Analysis

  • max time kernel
    137s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 12:32 UTC

General

  • Target

    6ec8108b351c0766f4a04ec7aa4b37bb.dll

  • Size

    92KB

  • MD5

    6ec8108b351c0766f4a04ec7aa4b37bb

  • SHA1

    3225e298f344b290ef3340b6d66498339c2adefe

  • SHA256

    29828dee79dc20847ee00ce0cacea333485270b0fd3cc7e03ed6ce2e384428a4

  • SHA512

    3759cf849f532b464ec3d1c6d7624cf46f978659978b81a3dd77dc7b3728bdfd8249207df1b1d43a01156d58a9cbc62912603d924b3086935e2fedc6b932ea2f

  • SSDEEP

    1536:37BcvfaiPAlGewIrMifHM1x431M5d4e8qu/E6BRLuFVQTuLpIfUJ:3Nc6BlGewIrV44FM5Oe8qutUFyuWsJ

Score
3/10

Malware Config

Signatures

  • Program crash (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\SysWOW64\rundll32.exe (32-bit rundll32), PID 1372
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec8108b351c0766f4a04ec7aa4b37bb.dll,#1
    • C:\Windows\SysWOW64\WerFault.exe, PID 652 (child of 1372)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 580
      • Program crash
  • C:\Windows\system32\rundll32.exe (64-bit rundll32), PID 4860
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec8108b351c0766f4a04ec7aa4b37bb.dll,#1
    • Suspicious use of WriteProcessMemory
  • C:\Windows\SysWOW64\WerFault.exe, PID 808
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1372 -ip 1372

Network

  • DNS A query: g.bing.com (resolver 8.8.8.8:53)
    Response:
      g.bing.com  CNAME  g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net  CNAME  dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net  A  204.79.197.200
      dual-a-0001.a-msedge.net  A  13.107.21.200

  • HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response: HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=166EA2834B5A67B31BF4B1774ABA664B; domain=.bing.com; expires=Mon, 20-Jan-2025 22:12:43 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E7FA6DB7418441ACB81129E9D163DF49 Ref B: LON04EDGE1018 Ref C: 2023-12-27T22:12:43Z
      date: Wed, 27 Dec 2023 22:12:43 GMT

  • HTTP GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=166EA2834B5A67B31BF4B1774ABA664B
    Response: HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=jbH2zaFtbd8qGJG9TJOOlXGWGIimJ8SweLQehjEKqJY; domain=.bing.com; expires=Mon, 20-Jan-2025 22:12:43 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D1692FCADCA44E9CBC655E4AAEBA86A5 Ref B: LON04EDGE1018 Ref C: 2023-12-27T22:12:43Z
      date: Wed, 27 Dec 2023 22:12:43 GMT

  • HTTP GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e929ea349462470f9d15634d6c7908b5&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=166EA2834B5A67B31BF4B1774ABA664B; MSPTC=jbH2zaFtbd8qGJG9TJOOlXGWGIimJ8SweLQehjEKqJY
    Response: HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EA026B55092E46B6B5E51DCE8590AA55 Ref B: LON04EDGE1018 Ref C: 2023-12-27T22:12:44Z
      date: Wed, 27 Dec 2023 22:12:44 GMT

  • Reverse (PTR) lookups, all sent to 8.8.8.8:53; "empty" means the response carried no PTR record:
      23.177.190.20.in-addr.arpa    empty
      204.178.17.96.in-addr.arpa    a96-17-178-204.deploy.static.akamaitechnologies.com
      95.221.229.192.in-addr.arpa   empty
      146.78.124.51.in-addr.arpa    empty
      9.228.82.20.in-addr.arpa      empty
      158.240.127.40.in-addr.arpa   empty (queried twice; only one response recorded)
      167.109.18.2.in-addr.arpa     a2-18-109-167.deploy.static.akamaitechnologies.com
      57.169.31.20.in-addr.arpa     empty
      50.23.12.20.in-addr.arpa      empty
      140.71.91.104.in-addr.arpa    a104-91-71-140.deploy.static.akamaitechnologies.com
      240.221.184.93.in-addr.arpa   empty
      43.58.199.20.in-addr.arpa     empty (queried twice)
      0.205.248.87.in-addr.arpa     https-87-248-205-0.lgw.llnw.net (queried twice)
      0.204.248.87.in-addr.arpa     https-87-248-204-0.lhr.llnw.net (queried twice)
Connections (remote endpoint; host or query; protocol; bytes sent / received; packets sent / received)

  • 204.79.197.200:443  g.bing.com  tls, http2  2.2kB / 12.5kB  25 / 22
    three GET requests to https://g.bing.com/neg/0 (the exchanges listed above), each answered with HTTP 204
  • 138.91.171.81:80  104 B  2
  • 20.231.121.79:80
  • 13.95.31.18:443
  • 13.95.31.18:443
  • 104.91.71.134:80
  • 2.18.110.57:80
  • 20.231.121.79:80
  • 173.222.13.185:80
  • 173.222.13.185:80
  • 20.54.110.119:443
  • 13.95.31.18:443
  • 104.91.71.140:80
  • 104.91.71.140:80
  • 93.184.221.240:80
  • 52.111.227.13:443
  • 204.79.197.200:443 (five further connections, no detail recorded)
  • 8.8.8.8:53  g.bing.com  dns  56 B / 158 B  1 / 1
    response: 204.79.197.200, 13.107.21.200
  • 8.8.8.8:53  23.177.190.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  204.178.17.96.in-addr.arpa  dns  72 B / 137 B  1 / 1
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B / 144 B  1 / 1
  • 8.8.8.8:53  146.78.124.51.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  9.228.82.20.in-addr.arpa  dns  70 B / 156 B  1 / 1
  • 8.8.8.8:53  158.240.127.40.in-addr.arpa  dns  146 B / 147 B  2 / 1
  • 8.8.8.8:53  167.109.18.2.in-addr.arpa  dns  71 B / 135 B  1 / 1
  • 8.8.8.8:53  57.169.31.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
  • 8.8.8.8:53  50.23.12.20.in-addr.arpa  dns  70 B / 156 B  1 / 1
  • 8.8.8.8:53  140.71.91.104.in-addr.arpa  dns  72 B / 137 B  1 / 1
  • 8.8.8.8:53  240.221.184.93.in-addr.arpa  dns  73 B / 144 B  1 / 1
  • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  142 B / 314 B  2 / 2
  • 8.8.8.8:53  0.205.248.87.in-addr.arpa  dns  142 B / 232 B  2 / 2
  • 8.8.8.8:53  0.204.248.87.in-addr.arpa  dns  142 B / 232 B  2 / 2
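The Network section above mixes one forward lookup and three HTTP exchanges with a long tail of reverse lookups and bare TCP connections, and on a 3/10 report the first job is to decide which of it the sample can be blamed for. The Python below is an added triage example, not part of the sandbox report or its tooling; it buckets records constructed from the entries above. Its assumptions are marked in the code: requests whose user-agent starts with a prefix in BACKGROUND_USER_AGENTS are attributed to Windows components rather than to the sample (WindowsShellClient is the Start menu's client, Microsoft-CryptoAPI the certificate-revocation fetcher), and a PTR query is treated as evidence of interest only when the address it asks about also appears as a connection peer.

```python
import ipaddress

# Constructed from the Network section above (query strings shortened to the
# action parameter; the report lists the full URLs).
HTTP_REQUESTS = [
    {"host": "g.bing.com", "path": "/neg/0?action=emptycreativeimpression",
     "user_agent": "WindowsShellClient/9.0.40929.0 (Windows)", "status": 204},
    {"host": "g.bing.com", "path": "/neg/0?action=emptycreative",
     "user_agent": "WindowsShellClient/9.0.40929.0 (Windows)", "status": 204},
    {"host": "g.bing.com", "path": "/neg/0?action=emptycreativeimpression",
     "user_agent": "WindowsShellClient/9.0.40929.0 (Windows)", "status": 204},
]
DNS_ANSWERS = {"g.bing.com": ["204.79.197.200", "13.107.21.200"]}
DNS_QUERIES = [
    "g.bing.com",
    "23.177.190.20.in-addr.arpa", "204.178.17.96.in-addr.arpa", "95.221.229.192.in-addr.arpa",
    "146.78.124.51.in-addr.arpa", "9.228.82.20.in-addr.arpa", "158.240.127.40.in-addr.arpa",
    "158.240.127.40.in-addr.arpa", "167.109.18.2.in-addr.arpa", "57.169.31.20.in-addr.arpa",
    "50.23.12.20.in-addr.arpa", "140.71.91.104.in-addr.arpa", "240.221.184.93.in-addr.arpa",
    "43.58.199.20.in-addr.arpa", "0.205.248.87.in-addr.arpa", "0.204.248.87.in-addr.arpa",
]
CONNECTIONS = [
    "138.91.171.81:80", "20.231.121.79:80", "13.95.31.18:443", "104.91.71.134:80",
    "2.18.110.57:80", "173.222.13.185:80", "20.54.110.119:443", "104.91.71.140:80",
    "93.184.221.240:80", "52.111.227.13:443", "204.79.197.200:443",
]

# Assumption: user-agent prefixes of Windows components, not of the sample.
# Extend with the agents known to be benign in your own sandbox image.
BACKGROUND_USER_AGENTS = ("WindowsShellClient/", "Microsoft-CryptoAPI/")


def ptr_to_ip(name):
    """'23.177.190.20.in-addr.arpa' -> '20.190.177.23'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify_http(req):
    """Attribute a request to a Windows component or leave it for the analyst."""
    if req.get("user_agent", "").startswith(BACKGROUND_USER_AGENTS):
        return "os-background"
    return "unattributed"


def triage_network(http_requests, dns_queries, dns_answers, connections):
    """Bucket the capture into what needs attention and what is resolver/OS noise."""
    conn_ips = {c.rsplit(":", 1)[0] for c in connections}
    reverse = {}  # PTR name -> address it asks about (repeat queries collapse)
    forward = []
    for q in dns_queries:
        ip = ptr_to_ip(q)
        if ip is None:
            forward.append(q)
        else:
            reverse[q] = ip
    # Connection peers that a forward lookup in the capture resolved to.
    named = {ip: name for name, ips in dns_answers.items() for ip in ips if ip in conn_ips}
    return {
        "http_unattributed": [r for r in http_requests if classify_http(r) != "os-background"],
        "forward_queries": forward,
        "named_connections": named,
        "unnamed_connections": sorted(conn_ips - set(named)),
        "ptr_for_contacted_ips": sorted(ip for ip in reverse.values() if ip in conn_ips),
        "ptr_only": sorted(set(reverse.values()) - conn_ips),
    }


if __name__ == "__main__":
    for key, value in triage_network(HTTP_REQUESTS, DNS_QUERIES, DNS_ANSWERS, CONNECTIONS).items():
        print(f"{key}: {value}")
```

On this report every HTTP request lands in the background bucket, only g.bing.com was resolved inside the capture, and just two of the fourteen reverse-looked-up addresses (104.91.71.140 and 93.184.221.240) were also connected to. The ten connections with no name in the capture were either resolved before capture started or never resolved at all; that list, not the PTR noise, is where to look if the sample is suspected of hard-coded C2.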

MITRE ATT&CK Matrix

Downloads

  • memory/1372-0-0x0000000010000000-0x0000000010022000-memory.dmp
    Filesize: 136KB
  • memory/1372-1-0x0000000002900000-0x0000000002A00000-memory.dmp
    Filesize: 1024KB
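The process tree and the two dumps above are the substantive part of this report: rundll32 calls the DLL's export by ordinal (#1) from the user's Temp directory, the 64-bit host (system32) and the 32-bit host (SysWOW64) both appear with the same command line, and WerFault reports a crash of PID 1372, the process both dumps were taken from. The Python below is an added example, not the sandbox's own code, that automates that cross-referencing over records constructed from the report. Its assumptions are marked in the code: the list of user-writable path fragments, the single parent link read off the tree's nesting, the meaning of the WerFault switches, and the reading of 0x10000000 as the linker's default 32-bit DLL image base, which makes the 136KB dump at that address the mapped DLL itself rather than injected memory. One caveat the signature list does not state: the WriteProcessMemory hit is on the 64-bit rundll32, and creating a child process also writes into the child's address space, so on a process that spawns a child it is weak evidence of injection by itself.

```python
import re
from pathlib import PureWindowsPath

# Constructed from the process tree and the memory dumps in the report above.
# The only parent/child link the tree shows is WerFault 652 nested under 1372.
PROCESSES = [
    {"pid": 1372, "parent": None, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec8108b351c0766f4a04ec7aa4b37bb.dll,#1"},
    {"pid": 652, "parent": 1372, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 580"},
    {"pid": 4860, "parent": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ec8108b351c0766f4a04ec7aa4b37bb.dll,#1"},
    {"pid": 808, "parent": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1372 -ip 1372"},
]
DUMPS = [
    "memory/1372-0-0x0000000010000000-0x0000000010022000-memory.dmp",
    "memory/1372-1-0x0000000002900000-0x0000000002A00000-memory.dmp",
]

# Assumption: path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Default image base the MSVC linker assigns to a 32-bit DLL.
DEFAULT_X86_DLL_BASE = 0x10000000

RUNDLL32_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)
DUMP_RE = re.compile(r"(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<entry>' into the DLL path and the export it calls."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll, entry = m.group(1).strip(), m.group(2)
    return {"dll": dll, "entry": entry, "by_ordinal": entry.startswith("#")}


def parse_werfault(cmdline):
    """Pull the PID and handle values out of a WerFault.exe command line.

    Assumption: -p is the crashing PID, -s a handle value and -ip the PID passed
    in the -pss (process snapshot) invocation; bare switches are kept as flags.
    """
    tokens = cmdline.split()
    valued = {"-p": "crashed_pid", "-s": "handle", "-ip": "pss_pid"}
    out = {"flags": [t for t in tokens[1:] if t.startswith("-") and t not in valued]}
    for flag, key in valued.items():
        if flag in tokens and tokens.index(flag) + 1 < len(tokens):
            out[key] = int(tokens[tokens.index(flag) + 1])
    return out


def parse_dump(name):
    """Decode '<pid>-<n>-0x<start>-0x<end>-memory.dmp' into pid, range and size."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size": end - start,
            "at_x86_dll_base": start == DEFAULT_X86_DLL_BASE}


def triage(processes, dumps):
    """Cross-reference hosts, crashes and dumps the way an analyst reads the tree."""
    out = {"ordinal_loads": [], "user_writable_dll": [], "crashed_pids": set(),
           "hosts_by_dll": {}, "wow64_handoff": False, "dumps": []}
    for p in processes:
        exe = PureWindowsPath(p["image"]).name.lower()
        if exe == "rundll32.exe":
            info = parse_rundll32(p["cmdline"])
            if info is None:
                continue
            if info["by_ordinal"]:
                out["ordinal_loads"].append(p["pid"])
            if any(frag in info["dll"].lower() for frag in USER_WRITABLE):
                out["user_writable_dll"].append(p["pid"])
            # SysWOW64 holds the 32-bit copies of the system binaries.
            arch = "x86" if "\\syswow64\\" in p["image"].lower() else "x64"
            out["hosts_by_dll"].setdefault(info["dll"].lower(), set()).add(arch)
        elif exe == "werfault.exe":
            wer = parse_werfault(p["cmdline"])
            if "crashed_pid" in wer:
                out["crashed_pids"].add(wer["crashed_pid"])
    # The same DLL in both hosts means the 64-bit rundll32 could not load it and
    # re-launched the SysWOW64 copy: the DLL is 32-bit.
    out["wow64_handoff"] = any(a == {"x86", "x64"} for a in out["hosts_by_dll"].values())
    for name in dumps:
        info = parse_dump(name)
        if info:
            info["from_crashed_process"] = info["pid"] in out["crashed_pids"]
            out["dumps"].append(info)
    return out


if __name__ == "__main__":
    for key, value in triage(PROCESSES, DUMPS).items():
        print(f"{key}: {value}")
```

Run against the report's records this yields one crashed PID (1372), both rundll32 hosts flagged for an ordinal export from a user-writable path, a confirmed WoW64 hand-off, and a first dump of 0x22000 bytes sitting exactly at the 32-bit DLL base inside the crashed process. The practical follow-up is static: the DLL died at or shortly after its entry point in the 32-bit host, so the next step is to open the dump or the original file in a disassembler and look at what ordinal 1 and DllMain do before the fault, rather than to treat the 3/10 score as a clean bill.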
