Analysis
-
max time kernel
148s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
04-01-2024 20:04
Static task
static1
Behavioral task
behavioral1
Sample
0eb8849564cce6ae74801f923bc97e52.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0eb8849564cce6ae74801f923bc97e52.exe
Resource
win10v2004-20231215-en
General
-
Target
0eb8849564cce6ae74801f923bc97e52.exe
-
Size
538KB
-
MD5
0eb8849564cce6ae74801f923bc97e52
-
SHA1
77e70d251573396481e0305908a83aa12082699a
-
SHA256
434782669aae645047f93e2c0594167286f83633f25b6ddfefbe4bd3edfeb914
-
SHA512
1bbd2627897dfe55574522408b15d86466bd8706dfdba9af9abacca22e11f9c11547dc7120545bba86e459bc18ec5f9cd3402ca9feb971891a7947c1311d082e
-
SSDEEP
12288:+NuaIsd+lbShO2PLOHKwsYyHBsU6lxSnyYxYKSCh3BeQs8D:+oaIzDWLO/sYyHBp6in1xcCh3BeQs8D
Malware Config
Signatures
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Wine 0eb8849564cce6ae74801f923bc97e52.exe
Processes
Network
-
Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.179.17.96.in-addr.arpaIN PTRResponse29.179.17.96.in-addr.arpaIN PTRa96-17-179-29deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request18.53.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request81.171.91.138.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request28.160.77.104.in-addr.arpaIN PTRResponse28.160.77.104.in-addr.arpaIN PTRa104-77-160-28deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN A
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317300950_1CI16BMH94QQ9WZ43&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317300950_1CI16BMH94QQ9WZ43&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 391016
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 94A118CFE3854445A1469677801A46FD Ref B: LON04EDGE1014 Ref C: 2024-01-04T20:06:19Z
date: Thu, 04 Jan 2024 20:06:19 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301383_1L76EFRJ4S38LB1VW&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301383_1L76EFRJ4S38LB1VW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 391501
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 194E85C6076C4BC7B85639D11FA2EE6F Ref B: LON04EDGE1014 Ref C: 2024-01-04T20:06:19Z
date: Thu, 04 Jan 2024 20:06:19 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 508519
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ADA9477E0F694094946BF46A14A4E78A Ref B: LON04EDGE1014 Ref C: 2024-01-04T20:06:19Z
date: Thu, 04 Jan 2024 20:06:19 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301285_1YX3CCWTOZVY6EU1J&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301285_1YX3CCWTOZVY6EU1J&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 387682
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 53212C9A9F4A470B999A34FB087E4F13 Ref B: LON04EDGE1014 Ref C: 2024-01-04T20:06:19Z
date: Thu, 04 Jan 2024 20:06:19 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 390067
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3AA37D5D92CD45F6839AAE09223D141B Ref B: LON04EDGE1014 Ref C: 2024-01-04T20:06:19Z
date: Thu, 04 Jan 2024 20:06:19 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 339880
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4F5971FBF7E3402E98E52966C2636FA9 Ref B: LON04EDGE1014 Ref C: 2024-01-04T20:06:35Z
date: Thu, 04 Jan 2024 20:06:34 GMT
-
Remote address:8.8.8.8:53Request79.121.231.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.1.37.23.in-addr.arpaIN PTRResponse183.1.37.23.in-addr.arpaIN PTRa23-37-1-183deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request119.110.54.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request23.160.77.104.in-addr.arpaIN PTRResponse23.160.77.104.in-addr.arpaIN PTRa104-77-160-23deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request23.160.77.104.in-addr.arpaIN PTRResponse23.160.77.104.in-addr.arpaIN PTRa104-77-160-23deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request4.179.17.96.in-addr.arpaIN PTRResponse4.179.17.96.in-addr.arpaIN PTRa96-17-179-4deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.179.17.96.in-addr.arpaIN PTRResponse11.179.17.96.in-addr.arpaIN PTRa96-17-179-11deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTRResponse134.71.91.104.in-addr.arpaIN PTRa104-91-71-134deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request42.179.17.96.in-addr.arpaIN PTRResponse42.179.17.96.in-addr.arpaIN PTRa96-17-179-42deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request140.179.17.96.in-addr.arpaIN PTRResponse140.179.17.96.in-addr.arpaIN PTRa96-17-179-140deploystaticakamaitechnologiescom
-
1.2kB 8.3kB 16 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4tls, http2108.3kB 2.5MB 1820 1814
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300950_1CI16BMH94QQ9WZ43&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301383_1L76EFRJ4S38LB1VW&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301511_14RJSOYL5IFIBQQUL&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301285_1YX3CCWTOZVY6EU1J&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301078_1O81E4QM35DM2EN4A&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301694_17Y0IRSKKQEXFDPLC&pid=21.2&w=1080&h=1920&c=4HTTP Response
200 -
1.2kB 8.3kB 16 14
-
1.2kB 8.3kB 16 14
-
1.2kB 8.3kB 16 14
-
71 B 157 B 1 1
DNS Request
59.128.231.4.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
29.179.17.96.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
18.53.126.40.in-addr.arpa
-
146 B 144 B 2 1
DNS Request
95.221.229.192.in-addr.arpa
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
81.171.91.138.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.136.104.51.in-addr.arpa
-
140 B 144 B 2 1
DNS Request
18.31.95.13.in-addr.arpa
DNS Request
18.31.95.13.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
28.160.77.104.in-addr.arpa
-
124 B 173 B 2 1
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
72 B 158 B 1 1
DNS Request
79.121.231.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
183.1.37.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
119.110.54.20.in-addr.arpa
DNS Request
119.110.54.20.in-addr.arpa
-
144 B 274 B 2 2
DNS Request
23.160.77.104.in-addr.arpa
DNS Request
23.160.77.104.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
4.179.17.96.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
11.179.17.96.in-addr.arpa
-
216 B 137 B 3 1
DNS Request
134.71.91.104.in-addr.arpa
DNS Request
134.71.91.104.in-addr.arpa
DNS Request
134.71.91.104.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
42.179.17.96.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
140.179.17.96.in-addr.arpa