474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 06:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll
Size

2.2MB
MD5

feb0bf5b0d7f6820c330fa45091cd189
SHA1

a1f50429415bc7cbf1706c22dfdca734173fb9ac
SHA256

474fe0f75ec639814eac17468c8ce29908ed30f3665457d864cffa6540047ea0
SHA512

07f208c66899c0f298037dd8aab4d772e2ef6321a36519112e5d677170a58ee19d69e8a397ae0cb485cc1f2c71d82b55c004d96cf40c459fbda3b405602670f8
SSDEEP

24576:52WdDKT6lr1CDu2ruh59hmxxJNOjOAUBJjlD4qH5vlalua2UotfG6o:53DlBEidgxJN5AejlD4uvlab2UotfG

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe vchelp.exe"	Regedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4792	rundll32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\QFTKBVLATWCGCX.DLL	rundll32.exe
File opened for modification	C:\WINDOWS\SysWOW64\wbem\ELPMGWT.MDA	rundll32.exe
File created	C:\Windows\SysWOW64\arun.reg	rundll32.exe
File opened for modification	C:\windows\SysWOW64\QFTKBVLATWCGCX.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\11D18gXgg.dll	rundll32.exe
File created	C:\WINDOWS\SysWOW64\wbem\ELPMGWT.MDA	rundll32.exe
File created	C:\windows\SysWOW64\KBQGA.DLL	rundll32.exe
File created	C:\windows\SysWOW64\VNXKOW.LDO	rundll32.exe
File created	C:\Windows\SysWOW64\11D18gXgg.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
3296	Regedit.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4792	5000	rundll32.exe	86
PID 5000 wrote to memory of 4792	5000	rundll32.exe	86
PID 5000 wrote to memory of 4792	5000	rundll32.exe	86
PID 4792 wrote to memory of 4520	4792	rundll32.exe	87
PID 4792 wrote to memory of 4520	4792	rundll32.exe	87
PID 4792 wrote to memory of 4520	4792	rundll32.exe	87
PID 4792 wrote to memory of 3960	4792	rundll32.exe	88
PID 4792 wrote to memory of 3960	4792	rundll32.exe	88
PID 4792 wrote to memory of 3960	4792	rundll32.exe	88
PID 4792 wrote to memory of 3360	4792	rundll32.exe	89
PID 4792 wrote to memory of 3360	4792	rundll32.exe	89
PID 4792 wrote to memory of 3360	4792	rundll32.exe	89
PID 4792 wrote to memory of 3160	4792	rundll32.exe	90
PID 4792 wrote to memory of 3160	4792	rundll32.exe	90
PID 4792 wrote to memory of 3160	4792	rundll32.exe	90
PID 4792 wrote to memory of 3932	4792	rundll32.exe	91
PID 4792 wrote to memory of 3932	4792	rundll32.exe	91
PID 4792 wrote to memory of 3932	4792	rundll32.exe	91
PID 4792 wrote to memory of 3296	4792	rundll32.exe	100
PID 4792 wrote to memory of 3296	4792	rundll32.exe	100
PID 4792 wrote to memory of 3296	4792	rundll32.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\feb0bf5b0d7f6820c330fa45091cd189_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\Regedit.exe
    Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:3296

Network

DNS

wallcoo.com

rundll32.exe

Remote address:

8.8.8.8:53

Request

wallcoo.com

IN A

Response

wallcoo.com

IN A

54.39.24.10
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0604FC28447661773DCDE84045966055; domain=.bing.com; expires=Fri, 16-May-2025 06:48:02 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6F471EF7FF5341AF95A929978786C6E2 Ref B: LON04EDGE1206 Ref C: 2024-04-21T06:48:02Z
date: Sun, 21 Apr 2024 06:48:01 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0604FC28447661773DCDE84045966055

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=tttz342nPkQ8mWCtlQSkM6v57Hh8uABqWgeBrLLnsgM; domain=.bing.com; expires=Fri, 16-May-2025 06:48:02 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E0056D0EB9CA4C3CBF7A0C5D01170411 Ref B: LON04EDGE1206 Ref C: 2024-04-21T06:48:02Z
date: Sun, 21 Apr 2024 06:48:01 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0604FC28447661773DCDE84045966055; MSPTC=tttz342nPkQ8mWCtlQSkM6v57Hh8uABqWgeBrLLnsgM

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 37CC5FFC99F64022B00BE2D32D0E0054 Ref B: LON04EDGE1206 Ref C: 2024-04-21T06:48:02Z
date: Sun, 21 Apr 2024 06:48:02 GMT
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR
GET

https://www.bing.com/th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.145:443

Request

GET /th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=0604FC28447661773DCDE84045966055; MSPTC=tttz342nPkQ8mWCtlQSkM6v57Hh8uABqWgeBrLLnsgM
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1299
date: Sun, 21 Apr 2024 06:48:05 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.8d3d3e17.1713682085.7328757
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

21.114.53.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.114.53.23.in-addr.arpa

IN PTR

Response

21.114.53.23.in-addr.arpa

IN PTR

a23-53-114-21deploystaticakamaitechnologiescom
DNS

145.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.61.62.23.in-addr.arpa

IN PTR

Response

145.61.62.23.in-addr.arpa

IN PTR

a23-62-61-145deploystaticakamaitechnologiescom
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

154.173.246.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.173.246.72.in-addr.arpa

IN PTR

Response

154.173.246.72.in-addr.arpa

IN PTR

a72-246-173-154deploystaticakamaitechnologiescom
DNS

154.173.246.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.173.246.72.in-addr.arpa

IN PTR
DNS

198.32.209.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.32.209.4.in-addr.arpa

IN PTR

Response
DNS

198.32.209.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.32.209.4.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR

Response

65.139.73.23.in-addr.arpa

IN PTR

a23-73-139-65deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

49.15.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.15.97.104.in-addr.arpa

IN PTR

Response

49.15.97.104.in-addr.arpa

IN PTR

a104-97-15-49deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B82AF97C265F48EDA0D588C85F3A4B90 Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
date: Sun, 21 Apr 2024 06:49:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 567568328B0145BAAEC0D69D8F7BAFEC Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
date: Sun, 21 Apr 2024 06:49:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C1782DC2BBA940B5BEC0CCA47AB7C257 Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
date: Sun, 21 Apr 2024 06:49:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8C67E0BD642C4F79BC5F749C0CA8E392 Ref B: LON04EDGE0907 Ref C: 2024-04-21T06:49:38Z
date: Sun, 21 Apr 2024 06:49:37 GMT
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response

54.39.24.10:80

wallcoo.com

rundll32.exe

156 B
3
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

tls, http2

2.1kB
9.2kB
23
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b608e38fba84f3c96099cb20cd4c5c4&localId=w:2DB2BB91-D977-19C3-E39A-25A75E13479E&deviceId=6755467521747595&anid=

HTTP Response

204
23.62.61.145:443

https://www.bing.com/th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.5kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239381793954_1BHQ1BWFG78XLZOQQ&pid=21.2&c=16&roil=0.0049&roit=0&roir=0.9951&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
52.111.236.23:443

322 B
7
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

82.8kB
2.4MB
1744
1740

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
17
14

8.8.8.8:53

wallcoo.com

dns

rundll32.exe

57 B
73 B
1
1

DNS Request

wallcoo.com

DNS Response

54.39.24.10
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

140 B
156 B
2
1

DNS Request

9.228.82.20.in-addr.arpa

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

21.114.53.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

21.114.53.23.in-addr.arpa
8.8.8.8:53

145.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

145.61.62.23.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

154.173.246.72.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

154.173.246.72.in-addr.arpa

DNS Request

154.173.246.72.in-addr.arpa
8.8.8.8:53

198.32.209.4.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

198.32.209.4.in-addr.arpa

DNS Request

198.32.209.4.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

65.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

65.139.73.23.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

49.15.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

49.15.97.104.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

88.156.103.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\~Delbat01.bat

Filesize
158B

MD5
b0a27860ea12fd07015510c5c35c7554

SHA1
535e08f7a8759f019fb085554675034faca50bb3

SHA256
1c62ea2659178f376ddcc36492ffc6c4a0c08c78436566f20170bbe3b02d9cd9

SHA512
f4af7e332e6b866501a79cc98a76fa1f1fa3a24d61f27a188b503c64360140dd67e0b9bb60590e8f1b5369413a1cc5d8929ea2f8ff1db843a5d8098aca5c884a

Download Submit
C:\Windows\SysWOW64\11D18gXgg.dll

Filesize
921B

MD5
b7d9db6b08668f6225b47354d1625d57

SHA1
47068158132fe367904bbffe71d6445ba4a87b8d

SHA256
db4a5ad033e9052a1a709ec47e9b1bcd7afb9f3c799ef7c9451871593febb0ff

SHA512
e8bc3753bfb3e82c8e5865be23c8c976d8c7d96db5e5ec5fa80dc1c526f4af5f4e7876a7e1e756db1bff227cbd2d57ac69c7157173c0fe575fb7b345f8d1759e

Download Submit
C:\Windows\SysWOW64\11D18gXgg.dll

Filesize
1KB

MD5
03870ec18f067da58cb6253c2fad3265

SHA1
fb8e064476fb3af2faf3a977835bb3b284cf4a33

SHA256
f2c43e0bb1465011d8b66ddb6c9bd206e37c512d9096546d0990952ac5ada770

SHA512
a3c58f60a0af99d1e5640a663807f5ea0f5a812e15f9ba385a38f93a4267ea6493931aad304645bc158131cfa5fee54052330295d3b2b934f9aa0212b4ca9ef1

Download Submit
C:\Windows\SysWOW64\arun.reg

Filesize
149B

MD5
adfc8b71e83fe2857ee9679492f69327

SHA1
691d668a9bafd29397d07d40f7a9835c2a69995b

SHA256
ce08d9de9b28cee3e147505a99335f3b7f5ab1b82dc009032864c0c1b911cd3c

SHA512
13f37167233bf6b00c0f23174e336f7abfbcded6e7bf8d6d5d146459a74f03cfe96a6e414d5ebfe55967be4c02a3f4e6f23cc2c5333180338a45ad7507ced822

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.