Resubmissions

18-04-2024 05:06

240418-frk11adc2x 10

18-04-2024 05:06

240418-frg94sdc2v 10

18-04-2024 05:06

240418-frd8fsdb9y 10

18-04-2024 05:06

240418-frdlxsbh73 10

18-04-2024 05:06

240418-frda6adb9x 10

Analysis

  • max time kernel
    444s
  • max time network
    445s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 05:06

General

  • Target

    5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe

  • Size

    527KB

  • MD5

    5764f48fdd3277b92114e60010f14fde

  • SHA1

    759ca2314be4f0fa951ac4d410f1db79b594dc78

  • SHA256

    5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0

  • SHA512

    06af25640135771564c18f97294f23b5640991222c20a02004b860694025173c5ac9379e39656d8326da4effb14ef615546fea865ec3745a94f82f64ef311f64

  • SSDEEP

    6144:m9X0GPt/p90FOKWU3TDPTuU4ldQZ7OTcaYEQSh9Ty0y6c4H3yEDFDQMb6Ph0VA4B:I02PWw9C6hlSZ6g2G0yKHp1VbWabfBnR

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
    "C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe
      "C:\Users\Admin\AppData\Local\Temp\5e240877008b5a5cdd5b9f84fb53760ee68268e935588b625f414ad633c727a0.exe"
      2⤵
        PID:4104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 952
        2⤵
        • Program crash
        PID:1452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2868 -ip 2868
      1⤵
        PID:1032

      Network

      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=33797DBFF5F962552C9869DAF41963BD; domain=.bing.com; expires=Tue, 13-May-2025 05:06:47 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 2FB79D28DDD741519FBA2DC0C20020E5 Ref B: LON04EDGE1210 Ref C: 2024-04-18T05:06:47Z
        date: Thu, 18 Apr 2024 05:06:47 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=33797DBFF5F962552C9869DAF41963BD
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=bpqMuryY8SYXJ9YCAY9a8Hszup8bacGVuz5jp82SeYA; domain=.bing.com; expires=Tue, 13-May-2025 05:06:47 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 63296B614A5E4C7EA7D88269BA2D627F Ref B: LON04EDGE1210 Ref C: 2024-04-18T05:06:47Z
        date: Thu, 18 Apr 2024 05:06:47 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=33797DBFF5F962552C9869DAF41963BD; MSPTC=bpqMuryY8SYXJ9YCAY9a8Hszup8bacGVuz5jp82SeYA
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 19C621F1ACD84E019C6522370C674DF6 Ref B: LON04EDGE1210 Ref C: 2024-04-18T05:06:47Z
        date: Thu, 18 Apr 2024 05:06:47 GMT
      • flag-us
        DNS
        0.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
        Response
      • flag-nl
        GET
        https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
        Remote address:
        23.62.61.129:443
        Request
        GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=33797DBFF5F962552C9869DAF41963BD; MSPTC=bpqMuryY8SYXJ9YCAY9a8Hszup8bacGVuz5jp82SeYA
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 5773
        date: Thu, 18 Apr 2024 05:06:48 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.7d3d3e17.1713416808.c02475a
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        26.35.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.35.223.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        67.32.209.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        67.32.209.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        21.114.53.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.114.53.23.in-addr.arpa
        IN PTR
        Response
        21.114.53.23.in-addr.arpa
        IN PTR
        a23-53-114-21deploystaticakamaitechnologiescom
      • flag-us
        DNS
        129.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        129.61.62.23.in-addr.arpa
        IN PTR
        Response
        129.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-129deploystaticakamaitechnologiescom
      • flag-us
        DNS
        103.169.127.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        103.169.127.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        56.126.166.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.126.166.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        31.121.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        31.121.18.2.in-addr.arpa
        IN PTR
        Response
        31.121.18.2.in-addr.arpa
        IN PTR
        a2-18-121-31deploystaticakamaitechnologiescom
      • flag-us
        DNS
        18.24.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.24.18.2.in-addr.arpa
        IN PTR
        Response
        18.24.18.2.in-addr.arpa
        IN PTR
        a2-18-24-18deploystaticakamaitechnologiescom
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.143.182.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.143.182.52.in-addr.arpa
        IN PTR
        Response
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        tls, http2
        2.0kB
        9.2kB
        21
        18

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d2b5aca099084c8fa8a96afe12195b6b&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=

        HTTP Response

        204
      • 23.62.61.129:443
        https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
        tls, http2
        1.7kB
        11.2kB
        20
        16

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

        HTTP Response

        200
      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        151 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        0.159.190.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        0.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        241.154.82.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.154.82.20.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
        143 B
        1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        26.35.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        26.35.223.20.in-addr.arpa

      • 8.8.8.8:53
        67.32.209.4.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        67.32.209.4.in-addr.arpa

      • 8.8.8.8:53
        21.114.53.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        21.114.53.23.in-addr.arpa

      • 8.8.8.8:53
        129.61.62.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        129.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        103.169.127.40.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        103.169.127.40.in-addr.arpa

      • 8.8.8.8:53
        56.126.166.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        56.126.166.20.in-addr.arpa

      • 8.8.8.8:53
        31.121.18.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        31.121.18.2.in-addr.arpa

      • 8.8.8.8:53
        18.24.18.2.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        18.24.18.2.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

      • 8.8.8.8:53
        209.143.182.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        209.143.182.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsf8732.tmp\System.dll

        Filesize

        11KB

        MD5

        fccff8cb7a1067e23fd2e2b63971a8e1

        SHA1

        30e2a9e137c1223a78a0f7b0bf96a1c361976d91

        SHA256

        6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

        SHA512

        f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.