5aa317d3682ff127e1e92d2016c08f94be60937a1b8a210876d931d072386336

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 05:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Job Interview/essential.exe
Size

4.7MB
MD5

4ed5d74a746461d3faa9f96995a1eec8
SHA1

d9d513e6ddfe9e83df4540deed3c421f80c5ec41
SHA256

23f6cefdce551431675506cb1c438feb2c66d38d1c77ebefe0fd5042e677ff80
SHA512

d9d632a337b091ce8682197fb77b29e201fbd3113d988bfa69d6c7f672e05bd958147221afdbaa1baa8269a6d35d8aca522b1011bbd32fa4485427f28dc3f0ed
SSDEEP

98304:adLUEBzjYz067yqu/mnFQOi33nFbO4KSgPTPgS8NAvKBUuYDcvwu3707iQMMvozt:aZ220JyNtjSkQYagF

Score

9^/10

Malware Config

Signatures

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral10/memory/1604-1-0x0000000000500000-0x00000000009C0000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	essential.exe

C:\Users\Admin\AppData\Local\Temp\Job Interview\essential.exe
"C:\Users\Admin\AppData\Local\Temp\Job Interview\essential.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=19296C6FBB8D61073088785BBAAA600F; domain=.bing.com; expires=Tue, 25-Mar-2025 05:31:10 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DF464ABDEA3C47FDBC704972A32ACB83 Ref B: LON04EDGE0621 Ref C: 2024-02-29T05:31:10Z
date: Thu, 29 Feb 2024 05:31:10 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=&tids=15000&adUnitId=11730597

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=&tids=15000&adUnitId=11730597 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=19296C6FBB8D61073088785BBAAA600F; _EDGE_S=SID=0B288A2913736C5028AC9E1D12546D10

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=qxyZrD25cFg72wbjOsiDHqUKNwwW5t0WzKDUABfnw48; domain=.bing.com; expires=Tue, 25-Mar-2025 05:31:10 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4D61901DE9C9462982FF6893C0B6756E Ref B: LON04EDGE0621 Ref C: 2024-02-29T05:31:10Z
date: Thu, 29 Feb 2024 05:31:10 GMT
GET

https://www.bing.com/aes/c.gif?type=mv&reqver=1.0&rg=26ecb922612e493bbbf8e740ff39cbea&tids=15000&med=10&pubId=251978541&TIME=20240226T154025Z&adUnitId=11730597

Remote address:

92.123.128.149:443

Request

GET /aes/c.gif?type=mv&reqver=1.0&rg=26ecb922612e493bbbf8e740ff39cbea&tids=15000&med=10&pubId=251978541&TIME=20240226T154025Z&adUnitId=11730597 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=19296C6FBB8D61073088785BBAAA600F

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2F1A392AB9C9438CBF84F41951EF4FAD Ref B: LON04EDGE0709 Ref C: 2024-02-29T05:31:10Z
content-length: 0
date: Thu, 29 Feb 2024 05:31:10 GMT
set-cookie: _EDGE_S=SID=0B288A2913736C5028AC9E1D12546D10; path=/; httponly; domain=bing.com
set-cookie: MUIDB=19296C6FBB8D61073088785BBAAA600F; path=/; httponly; expires=Tue, 25-Mar-2025 05:31:10 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.95777b5c.1709184670.12e49d6f
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

149.128.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.128.123.92.in-addr.arpa

IN PTR

Response

149.128.123.92.in-addr.arpa

IN PTR

a92-123-128-149deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

interviewportal.ddns.net

essential.exe

Remote address:

8.8.8.8:53

Request

interviewportal.ddns.net

IN A

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

13.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.173.189.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=&tids=15000&adUnitId=11730597

tls, http2

2.3kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8orIAAz5uwBsW_ZuxVZOJGjVUCUy-wT6Ssh6DGSiK6W34Sn8OhYvMHm8Sp-BUpWJtsYvlvQaYrXFfcmASV5dS5UNYoPjwtng6zrkYz-By2GVoH9PuFaCi8IFkrhNmmueL8UbeEDqSDVjVEyNN0ZcGBinmpbyeiNTmUVitfERaKucQHKJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZm9uZWRyaXZlLmxpdmUuY29tJTJmJTNmb2NpZCUzZGNtbTA3YjdkbnU0%26rlid%3D6749f60d6afd13dfc19b93d1da34f6fc&TIME=20240226T154025Z&CID=531098720&EID=&tids=15000&adUnitId=11730597

HTTP Response

204
92.123.128.149:443

https://www.bing.com/aes/c.gif?type=mv&reqver=1.0&rg=26ecb922612e493bbbf8e740ff39cbea&tids=15000&med=10&pubId=251978541&TIME=20240226T154025Z&adUnitId=11730597

tls, http2

1.4kB
5.5kB
17
15

HTTP Request

GET https://www.bing.com/aes/c.gif?type=mv&reqver=1.0&rg=26ecb922612e493bbbf8e740ff39cbea&tids=15000&med=10&pubId=251978541&TIME=20240226T154025Z&adUnitId=11730597

HTTP Response

200

8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

149.128.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

149.128.123.92.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

interviewportal.ddns.net

dns

essential.exe

70 B
130 B
1
1

DNS Request

interviewportal.ddns.net
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

13.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1604-0-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1604-1-0x0000000000500000-0x00000000009C0000-memory.dmp

Filesize
4.8MB

Download
memory/1604-2-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-3-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-4-0x0000000006280000-0x0000000006288000-memory.dmp

Filesize
32KB

Download
memory/1604-5-0x00000000091F0000-0x0000000009228000-memory.dmp

Filesize
224KB

Download
memory/1604-6-0x00000000085F0000-0x00000000085FE000-memory.dmp

Filesize
56KB

Download
memory/1604-7-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-8-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-9-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/1604-10-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-11-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-12-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1604-13-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.