563f35efe9f43a96f093232c71fa17c33d245af3cfd9b3cfe2b0f2f4d2597fce

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 07:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_5cdfabd8cdb2b3eed51679e97d0061bd_cobalt-strike_ryuk.exe
Size

796KB
MD5

5cdfabd8cdb2b3eed51679e97d0061bd
SHA1

236520521f1e6507560ee7ac59524c5ada223518
SHA256

563f35efe9f43a96f093232c71fa17c33d245af3cfd9b3cfe2b0f2f4d2597fce
SHA512

05bebd1058855e94a2d4356b77ea08226533c5c3240e7e6c0ec02e1432a60f0bffe90901c4e2ced29daf34e69b00715fe8fc62da5cbdb22a842558a9e7dc9143
SSDEEP

12288:JXDCAZzP/w24lh12Ylc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:oANw243tc+pFB5z+//ufNRoZW

Score

1^/10

Malware Config

Signatures

C:\Users\Admin\AppData\Local\Temp\2024-04-28_5cdfabd8cdb2b3eed51679e97d0061bd_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_5cdfabd8cdb2b3eed51679e97d0061bd_cobalt-strike_ryuk.exe"
1⤵
PID:2312

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3FAF08B33FBD6B300F3C1CDC3E9A6A9F; domain=.bing.com; expires=Fri, 23-May-2025 07:46:09 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7A203391C46D46128A28982143D667C6 Ref B: LON04EDGE0612 Ref C: 2024-04-28T07:46:09Z
date: Sun, 28 Apr 2024 07:46:08 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3FAF08B33FBD6B300F3C1CDC3E9A6A9F; _EDGE_S=SID=2CE5D7F5880B6D1B327BC39A89436C9A

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=u4vH1KMaZdPvjsBGRVcgSeq17pKQ_7jASfWNvKfm9kw; domain=.bing.com; expires=Fri, 23-May-2025 07:46:09 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 37E436A7C71348CCB963C08E23F76F02 Ref B: LON04EDGE0612 Ref C: 2024-04-28T07:46:09Z
date: Sun, 28 Apr 2024 07:46:09 GMT
GET

https://www.bing.com/aes/c.gif?RG=46ef902865514bd58f826cfd87861027&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134418Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

Remote address:

23.62.61.97:443

Request

GET /aes/c.gif?RG=46ef902865514bd58f826cfd87861027&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134418Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3FAF08B33FBD6B300F3C1CDC3E9A6A9F

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AAC210163A6B4FDE943180DE245BD1A3 Ref B: BRU30EDGE0907 Ref C: 2024-04-28T07:46:09Z
content-length: 0
date: Sun, 28 Apr 2024 07:46:09 GMT
set-cookie: _EDGE_S=SID=2CE5D7F5880B6D1B327BC39A89436C9A; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3FAF08B33FBD6B300F3C1CDC3E9A6A9F; path=/; httponly; expires=Fri, 23-May-2025 07:46:09 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1714290369.17962f9d
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

133.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.190.18.2.in-addr.arpa

IN PTR

Response

133.190.18.2.in-addr.arpa

IN PTR

a2-18-190-133deploystaticakamaitechnologiescom
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

10.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.173.189.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82dUsGtBrQHhkgdw9H4TigDVUCUyts6jB2qlKHztYg1QUcPoLmHTfbsn_WFo79_K9op8-QO8W3pLrlqzl5_j7OMXG31a3lNz57JblJy67Bf3NuYLv_4HcoXAouZ7xmzIOaZ2tYTuCUMh2Gpe1rJ5kS7HJut-gCg5sjWYOSmg8IZuOa8DU%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D1202f7674d43197f82b0914ce23713e5&TIME=20240426T134418Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

HTTP Response

204
23.62.61.97:443

https://www.bing.com/aes/c.gif?RG=46ef902865514bd58f826cfd87861027&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134418Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=46ef902865514bd58f826cfd87861027&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134418Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

133.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

133.190.18.2.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

10.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.173.189.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-0-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2312-7-0x0000000002DA0000-0x0000000002E00000-memory.dmp

Filesize
384KB

Download
memory/2312-1-0x0000000002DA0000-0x0000000002E00000-memory.dmp

Filesize
384KB

Download
memory/2312-12-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2312-11-0x0000000002DA0000-0x0000000002E00000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.