.arpa     a104-91-71-140.deploy.static.akamaitechnologies.com
    240.221.184.93.in-addr.arpa    (empty response)
    43.58.199.20.in-addr.arpa      (empty response)
    43.58.199.20.in-addr.arpa      (empty response)
    0.205.248.87.in-addr.arpa      https-87-248-205-0.lgw.llnw.net
    0.205.248.87.in-addr.arpa      https-87-248-205-0.lgw.llnw.net
    0.204.248.87.in-addr.arpa      https-87-248-204-0.lhr.llnw.net
    0.204.248.87.in-addr.arpa      https-87-248-204-0.lhr.llnw.net
  Network flows

    Remote address / protocol       Sent     Received   Pkts out   Pkts in   Content
    204.79.197.200:443  tls, http2  2.2kB    12.5kB     25         22        the three GET https://g.bing.com/neg/0?... requests listed above (emptycreativeimpression, emptycreative, emptycreativeimpression), each answered with HTTP/2.0 204
    8.8.8.8:53  dns                 56 B     158 B      1          1         g.bing.com -> 204.79.197.200, 13.107.21.200
    8.8.8.8:53  dns                 72 B     158 B      1          1         23.177.190.20.in-addr.arpa
    8.8.8.8:53  dns                 72 B     137 B      1          1         204.178.17.96.in-addr.arpa
    8.8.8.8:53  dns                 73 B     144 B      1          1         95.221.229.192.in-addr.arpa
    8.8.8.8:53  dns                 72 B     158 B      1          1         146.78.124.51.in-addr.arpa
    8.8.8.8:53  dns                 70 B     156 B      1          1         9.228.82.20.in-addr.arpa
    8.8.8.8:53  dns                 146 B    147 B      2          1         158.240.127.40.in-addr.arpa (2 requests)
    8.8.8.8:53  dns                 71 B     135 B      1          1         167.109.18.2.in-addr.arpa
    8.8.8.8:53  dns                 71 B     157 B      1          1         57.169.31.20.in-addr.arpa
    8.8.8.8:53  dns                 70 B     156 B      1          1         50.23.12.20.in-addr.arpa
    8.8.8.8:53  dns                 72 B     137 B      1          1         140.71.91.104.in-addr.arpa
    8.8.8.8:53  dns                 73 B     144 B      1          1         240.221.184.93.in-addr.arpa
    8.8.8.8:53  dns                 142 B    314 B      2          2         43.58.199.20.in-addr.arpa (2 requests)
    8.8.8.8:53  dns                 142 B    232 B      2          2         0.205.248.87.in-addr.arpa (2 requests)
    8.8.8.8:53  dns                 142 B    232 B      2          2         0.204.248.87.in-addr.arpa (2 requests)