Analysis
-
max time kernel
124s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12/01/2024, 00:17 UTC
Static task
static1
Behavioral task
behavioral1
Sample
MyPigPrincess.exe
Resource
win10-20231215-en
Behavioral task
behavioral2
Sample
MyPigPrincess.exe
Resource
win10v2004-20231215-en
General
-
Target
MyPigPrincess.exe
-
Size
269KB
-
MD5
0abede34f4b18049c4dc7bddb9bb0080
-
SHA1
d6bfb7ea85482b345499cefd4e41cd7ce604637c
-
SHA256
1648038fd245e6039979f6488029d56b06520d728a237af9ad471ee9d6189c3e
-
SHA512
a4b172d1b3d9e8e5f3aabb5208066c30c03943b7bebfe3c759fc6c6592eca7273f9cec675bb603f6aeef5ff058a4ea4a34ef9ecd4485caeaeef9eb6d5d61cea3
-
SSDEEP
6144:AnAlOPl7hWKsmMrDZ6UhukTUG3EEXMsWtvV2j9OAq8ecUxILImQG8j:YrlNWKsmMrDZ6UhukTUG3EEXMsWtvV2s
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4696 WINWORD.EXE 4696 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 3748 svchost.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4696 WINWORD.EXE 4696 WINWORD.EXE 4696 WINWORD.EXE 4696 WINWORD.EXE 4696 WINWORD.EXE 4696 WINWORD.EXE 4696 WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\MyPigPrincess.exe"C:\Users\Admin\AppData\Local\Temp\MyPigPrincess.exe"1⤵PID:1876
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4696
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:412
Network
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request107.135.221.88.in-addr.arpaIN PTRResponse107.135.221.88.in-addr.arpaIN PTRa88-221-135-107deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request41.110.16.96.in-addr.arpaIN PTRResponse41.110.16.96.in-addr.arpaIN PTRa96-16-110-41deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.134.221.88.in-addr.arpaIN PTRResponse18.134.221.88.in-addr.arpaIN PTRa88-221-134-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request114.110.16.96.in-addr.arpaIN PTRResponse114.110.16.96.in-addr.arpaIN PTRa96-16-110-114deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request130.238.56.23.in-addr.arpaIN PTRResponse130.238.56.23.in-addr.arpaIN PTRa23-56-238-130deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.32.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.65.42.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request205.47.74.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 506638
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FEE183B90A854C579F5AF200746C8A2A Ref B: LON04EDGE0918 Ref C: 2024-01-12T00:19:33Z
date: Fri, 12 Jan 2024 00:19:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301580_1F1XSUIT7JJ8XLYPA&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301580_1F1XSUIT7JJ8XLYPA&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 582460
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 852D5D291E7B4DC39D0468A7E7FD4490 Ref B: LON04EDGE0918 Ref C: 2024-01-12T00:19:33Z
date: Fri, 12 Jan 2024 00:19:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 205233
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 513ACE35E9B04A8997103960A1DD0655 Ref B: LON04EDGE0918 Ref C: 2024-01-12T00:19:33Z
date: Fri, 12 Jan 2024 00:19:32 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 541836
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2D7914EC13464666B50B031B731F00A1 Ref B: LON04EDGE0918 Ref C: 2024-01-12T00:19:33Z
date: Fri, 12 Jan 2024 00:19:33 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301171_1NGPNIQ68LQQ3GSOB&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301171_1NGPNIQ68LQQ3GSOB&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 208770
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 45409B25563B48AF80955B4764269FDC Ref B: LON04EDGE0918 Ref C: 2024-01-12T00:19:34Z
date: Fri, 12 Jan 2024 00:19:33 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 490296
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0395E4EBD30C46FB81D2CB4AD81DF1FE Ref B: LON04EDGE0918 Ref C: 2024-01-12T00:19:35Z
date: Fri, 12 Jan 2024 00:19:34 GMT
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request200.197.79.204.in-addr.arpaIN PTRResponse200.197.79.204.in-addr.arpaIN PTRa-0001a-msedgenet
-
Remote address:8.8.8.8:53Request81.171.91.138.in-addr.arpaIN PTRResponse
-
1.7kB 8.2kB 18 13
-
1.5kB 10.6kB 18 15
-
1.5kB 8.4kB 18 15
-
1.7kB 9.1kB 18 13
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4tls, http295.0kB 2.6MB 1921 1913
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301580_1F1XSUIT7JJ8XLYPA&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301255_1JJTCDF3S80817GOI&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301664_1DL2E71ET3JINATLK&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301171_1NGPNIQ68LQQ3GSOB&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Response
200
-
144 B 158 B 2 1
DNS Request
73.159.190.20.in-addr.arpa
DNS Request
73.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
107.135.221.88.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
41.110.16.96.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
146 B 147 B 2 1
DNS Request
103.169.127.40.in-addr.arpa
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
18.134.221.88.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
114.110.16.96.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
130.238.56.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.32.109.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
88.65.42.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
124 B 346 B 2 2
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
DNS Response
204.79.197.20013.107.21.200
-
146 B 212 B 2 2
DNS Request
200.197.79.204.in-addr.arpa
DNS Request
200.197.79.204.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
81.171.91.138.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202B
MD5dd0c1d22223d8d0e4e271a25a6576eb5
SHA124db1209d718bd8eb443da6eec2ee28d39aaecd8
SHA256c5b636a315f8af0aac9068a2517dbb1fe136a77b9baefd12af102e65b28a13e2
SHA512fe7568b22218c10b268c115f2209ffa8282777e354a9ce0980857879c0364f005fb6af69627e95286a8229191d34e97479498986c657c6d4a394e54731653195