Resubmissions
18-04-2024 05:06
240418-frk11adc2x 1018-04-2024 05:06
240418-frg94sdc2v 1018-04-2024 05:06
240418-frd8fsdb9y 1018-04-2024 05:06
240418-frdlxsbh73 1018-04-2024 05:06
240418-frda6adb9x 10Analysis
-
max time kernel
444s -
max time network
445s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2024 05:06
Static task
static1
Behavioral task
behavioral1
Sample
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
Resource
win7-20240215-en
Behavioral task
behavioral3
Sample
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
Resource
win11-20240412-en
General
-
Target
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
-
Size
527KB
-
MD5
5764f48fdd3277b92114e60010f14fde
-
SHA1
759ca2314be4f0fa951ac4d410f1db79b594dc78
-
SHA256
5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0
-
SHA512
06af25640135771564c18f97294f23b5640991222c20a02004b860694025173c5ac9379e39656d8326da4effb14ef615546fea865ec3745a94f82f64ef311f64
-
SSDEEP
6144:m9X0GPt/p90FOKWU3TDPTuU4ldQZ7OTcaYEQSh9Ty0y6c4H3yEDFDQMb6Ph0VA4B:I02PWw9C6hlSZ6g2G0yKHp1VbWabfBnR
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2868 5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1452 2868 WerFault.exe 85 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2868 wrote to memory of 4104 2868 5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe 94 PID 2868 wrote to memory of 4104 2868 5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe 94 PID 2868 wrote to memory of 4104 2868 5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe"C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe"C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe"2⤵PID:4104
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 9522⤵
- Program crash
PID:1452
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2868 -ip 28681⤵PID:1032
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=33797DBFF5F962552C9869DAF41963BD; domain=.bing.com; expires=Tue, 13-May-2025 05:06:47 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2FB79D28DDD741519FBA2DC0C20020E5 Ref B: LON04EDGE1210 Ref C: 2024-04-18T05:06:47Z
date: Thu, 18 Apr 2024 05:06:47 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=33797DBFF5F962552C9869DAF41963BD
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=bpqMuryY8SYXJ9YCAY9a8Hszup8bacGVuz5jp82SeYA; domain=.bing.com; expires=Tue, 13-May-2025 05:06:47 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 63296B614A5E4C7EA7D88269BA2D627F Ref B: LON04EDGE1210 Ref C: 2024-04-18T05:06:47Z
date: Thu, 18 Apr 2024 05:06:47 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=33797DBFF5F962552C9869DAF41963BD; MSPTC=bpqMuryY8SYXJ9YCAY9a8Hszup8bacGVuz5jp82SeYA
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19C621F1ACD84E019C6522370C674DF6 Ref B: LON04EDGE1210 Ref C: 2024-04-18T05:06:47Z
date: Thu, 18 Apr 2024 05:06:47 GMT
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.154.82.20.in-addr.arpaIN PTRResponse
-
GEThttps://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90Remote address:23.62.61.129:443RequestGET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=33797DBFF5F962552C9869DAF41963BD; MSPTC=bpqMuryY8SYXJ9YCAY9a8Hszup8bacGVuz5jp82SeYA
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 5773
date: Thu, 18 Apr 2024 05:06:48 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.7d3d3e17.1713416808.c02475a
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request67.32.209.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.114.53.23.in-addr.arpaIN PTRResponse21.114.53.23.in-addr.arpaIN PTRa23-53-114-21deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request129.61.62.23.in-addr.arpaIN PTRResponse129.61.62.23.in-addr.arpaIN PTRa23-62-61-129deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request31.121.18.2.in-addr.arpaIN PTRResponse31.121.18.2.in-addr.arpaIN PTRa2-18-121-31deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request18.24.18.2.in-addr.arpaIN PTRResponse18.24.18.2.in-addr.arpaIN PTRa2-18-24-18deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.143.182.52.in-addr.arpaIN PTRResponse
-
204.79.197.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=tls, http22.0kB 9.2kB 21 18
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=HTTP Response
204 -
23.62.61.129:443https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90tls, http21.7kB 11.2kB 20 16
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90HTTP Response
200
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
71 B 157 B 1 1
DNS Request
0.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.154.82.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
67.32.209.4.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
21.114.53.23.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
129.61.62.23.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
31.121.18.2.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
18.24.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
209.143.182.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c