e4aa59cadd3b9ec0eb55d96fa4a1e2d44eb8b0f654c342c1ec9f0d7fbf1405ce

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 00:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe
Size

3.6MB
MD5

46117be399d6c9cda28a90eac4a560dc
SHA1

92a08e390cacc10500a4ef99ea69142c94a6d96a
SHA256

e4aa59cadd3b9ec0eb55d96fa4a1e2d44eb8b0f654c342c1ec9f0d7fbf1405ce
SHA512

a6bcb7a05cd708b59f5abc612a558eb636731baaca47b8ea0448648c4f14cdcc400631c9f492941940704f04b2f9acca17074d550af55ded2951fffb8949662e
SSDEEP

98304:gt4aYo4EQz0pscuHh3OFumPPrzgpkFLOAkGkzdnEVomFHKnPwX:gBBM2vFPrzgOFLOyomFHKnPwX

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b49-1.dat	UPX
behavioral2/memory/3208-3-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/3208-14-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b49-1.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b49-1.dat	upx
behavioral2/memory/3208-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3208-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe
3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe
3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe
3208	2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3208

Network

DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

5isohu.com

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Remote address:

8.8.8.8:53

Request

5isohu.com

IN A

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=06C0D878A1BF67961A36CC0EA09866AE; domain=.bing.com; expires=Fri, 30-May-2025 00:34:19 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0EA90380021A4A4790032237AD51023A Ref B: LON04EDGE0713 Ref C: 2024-05-05T00:34:19Z
date: Sun, 05 May 2024 00:34:19 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=06C0D878A1BF67961A36CC0EA09866AE

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=TV0PatcYcWjX9CMj5uDQ0OxaaMK4wuADo7z9ntcLo60; domain=.bing.com; expires=Fri, 30-May-2025 00:34:19 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D809488862AE41D2ACD83C892FFAE72F Ref B: LON04EDGE0713 Ref C: 2024-05-05T00:34:19Z
date: Sun, 05 May 2024 00:34:19 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=06C0D878A1BF67961A36CC0EA09866AE; MSPTC=TV0PatcYcWjX9CMj5uDQ0OxaaMK4wuADo7z9ntcLo60

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 24E7FD6AD5B04B03AD8AC7AECCB96BB9 Ref B: LON04EDGE0713 Ref C: 2024-05-05T00:34:19Z
date: Sun, 05 May 2024 00:34:19 GMT
DNS

www.aieov.com

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Remote address:

8.8.8.8:53

Request

www.aieov.com

IN A

Response

www.aieov.com

IN A

45.56.79.23

www.aieov.com

IN A

198.58.118.167

www.aieov.com

IN A

45.33.23.183

www.aieov.com

IN A

96.126.123.244

www.aieov.com

IN A

45.79.19.196

www.aieov.com

IN A

45.33.2.79

www.aieov.com

IN A

173.255.194.134

www.aieov.com

IN A

72.14.185.43

www.aieov.com

IN A

45.33.18.44

www.aieov.com

IN A

45.33.30.197

www.aieov.com

IN A

72.14.178.174

www.aieov.com

IN A

45.33.20.235
GET

http://www.aieov.com/logo.gif

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Remote address:

45.56.79.23:80

Request

GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com

Response

HTTP/1.1 403 Forbidden

server: openresty/1.13.6.1
date: Sun, 05 May 2024 00:34:19 GMT
content-type: text/html
content-length: 175
connection: close
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

23.79.56.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.79.56.45.in-addr.arpa

IN PTR

Response

23.79.56.45.in-addr.arpa

IN PTR

li929-23memberslinodecom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.194:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=06C0D878A1BF67961A36CC0EA09866AE; MSPTC=TV0PatcYcWjX9CMj5uDQ0OxaaMK4wuADo7z9ntcLo60
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sun, 05 May 2024 00:34:21 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1714869261.1a719175
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
GET

http://www.aieov.com/logo.gif

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Remote address:

45.56.79.23:80

Request

GET /logo.gif HTTP/1.1
Accept: */*
Host: www.aieov.com

Response

HTTP/1.1 403 Forbidden

server: openresty/1.13.6.1
date: Sun, 05 May 2024 00:34:24 GMT
content-type: text/html
content-length: 175
connection: close
DNS

5isohu.com

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

Remote address:

8.8.8.8:53

Request

5isohu.com

IN A

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

24.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.121.18.2.in-addr.arpa

IN PTR

Response

24.121.18.2.in-addr.arpa

IN PTR

a2-18-121-24deploystaticakamaitechnologiescom
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

51.15.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

51.15.97.104.in-addr.arpa

IN PTR

Response

51.15.97.104.in-addr.arpa

IN PTR

a104-97-15-51deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 664406
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D8CC14B4B0F14953A8D6974A20DBAFF3 Ref B: LON04EDGE0714 Ref C: 2024-05-05T00:35:58Z
date: Sun, 05 May 2024 00:35:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 682798
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 93EE6B4511B645EE932218C955472756 Ref B: LON04EDGE0714 Ref C: 2024-05-05T00:35:58Z
date: Sun, 05 May 2024 00:35:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B8E49167A68F4591875BD5F24B88E7E1 Ref B: LON04EDGE0714 Ref C: 2024-05-05T00:35:58Z
date: Sun, 05 May 2024 00:35:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A48FAADA688A458C9CAB1E4F8EAD382C Ref B: LON04EDGE0714 Ref C: 2024-05-05T00:35:58Z
date: Sun, 05 May 2024 00:35:58 GMT

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

tls, http2

2.0kB
9.2kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb53881471eb43fba4d9caca645dd593&localId=w:9686F947-16CC-59E2-7F90-076D2B78DA93&deviceId=6825828473710710&anid=

HTTP Response

204
45.56.79.23:80

http://www.aieov.com/logo.gif

http

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

336 B
503 B
6
4

HTTP Request

GET http://www.aieov.com/logo.gif

HTTP Response

403
23.62.61.194:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
45.56.79.23:80

http://www.aieov.com/logo.gif

http

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

336 B
503 B
6
4

HTTP Request

GET http://www.aieov.com/logo.gif

HTTP Response

403
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

90.1kB
2.6MB
1931
1927

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370255189_1E7XE0SO5A57SENIS&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370255188_1EKPMYV01DV13G64K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.1kB
8.0kB
14
12
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

5isohu.com

dns

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

56 B
117 B
1
1

DNS Request

5isohu.com
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

www.aieov.com

dns

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

59 B
251 B
1
1

DNS Request

www.aieov.com

DNS Response

45.56.79.23

198.58.118.167

45.33.23.183

96.126.123.244

45.79.19.196

45.33.2.79

173.255.194.134

72.14.185.43

45.33.18.44

45.33.30.197

72.14.178.174

45.33.20.235
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

23.79.56.45.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

23.79.56.45.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

5isohu.com

dns

2024-05-05_46117be399d6c9cda28a90eac4a560dc_bkransomware_floxif.exe

56 B
117 B
1
1

DNS Request

5isohu.com
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

24.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

24.121.18.2.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

51.15.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

51.15.97.104.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/3208-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3208-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3208-12-0x0000000000030000-0x00000000003C0000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.