24cf45e2f326516edf295ca49e7f619ccc6f11ea9a81cd28b1e4ffa6a376d1a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 01:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo2.exe
Size

37KB
MD5

7b6fe54446ff5d20230b2d6f5ce45fad
SHA1

d6404f74516285cc40272d345461d9abd90823b3
SHA256

70aae83fad8fbbbd63c6a348fc4716abdd19a4f9bb9d011cb0f80850beb4543a
SHA512

77ce4a4fbe85e9b2a4c63637b0247724ee33ca0b6024a6a39138c5e73b0a3b3ed36a11a14bed04e05ba1babac183e9bae30a0b5b01c1fb3a655a78a81063f477
SSDEEP

768:LX3pbhvZSjPrIHHVuLIFOXds2L6cJj3AD2DLyxNCK1mM:d3Sr0HSPXdVLDpDLyxNN

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Photo2.exe

Deletes itself 1 IoCs

pid	Process
3412	IEXPAND.EXE

Executes dropped EXE 1 IoCs

pid	Process
3412	IEXPAND.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexpand.exe = "iexpand.exe"	IEXPAND.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iexpand.exe = "iexpand.exe"	Photo2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\IEXPAND.EXE	Photo2.exe
File opened for modification	C:\WINDOWS\SysWOW64\IEXPAND.EXE	Photo2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
392	Photo2.exe
392	Photo2.exe
392	Photo2.exe
392	Photo2.exe
392	Photo2.exe
392	Photo2.exe
3412	IEXPAND.EXE
3412	IEXPAND.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 3412	392	Photo2.exe	92
PID 392 wrote to memory of 3412	392	Photo2.exe	92
PID 392 wrote to memory of 3412	392	Photo2.exe	92

C:\Users\Admin\AppData\Local\Temp\Photo2.exe
"C:\Users\Admin\AppData\Local\Temp\Photo2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392
- C:\WINDOWS\SysWOW64\IEXPAND.EXE
  "C:\WINDOWS\SYSTEM32\IEXPAND.EXE" C:\Users\Admin\AppData\Local\Temp\Photo2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114808Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114808Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=00FF8A7CB6706F20068C9E07B7CB6E5F; domain=.bing.com; expires=Wed, 04-Jun-2025 01:16:42 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D58EFB9609D24D1F90EB732933009370 Ref B: LON04EDGE0921 Ref C: 2024-05-10T01:16:42Z
date: Fri, 10 May 2024 01:16:42 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=00FF8A7CB6706F20068C9E07B7CB6E5F; _EDGE_S=SID=3ADB60764D6568101221740D4C096924

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=8W1lOp1LAwV-ypjIcCLodeMvU5uOjnPDOpq_FYJW8sQ; domain=.bing.com; expires=Wed, 04-Jun-2025 01:16:42 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AC86DB6D0D25472E8961D723A71CCB7D Ref B: LON04EDGE0921 Ref C: 2024-05-10T01:16:42Z
date: Fri, 10 May 2024 01:16:42 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

Remote address:

88.221.83.187:443

Request

GET /aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=00FF8A7CB6706F20068C9E07B7CB6E5F

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B0BEFD52AF184A68AE96126A4B3669B0 Ref B: BRU30EDGE0512 Ref C: 2024-05-10T01:16:42Z
content-length: 0
date: Fri, 10 May 2024 01:16:42 GMT
set-cookie: _EDGE_S=SID=3ADB60764D6568101221740D4C096924; path=/; httponly; domain=bing.com
set-cookie: MUIDB=00FF8A7CB6706F20068C9E07B7CB6E5F; path=/; httponly; expires=Wed, 04-Jun-2025 01:16:42 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b753dd58.1715303802.c5b86ff
DNS

187.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.83.221.88.in-addr.arpa

IN PTR

Response

187.83.221.88.in-addr.arpa

IN PTR

a88-221-83-187deploystaticakamaitechnologiescom
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.187:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=00FF8A7CB6706F20068C9E07B7CB6E5F; _EDGE_S=SID=3ADB60764D6568101221740D4C096924; MSPTC=8W1lOp1LAwV-ypjIcCLodeMvU5uOjnPDOpq_FYJW8sQ; MUIDB=00FF8A7CB6706F20068C9E07B7CB6E5F
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 10 May 2024 01:16:46 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b753dd58.1715303806.c5b9426
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

31.251.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.251.17.2.in-addr.arpa

IN PTR

Response

31.251.17.2.in-addr.arpa

IN PTR

a2-17-251-31deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

tls, http2

2.5kB
9.0kB
19
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114808Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204
88.221.83.187:443

https://www.bing.com/aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

HTTP Response

200
88.221.83.187:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

187.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.83.221.88.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

31.251.17.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

31.251.17.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IEXPAND.EXE

Filesize
37KB

MD5
7b6fe54446ff5d20230b2d6f5ce45fad

SHA1
d6404f74516285cc40272d345461d9abd90823b3

SHA256
70aae83fad8fbbbd63c6a348fc4716abdd19a4f9bb9d011cb0f80850beb4543a

SHA512
77ce4a4fbe85e9b2a4c63637b0247724ee33ca0b6024a6a39138c5e73b0a3b3ed36a11a14bed04e05ba1babac183e9bae30a0b5b01c1fb3a655a78a81063f477

Download Submit
memory/392-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/392-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.