Analysis
-
max time kernel
156s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2023 14:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
74a1e4f8c48502f4cf6bdf1ff5c842a8.exe
Resource
win7-20231215-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral2
Sample
74a1e4f8c48502f4cf6bdf1ff5c842a8.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
74a1e4f8c48502f4cf6bdf1ff5c842a8.exe
-
Size
691KB
-
MD5
74a1e4f8c48502f4cf6bdf1ff5c842a8
-
SHA1
ac709a266cb8afaf136986e5e5f93a37ba22c410
-
SHA256
c4dc5ce27a5d56ed4c621fc17dc8febb54acd0db97788d6c539b9ae026d0d8a4
-
SHA512
b26bf7cd4c00548d2e0e8d6fd601f3bfac9491a69a37046932bf144a2ccc29117413b3f4169498b357e94d596ce1dfbeae4a42d91da713dfc4df77e45bb936f7
-
SSDEEP
12288:44I1R/pP6USobBbcY4JiOBRXjIjO8Zsq4nss:44EREUSobBbeJ7RCZN4ss
Score
6/10
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 74a1e4f8c48502f4cf6bdf1ff5c842a8.exe
Processes
Network
-
Remote address:8.8.8.8:53Request17.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request199.178.17.96.in-addr.arpaIN PTRResponse199.178.17.96.in-addr.arpaIN PTRa96-17-178-199deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request199.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request199.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request199.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requestdownloads.seekmo.comIN AResponsedownloads.seekmo.comIN A3.64.163.50
-
Remote address:3.64.163.50:80RequestGET /downloads/aa/aa/bb.htm HTTP/1.1
Host: downloads.seekmo.com
User-Agent: Microsoft-ATL-Native/10.00
ResponseHTTP/1.1 410 Gone
Date: Sat, 06 Jan 2024 16:39:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request50.163.64.3.in-addr.arpaIN PTRResponse50.163.64.3.in-addr.arpaIN PTRec2-3-64-163-50eu-central-1compute amazonawscom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttei.fivemillionfriends.comIN AResponse
-
Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttei.fivemillionfriends.comIN AResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request178.223.142.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request182.178.17.96.in-addr.arpaIN PTRResponse182.178.17.96.in-addr.arpaIN PTRa96-17-178-182deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request182.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request182.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request182.178.17.96.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request178.178.17.96.in-addr.arpaIN PTRResponse178.178.17.96.in-addr.arpaIN PTRa96-17-178-178deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request11.179.89.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request11.179.89.13.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request11.179.89.13.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN A
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN A
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 376372
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 85B2CD02019B4CD58937EC58F2DCD7CF Ref B: LON04EDGE0611 Ref C: 2024-01-06T16:41:48Z
date: Sat, 06 Jan 2024 16:41:48 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 401290
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 25A5AA05061D4D2180DC55D7F92AFB91 Ref B: LON04EDGE0611 Ref C: 2024-01-06T16:41:48Z
date: Sat, 06 Jan 2024 16:41:48 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 581984
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7B0E926073914275AB591F6250AD1CE2 Ref B: LON04EDGE0611 Ref C: 2024-01-06T16:41:49Z
date: Sat, 06 Jan 2024 16:41:48 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 534250
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 92BDEBAD55C74F7C878D85EC20CF8560 Ref B: LON04EDGE0611 Ref C: 2024-01-06T16:41:49Z
date: Sat, 06 Jan 2024 16:41:48 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301111_1DKW3SIPELFG6R5I0&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301111_1DKW3SIPELFG6R5I0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 147718
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3ECCC7AAC9D341668BBD42A44C6114A8 Ref B: LON04EDGE0611 Ref C: 2024-01-06T16:41:49Z
date: Sat, 06 Jan 2024 16:41:48 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301544_150BJDG31FJ0ZNF34&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301544_150BJDG31FJ0ZNF34&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 134030
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 771B5EC3EEFD40218717F6F06C4DB287 Ref B: LON04EDGE0611 Ref C: 2024-01-06T16:41:51Z
date: Sat, 06 Jan 2024 16:41:51 GMT
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTR
-
104 B 2
-
3.64.163.50:80http://downloads.seekmo.com/downloads/aa/aa/bb.htmhttp74a1e4f8c48502f4cf6bdf1ff5c842a8.exe338 B 471 B 5 4
HTTP Request
GET http://downloads.seekmo.com/downloads/aa/aa/bb.htmHTTP Response
410 -
1.4kB 8.3kB 19 14
-
1.4kB 8.4kB 19 15
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239317301544_150BJDG31FJ0ZNF34&pid=21.2&w=1080&h=1920&c=4tls, http283.5kB 2.3MB 1649 1639
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300964_1C92FDN74123R86HE&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301397_1RRG7O37Z0P13Z6K4&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301111_1DKW3SIPELFG6R5I0&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301544_150BJDG31FJ0ZNF34&pid=21.2&w=1080&h=1920&c=4HTTP Response
200 -
1.3kB 8.3kB 18 14
-
1.4kB 8.3kB 19 14
-
72 B 158 B 1 1
DNS Request
17.160.190.20.in-addr.arpa
-
288 B 137 B 4 1
DNS Request
199.178.17.96.in-addr.arpa
DNS Request
199.178.17.96.in-addr.arpa
DNS Request
199.178.17.96.in-addr.arpa
DNS Request
199.178.17.96.in-addr.arpa
-
66 B 82 B 1 1
DNS Request
downloads.seekmo.com
DNS Response
3.64.163.50
-
70 B 134 B 1 1
DNS Request
50.163.64.3.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 145 B 1 1
DNS Request
tei.fivemillionfriends.com
-
71 B 157 B 1 1
DNS Request
2.136.104.51.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
72 B 145 B 1 1
DNS Request
tei.fivemillionfriends.com
-
142 B 157 B 2 1
DNS Request
198.187.3.20.in-addr.arpa
DNS Request
198.187.3.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
178.223.142.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
284 B 157 B 4 1
DNS Request
59.128.231.4.in-addr.arpa
DNS Request
59.128.231.4.in-addr.arpa
DNS Request
59.128.231.4.in-addr.arpa
DNS Request
59.128.231.4.in-addr.arpa
-
288 B 137 B 4 1
DNS Request
182.178.17.96.in-addr.arpa
DNS Request
182.178.17.96.in-addr.arpa
DNS Request
182.178.17.96.in-addr.arpa
DNS Request
182.178.17.96.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
178.178.17.96.in-addr.arpa
-
146 B 147 B 2 1
DNS Request
158.240.127.40.in-addr.arpa
DNS Request
158.240.127.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
213 B 145 B 3 1
DNS Request
11.179.89.13.in-addr.arpa
DNS Request
11.179.89.13.in-addr.arpa
DNS Request
11.179.89.13.in-addr.arpa
-
186 B 173 B 3 1
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
219 B 106 B 3 1
DNS Request
200.197.79.204.in-addr.arpa
DNS Request
200.197.79.204.in-addr.arpa
DNS Request
200.197.79.204.in-addr.arpa