Analysis

  • max time kernel
    145s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 13:26 UTC

General

  • Target

    37f2ca8cc37e7c421928cb47284d5346.exe

  • Size

    1.6MB

  • MD5

    37f2ca8cc37e7c421928cb47284d5346

  • SHA1

    ece33c6251fd018379219b0c5e02be2d021aee2b

  • SHA256

    261bb35edc3b664ff1e316ac60d4f432ded57b260e015a8dacea61f09a9870bf

  • SHA512

    6666b764b6970272756168a79d9008625eee9b919b6bb0f715907b7b531e3577da8095238958415cb8f1fe513652ea1103637f4ef14c7cf4c0f582ef92a0f5fe

  • SSDEEP

    49152:Eb5k2L5u3L+zwXrzmVdEquAUx7y+gJ5Ul:EsCMbeyquAoG++Kl

Score
1/10

Malware Config

Signatures

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37f2ca8cc37e7c421928cb47284d5346.exe
    "C:\Users\Admin\AppData\Local\Temp\37f2ca8cc37e7c421928cb47284d5346.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\37f2ca8cc37e7c421928cb47284d5346.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
  • C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 6000
    1⤵
    • Runs ping.exe
    PID:1952

Network

  • flag-us
    DNS
    158.240.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.240.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    1.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0C03AAED5C176AF12DABBEEF5DF76BC4; domain=.bing.com; expires=Mon, 03-Feb-2025 17:30:11 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EDB78BEFFE194C3CB4F0028A665D7A72 Ref B: LON04EDGE1016 Ref C: 2024-01-10T17:30:11Z
    date: Wed, 10 Jan 2024 17:30:10 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0C03AAED5C176AF12DABBEEF5DF76BC4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=2WiGuxm2iWP4J5J9SYnKAsiDFoYOiWwbkv8DsMdDclE; domain=.bing.com; expires=Mon, 03-Feb-2025 17:30:12 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 67D45D3525BB4FF795B5DF188A98EB43 Ref B: LON04EDGE1016 Ref C: 2024-01-10T17:30:11Z
    date: Wed, 10 Jan 2024 17:30:11 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0C03AAED5C176AF12DABBEEF5DF76BC4; MSPTC=2WiGuxm2iWP4J5J9SYnKAsiDFoYOiWwbkv8DsMdDclE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1136DC62C91C4DDF9090B121B101AE66 Ref B: LON04EDGE1016 Ref C: 2024-01-10T17:30:12Z
    date: Wed, 10 Jan 2024 17:30:11 GMT
  • flag-us
    DNS
    189.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    189.178.17.96.in-addr.arpa
    IN PTR
    Response
    189.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-189deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    195.233.44.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.233.44.23.in-addr.arpa
    IN PTR
    Response
    195.233.44.23.in-addr.arpa
    IN PTR
    a23-44-233-195deploystaticakamaitechnologiescom
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=
    tls, http2
    2.9kB
    9.7kB
    26
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=

    HTTP Response

    204
  • 96.17.178.176:80
    21.1kB
    434.9kB
    308
    312
  • 52.165.165.26:443
  • 52.165.165.26:443
  • 4.231.128.59:443
  • 4.231.128.59:443
  • 52.165.165.26:443
  • 4.231.128.59:443
  • 13.85.23.206:443
  • 23.44.234.16:80
  • 52.142.223.178:80
  • 52.165.165.26:443
  • 13.85.23.206:443
  • 52.165.165.26:443
  • 52.165.165.26:443
  • 88.221.135.217:80
  • 23.44.234.16:80
  • 20.231.121.79:80
  • 23.37.1.183:80
  • 23.37.1.183:80
  • 20.54.110.119:443
  • 13.85.23.206:443
  • 96.17.178.187:80
  • 96.17.178.187:80
  • 96.17.178.187:80
  • 88.221.135.217:80
  • 88.221.135.217:80
  • 88.221.135.217:80
  • 88.221.135.217:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 88.221.135.217:80
  • 88.221.135.217:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 88.221.135.210:80
  • 88.221.135.217:80
  • 88.221.135.217:80
  • 88.221.135.217:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 88.221.135.217:80
  • 96.17.178.173:80
  • 96.17.178.173:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 52.111.229.43:443
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 88.221.135.210:80
  • 20.74.47.205:443
  • 20.74.47.205:443
  • 20.74.47.205:443
  • 204.79.197.200:443
    g.bing.com
    1.4kB
    41.9kB
    30
    30
  • 204.79.197.200:443
  • 204.79.197.200:443
  • 204.79.197.200:443
  • 204.79.197.200:443
  • 88.221.135.210:80
  • 88.221.134.18:80
  • 88.221.134.18:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 13.85.23.206:443
  • 87.248.205.0:80
  • 87.248.205.0:80
  • 87.248.205.0:80
  • 87.248.205.0:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 87.248.205.0:80
  • 87.248.205.0:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 87.248.205.0:80
  • 87.248.205.0:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 13.85.23.206:443
  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    112 B
    158 B
    2
    1

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    1.181.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    1.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    189.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    189.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    146 B
    106 B
    2
    1

    DNS Request

    200.197.79.204.in-addr.arpa

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    140 B
    156 B
    2
    1

    DNS Request

    9.228.82.20.in-addr.arpa

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    88.156.103.20.in-addr.arpa

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    195.233.44.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    195.233.44.23.in-addr.arpa

  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.