Analysis

  • max time kernel
    140s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 07:15 UTC

General

  • Target

    11e1f351761be053235e0c81838d30c3.exe

  • Size

    298KB

  • MD5

    11e1f351761be053235e0c81838d30c3

  • SHA1

    07e9e0345dcb5220f8997246c4b07ca737353bcd

  • SHA256

    5d3997c7f234df5fff4d3c8ca34628ea86b1661e52367df40ef97dc8b9fb7407

  • SHA512

    fac6ba718581ed735251f6c02580a0993318f09f8a89f2df1a5a7ffcbd6562a394d8a8ae5225936f7f12973b1417efafb973af99843c6559a4e8117f719a1759

  • SSDEEP

    6144:6qvh9fzMfF1/uISHy+m7CswhewVbsOLaWLaQ:6qTuF1/ufHy+m7ZwowmgaWLaQ

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11e1f351761be053235e0c81838d30c3.exe
    "C:\Users\Admin\AppData\Local\Temp\11e1f351761be053235e0c81838d30c3.exe"
    1⤵
    • Drops file in Windows directory
    PID:668

Network

  • flag-us
    DNS
    4.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.181.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    get-multiple.link
    11e1f351761be053235e0c81838d30c3.exe
    Remote address:
    8.8.8.8:53
    Request
    get-multiple.link
    IN A
    Response
  • flag-us
    DNS
    get-multiple.link
    11e1f351761be053235e0c81838d30c3.exe
    Remote address:
    8.8.8.8:53
    Request
    get-multiple.link
    IN A
  • flag-us
    DNS
    get-multiple.link
    11e1f351761be053235e0c81838d30c3.exe
    Remote address:
    8.8.8.8:53
    Request
    get-multiple.link
    IN A
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    center-ring.info
    11e1f351761be053235e0c81838d30c3.exe
    Remote address:
    8.8.8.8:53
    Request
    center-ring.info
    IN A
    Response
  • flag-us
    DNS
    ringmynorth.biz
    11e1f351761be053235e0c81838d30c3.exe
    Remote address:
    8.8.8.8:53
    Request
    ringmynorth.biz
    IN A
    Response
  • flag-us
    DNS
    ringmynorth.biz
    11e1f351761be053235e0c81838d30c3.exe
    Remote address:
    8.8.8.8:53
    Request
    ringmynorth.biz
    IN A
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173deploystaticakamaitechnologiescom
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    178.223.142.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    178.223.142.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.99.105.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.99.105.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301233_1DW93FPGEP2PWMOD7&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301233_1DW93FPGEP2PWMOD7&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 301043
    content-type: image/jpeg
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4D5123855B3B4247A84CBA791AFAC992 Ref B: LON04EDGE0615 Ref C: 2024-01-01T08:16:09Z
    date: Mon, 01 Jan 2024 08:16:09 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301642_146AN3TCLR6376QGX&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301642_146AN3TCLR6376QGX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 272929
    content-type: image/jpeg
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5183804E849F40098CB74A5C338E169C Ref B: LON04EDGE0615 Ref C: 2024-01-01T08:16:09Z
    date: Mon, 01 Jan 2024 08:16:09 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301177_16YAE1SE4HL4IACWN&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301177_16YAE1SE4HL4IACWN&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 396695
    content-type: image/jpeg
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9458980E3488444C8446A679FC9D0C11 Ref B: LON04EDGE0615 Ref C: 2024-01-01T08:16:12Z
    date: Mon, 01 Jan 2024 08:16:11 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301536_1KEHL2APX3BZOFBAK&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301536_1KEHL2APX3BZOFBAK&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 425124
    content-type: image/jpeg
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 66C9DF2494B44C79A7928C45414BF0CA Ref B: LON04EDGE0615 Ref C: 2024-01-01T08:16:12Z
    date: Mon, 01 Jan 2024 08:16:11 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301103_1AT2QBQ1Q6ANODZ4C&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301103_1AT2QBQ1Q6ANODZ4C&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 470736
    content-type: image/jpeg
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 979AFEE0469E454E960F9E0E213F1DBC Ref B: LON04EDGE0615 Ref C: 2024-01-01T08:16:12Z
    date: Mon, 01 Jan 2024 08:16:11 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301586_18O1A0ED10HUC74L1&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301586_18O1A0ED10HUC74L1&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194deploystaticakamaitechnologiescom
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    131.109.69.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    131.109.69.13.in-addr.arpa
    IN PTR
    Response
  • 20.231.121.79:80
    52 B
    1
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    8.9kB
    18
    16
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.6kB
    8.4kB
    19
    16
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301586_18O1A0ED10HUC74L1&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    55.3kB
    1.5MB
    1145
    1140

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301233_1DW93FPGEP2PWMOD7&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301642_146AN3TCLR6376QGX&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301177_16YAE1SE4HL4IACWN&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301536_1KEHL2APX3BZOFBAK&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301103_1AT2QBQ1Q6ANODZ4C&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301586_18O1A0ED10HUC74L1&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.6kB
    8.4kB
    19
    16
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.6kB
    8.4kB
    19
    16
  • 8.8.8.8:53
    4.181.190.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    4.181.190.20.in-addr.arpa

    DNS Request

    4.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    get-multiple.link
    dns
    11e1f351761be053235e0c81838d30c3.exe
    189 B
    136 B
    3
    1

    DNS Request

    get-multiple.link

    DNS Request

    get-multiple.link

    DNS Request

    get-multiple.link

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    center-ring.info
    dns
    11e1f351761be053235e0c81838d30c3.exe
    62 B
    141 B
    1
    1

    DNS Request

    center-ring.info

  • 8.8.8.8:53
    ringmynorth.biz
    dns
    11e1f351761be053235e0c81838d30c3.exe
    122 B
    123 B
    2
    1

    DNS Request

    ringmynorth.biz

    DNS Request

    ringmynorth.biz

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    178.223.142.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    178.223.142.52.in-addr.arpa

  • 8.8.8.8:53
    58.99.105.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    58.99.105.20.in-addr.arpa

    DNS Request

    58.99.105.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    248 B
    173 B
    4
    1

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    194.178.17.96.in-addr.arpa

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    131.109.69.13.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    131.109.69.13.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/668-0-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

    Filesize

    64KB

  • memory/668-1-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

    Filesize

    64KB

  • memory/668-2-0x00000000015E0000-0x00000000016E0000-memory.dmp

    Filesize

    1024KB

  • memory/668-4-0x00000000016E0000-0x000000000170F000-memory.dmp

    Filesize

    188KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.