phoenix | 195c8edd53b0bead92afcf59d84011f774471c10f1456242296eac55a40fca76

Analysis

max time kernel
132s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 15:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
Size

1.1MB
MD5

1368c5c6d641570b1402adca6e7be846
SHA1

86f2be85cd5539765cb2929b9b17fc6f81a90673
SHA256

195c8edd53b0bead92afcf59d84011f774471c10f1456242296eac55a40fca76
SHA512

bc711238fb49850a863afa5727aad8325b61bd398d03e15e03083de0c7198d892957e12405c363eae30df43c0d2513f93be512d24fb685a4262177afdb96a084
SSDEEP

24576:6u6Jx3O0c+JY5UZ+XC0kGso/WaKF8lInYSHgWY:MI0c++OCvkGsUWaKBY

Score

10^/10

phoenix collection keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
bhavnatutor.com
Port:
587
Username:
sales@bhavnatutor.com
Password:
Onyeoba111

Signatures

Phoenix Keylogger
Phoenix is a keylogger and info stealer first seen in July 2019.
stealer keylogger phoenix

Phoenix Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/2524-7-0x0000000005930000-0x0000000005968000-memory.dmp	family_phoenix

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ifconfig.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	84

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	MSBuild.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	84
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	84
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	84
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	84
PID 1832 wrote to memory of 2524	1832	1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1368c5c6d641570b1402adca6e7be846_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2524

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

ifconfig.me

MSBuild.exe

Remote address:

8.8.8.8:53

Request

ifconfig.me

IN A

Response

ifconfig.me

IN A

34.117.118.44
GET

http://ifconfig.me/ip

MSBuild.exe

Remote address:

34.117.118.44:80

Request

GET /ip HTTP/1.1
Host: ifconfig.me
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: fasthttp
date: Sat, 04 May 2024 15:48:33 GMT
content-type: text/plain
Content-Length: 14
access-control-allow-origin: *
via: 1.1 google
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=30FA5233703E6CE70BA2464671DE6D49; domain=.bing.com; expires=Thu, 29-May-2025 15:48:35 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E7ABFB211EF2447BB54898272E53EB3F Ref B: LON04EDGE1022 Ref C: 2024-05-04T15:48:35Z
date: Sat, 04 May 2024 15:48:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=30FA5233703E6CE70BA2464671DE6D49

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=o6FmlZVDH--uCT4DUqi322T4RCoxQKit5NZYYG6qYj4; domain=.bing.com; expires=Thu, 29-May-2025 15:48:35 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0C9834F411FF4A95982A76A68381040B Ref B: LON04EDGE1022 Ref C: 2024-05-04T15:48:35Z
date: Sat, 04 May 2024 15:48:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=30FA5233703E6CE70BA2464671DE6D49; MSPTC=o6FmlZVDH--uCT4DUqi322T4RCoxQKit5NZYYG6qYj4

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E7DBEECE01544DC893738C58EB35BA4D Ref B: LON04EDGE1022 Ref C: 2024-05-04T15:48:35Z
date: Sat, 04 May 2024 15:48:34 GMT
DNS

44.118.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.118.117.34.in-addr.arpa

IN PTR

Response

44.118.117.34.in-addr.arpa

IN PTR

4411811734bcgoogleusercontentcom
DNS

44.118.117.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.118.117.34.in-addr.arpa

IN PTR
DNS

bhavnatutor.com

MSBuild.exe

Remote address:

8.8.8.8:53

Request

bhavnatutor.com

IN A

Response

bhavnatutor.com

IN A

162.211.86.20
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

20.86.211.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.86.211.162.in-addr.arpa

IN PTR

Response

20.86.211.162.in-addr.arpa

IN PTR

hostfastnixbiz
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.106:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=30FA5233703E6CE70BA2464671DE6D49; MSPTC=o6FmlZVDH--uCT4DUqi322T4RCoxQKit5NZYYG6qYj4
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sat, 04 May 2024 15:48:39 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.663d3e17.1714837719.f2084c9
DNS

106.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.61.62.23.in-addr.arpa

IN PTR

Response

106.61.62.23.in-addr.arpa

IN PTR

a23-62-61-106deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

137.191.110.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.191.110.104.in-addr.arpa

IN PTR

Response

137.191.110.104.in-addr.arpa

IN PTR

a104-110-191-137deploystaticakamaitechnologiescom
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CAB2C3E393794303ACB307785E13D882 Ref B: LON04EDGE0918 Ref C: 2024-05-04T15:50:12Z
date: Sat, 04 May 2024 15:50:12 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2588EED46B9A4623ABF96863012D715B Ref B: LON04EDGE0918 Ref C: 2024-05-04T15:50:12Z
date: Sat, 04 May 2024 15:50:12 GMT

34.117.118.44:80

http://ifconfig.me/ip

http

MSBuild.exe

339 B
355 B
6
4

HTTP Request

GET http://ifconfig.me/ip

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

tls, http2

2.0kB
9.2kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f89f95bc6f74457aa9ece4c569e5d422&localId=w:D3F44B69-51EC-77F5-ABEE-EFD974F351D8&deviceId=6755467847604707&anid=

HTTP Response

204
162.211.86.20:587

bhavnatutor.com

smtp-submission

MSBuild.exe

1.1kB
4.4kB
13
16
23.62.61.106:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.3kB
17
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

51.5kB
1.5MB
1077
1074

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

ifconfig.me

dns

MSBuild.exe

57 B
73 B
1
1

DNS Request

ifconfig.me

DNS Response

34.117.118.44
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

44.118.117.34.in-addr.arpa

dns

144 B
124 B
2
1

DNS Request

44.118.117.34.in-addr.arpa

DNS Request

44.118.117.34.in-addr.arpa
8.8.8.8:53

bhavnatutor.com

dns

MSBuild.exe

61 B
77 B
1
1

DNS Request

bhavnatutor.com

DNS Response

162.211.86.20
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

20.86.211.162.in-addr.arpa

dns

72 B
102 B
1
1

DNS Request

20.86.211.162.in-addr.arpa
8.8.8.8:53

106.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

106.61.62.23.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

137.191.110.104.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

137.191.110.104.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x00000000017E0000-0x00000000017FF000-memory.dmp

Filesize
124KB

Download
memory/1832-1-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/2524-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-6-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/2524-7-0x0000000005930000-0x0000000005968000-memory.dmp

Filesize
224KB

Download
memory/2524-8-0x0000000006240000-0x00000000067E4000-memory.dmp

Filesize
5.6MB

Download
memory/2524-9-0x0000000005D70000-0x0000000005E0C000-memory.dmp

Filesize
624KB

Download
memory/2524-10-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/2524-11-0x00000000067F0000-0x0000000006856000-memory.dmp

Filesize
408KB

Download
memory/2524-12-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/2524-13-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/2524-14-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/2524-15-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.