Analysis
-
max time kernel
145s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 13:26 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
37f2ca8cc37e7c421928cb47284d5346.exe
Resource
win7-20231129-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
37f2ca8cc37e7c421928cb47284d5346.exe
Resource
win10v2004-20231215-en
4 signatures
150 seconds
General
-
Target
37f2ca8cc37e7c421928cb47284d5346.exe
-
Size
1.6MB
-
MD5
37f2ca8cc37e7c421928cb47284d5346
-
SHA1
ece33c6251fd018379219b0c5e02be2d021aee2b
-
SHA256
261bb35edc3b664ff1e316ac60d4f432ded57b260e015a8dacea61f09a9870bf
-
SHA512
6666b764b6970272756168a79d9008625eee9b919b6bb0f715907b7b531e3577da8095238958415cb8f1fe513652ea1103637f4ef14c7cf4c0f582ef92a0f5fe
-
SSDEEP
49152:Eb5k2L5u3L+zwXrzmVdEquAUx7y+gJ5Ul:EsCMbeyquAoG++Kl
Score
1/10
Malware Config
Signatures
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1952 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4260 37f2ca8cc37e7c421928cb47284d5346.exe 4260 37f2ca8cc37e7c421928cb47284d5346.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4260 37f2ca8cc37e7c421928cb47284d5346.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4260 wrote to memory of 1868 4260 37f2ca8cc37e7c421928cb47284d5346.exe 22 PID 4260 wrote to memory of 1868 4260 37f2ca8cc37e7c421928cb47284d5346.exe 22 PID 1868 wrote to memory of 1952 1868 cmd.exe 17 PID 1868 wrote to memory of 1952 1868 cmd.exe 17
Processes
-
C:\Users\Admin\AppData\Local\Temp\37f2ca8cc37e7c421928cb47284d5346.exe"C:\Users\Admin\AppData\Local\Temp\37f2ca8cc37e7c421928cb47284d5346.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SYSTEM32\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\37f2ca8cc37e7c421928cb47284d5346.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1868
-
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 60001⤵
- Runs ping.exe
PID:1952
Network
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.a-0001.a-msedge.netg-bing-com.a-0001.a-msedge.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Request1.181.190.20.in-addr.arpaIN PTRResponse
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0C03AAED5C176AF12DABBEEF5DF76BC4; domain=.bing.com; expires=Mon, 03-Feb-2025 17:30:11 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EDB78BEFFE194C3CB4F0028A665D7A72 Ref B: LON04EDGE1016 Ref C: 2024-01-10T17:30:11Z
date: Wed, 10 Jan 2024 17:30:10 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0C03AAED5C176AF12DABBEEF5DF76BC4
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=2WiGuxm2iWP4J5J9SYnKAsiDFoYOiWwbkv8DsMdDclE; domain=.bing.com; expires=Mon, 03-Feb-2025 17:30:12 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 67D45D3525BB4FF795B5DF188A98EB43 Ref B: LON04EDGE1016 Ref C: 2024-01-10T17:30:11Z
date: Wed, 10 Jan 2024 17:30:11 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=Remote address:204.79.197.200:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0C03AAED5C176AF12DABBEEF5DF76BC4; MSPTC=2WiGuxm2iWP4J5J9SYnKAsiDFoYOiWwbkv8DsMdDclE
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1136DC62C91C4DDF9090B121B101AE66 Ref B: LON04EDGE1016 Ref C: 2024-01-10T17:30:12Z
date: Wed, 10 Jan 2024 17:30:11 GMT
-
Remote address:8.8.8.8:53Request189.178.17.96.in-addr.arpaIN PTRResponse189.178.17.96.in-addr.arpaIN PTRa96-17-178-189deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request195.233.44.23.in-addr.arpaIN PTRResponse195.233.44.23.in-addr.arpaIN PTRa23-44-233-195deploystaticakamaitechnologiescom
-
204.79.197.200:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=tls, http22.9kB 9.7kB 26 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=67938039ca764624898e5b66b6a5b935&localId=w:883EF0F5-E343-58F0-299D-1D886ECF4A6A&deviceId=6825827065270825&anid=HTTP Response
204 -
21.1kB 434.9kB 308 312
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
1.4kB 41.9kB 30 30
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
73 B 147 B 1 1
DNS Request
158.240.127.40.in-addr.arpa
-
112 B 158 B 2 1
DNS Request
g.bing.com
DNS Request
g.bing.com
DNS Response
204.79.197.20013.107.21.200
-
71 B 157 B 1 1
DNS Request
1.181.190.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
189.178.17.96.in-addr.arpa
-
146 B 144 B 2 1
DNS Request
95.221.229.192.in-addr.arpa
DNS Request
95.221.229.192.in-addr.arpa
-
146 B 106 B 2 1
DNS Request
200.197.79.204.in-addr.arpa
DNS Request
200.197.79.204.in-addr.arpa
-
140 B 156 B 2 1
DNS Request
9.228.82.20.in-addr.arpa
DNS Request
9.228.82.20.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
88.156.103.20.in-addr.arpa
DNS Request
88.156.103.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
195.233.44.23.in-addr.arpa
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-