amadey | c5a3dbeea17ddba50482e7844a817171580f977dcea9ad7b655d39a934b93b93

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
Size

359KB
MD5

18eaeff3ae40e541cbd0cdfdc2298885
SHA1

2fe4663c9d407d97bebcd035d901321dd1d9ef3e
SHA256

6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c
SHA512

83c4ef016804df631b4169aac8ff88210d74017b8b19afa7e791bbf9e6c852de2ce64482ce6c29530b4557e75c40f84a827993b3d0f414a0d3306890652bfd16
SSDEEP

6144:Kmy+bnr+Lp0yN90QEjHCyMnb6yUchr1x18mlQVMhyoVAWgWMvmy:aMrzy905Ob79hdEmJYvmy

Score

10^/10

amadey healer smokeloader backdoor dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral11/files/0x0008000000023613-13.dat	healer
behavioral11/memory/1280-14-0x00000000004E0000-0x00000000004EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7507750.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7507750.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7507750.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7507750.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7507750.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7507750.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b3281386.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 7 IoCs

pid	Process
3024	v4192759.exe
1280	a7507750.exe
388	b3281386.exe
1404	danke.exe
2316	c8559996.exe
3164	danke.exe
3864	danke.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7507750.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4192759.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8559996.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8559996.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8559996.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1280	a7507750.exe
1280	a7507750.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	a7507750.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3024	2428	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe	89
PID 2428 wrote to memory of 3024	2428	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe	89
PID 2428 wrote to memory of 3024	2428	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe	89
PID 3024 wrote to memory of 1280	3024	v4192759.exe	90
PID 3024 wrote to memory of 1280	3024	v4192759.exe	90
PID 3024 wrote to memory of 388	3024	v4192759.exe	98
PID 3024 wrote to memory of 388	3024	v4192759.exe	98
PID 3024 wrote to memory of 388	3024	v4192759.exe	98
PID 388 wrote to memory of 1404	388	b3281386.exe	99
PID 388 wrote to memory of 1404	388	b3281386.exe	99
PID 388 wrote to memory of 1404	388	b3281386.exe	99
PID 2428 wrote to memory of 2316	2428	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe	100
PID 2428 wrote to memory of 2316	2428	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe	100
PID 2428 wrote to memory of 2316	2428	6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe	100
PID 1404 wrote to memory of 4604	1404	danke.exe	101
PID 1404 wrote to memory of 4604	1404	danke.exe	101
PID 1404 wrote to memory of 4604	1404	danke.exe	101
PID 1404 wrote to memory of 1992	1404	danke.exe	103
PID 1404 wrote to memory of 1992	1404	danke.exe	103
PID 1404 wrote to memory of 1992	1404	danke.exe	103
PID 1992 wrote to memory of 4272	1992	cmd.exe	105
PID 1992 wrote to memory of 4272	1992	cmd.exe	105
PID 1992 wrote to memory of 4272	1992	cmd.exe	105
PID 1992 wrote to memory of 3068	1992	cmd.exe	106
PID 1992 wrote to memory of 3068	1992	cmd.exe	106
PID 1992 wrote to memory of 3068	1992	cmd.exe	106
PID 1992 wrote to memory of 2188	1992	cmd.exe	107
PID 1992 wrote to memory of 2188	1992	cmd.exe	107
PID 1992 wrote to memory of 2188	1992	cmd.exe	107
PID 1992 wrote to memory of 5000	1992	cmd.exe	108
PID 1992 wrote to memory of 5000	1992	cmd.exe	108
PID 1992 wrote to memory of 5000	1992	cmd.exe	108
PID 1992 wrote to memory of 3620	1992	cmd.exe	109
PID 1992 wrote to memory of 3620	1992	cmd.exe	109
PID 1992 wrote to memory of 3620	1992	cmd.exe	109
PID 1992 wrote to memory of 2824	1992	cmd.exe	110
PID 1992 wrote to memory of 2824	1992	cmd.exe	110
PID 1992 wrote to memory of 2824	1992	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe
"C:\Users\Admin\AppData\Local\Temp\6d684b37ca877d403cebced125fab4f36a37e290840da5678e0d43fd35796a5c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
      "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4272
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:N"
        6⤵
        
        PID:3068
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:R" /E
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:5000
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:N"
        6⤵
        
        PID:3620
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:R" /E
        6⤵
        
        PID:2824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:3864

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0B0DB3AB21FF67E0170DA7D020D86651; domain=.bing.com; expires=Wed, 04-Jun-2025 12:30:55 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A4FDD5DEBF6248F78E35077E60039DE5 Ref B: LON04EDGE0720 Ref C: 2024-05-10T12:30:55Z
date: Fri, 10 May 2024 12:30:55 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0B0DB3AB21FF67E0170DA7D020D86651

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=HrzCf5937Ip9CHCu_XSBY-ePbotNo8t1MM5xGp4uWvg; domain=.bing.com; expires=Wed, 04-Jun-2025 12:30:55 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3EC67663913C4C7FA803688444627E05 Ref B: LON04EDGE0720 Ref C: 2024-05-10T12:30:55Z
date: Fri, 10 May 2024 12:30:55 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0B0DB3AB21FF67E0170DA7D020D86651; MSPTC=HrzCf5937Ip9CHCu_XSBY-ePbotNo8t1MM5xGp4uWvg

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8A42FB93C11F4ABBA9F9F27567B1141D Ref B: LON04EDGE0720 Ref C: 2024-05-10T12:30:55Z
date: Fri, 10 May 2024 12:30:55 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

21.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.177.190.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.99:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=0B0DB3AB21FF67E0170DA7D020D86651; MSPTC=HrzCf5937Ip9CHCu_XSBY-ePbotNo8t1MM5xGp4uWvg
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 10 May 2024 12:30:56 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5f3d3e17.1715344256.11bff31
DNS

99.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.61.62.23.in-addr.arpa

IN PTR

Response

99.61.62.23.in-addr.arpa

IN PTR

a23-62-61-99deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=4198041aef6147739f46dd8e772af064&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

HTTP Response

204
23.62.61.99:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
77.91.68.3:80

danke.exe

260 B
5
77.91.68.3:80

danke.exe

260 B
5
77.91.68.3:80

danke.exe

260 B
5
77.91.68.3:80

danke.exe

260 B
5
77.91.68.3:80

danke.exe

208 B
4

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

21.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.177.190.20.in-addr.arpa
8.8.8.8:53

99.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

99.61.62.23.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c8559996.exe

Filesize
32KB

MD5
499339c2340f225b81aa84b57a06c69f

SHA1
602c6e3a1ca624caa1ec4cc92dfd62ebde523033

SHA256
31c962983a5dcb34c366ea726a6e4defcf6db78d259516edcc1b6336a297bbba

SHA512
a60cedbdb39bec49434526a46369199fa6e41cec24c30764821818e1335fc107123430c61190a265747118e54de289691912c1fa89fc89a79e350813e419838e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4192759.exe

Filesize
235KB

MD5
f6c9e67f472f01eccc2c794be5bc61cf

SHA1
65ca30935f69dd98e136485fa24ecd00dd2afdef

SHA256
079faabeddf8ac54de6accc9d09b63bf543afdcaf395234f1dbfcf46c5d56d99

SHA512
ba9c4a04454db187a5fbfd64068729523b364bf72085e6b08607970e4cad972691dafc125981b52178f4fd8ea0d5314e42e61d7852ed4c912521a5a4809bfac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7507750.exe

Filesize
13KB

MD5
f5773b2b65f54e39abe894025d6c9885

SHA1
3f9d26e35dff7640478119ff8550b6ad5363dfde

SHA256
9788cb0fcb4b0bb8086babe2cf499aec511ce0a867ad0c79e79c5c9d9a57d561

SHA512
27a9015725854d7740536c7d403bd4b01f1baa4e4d6bf195f6b25e9055d58b397303d8aef8d833d761eb1ed62563fe4b7c7a12af0edbf80ba1dea3eb24dfb016

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b3281386.exe

Filesize
226KB

MD5
1ff19e67a2ae75ad45eebf9693ec503d

SHA1
3f3da59265845f64d1f29c92706acf35fb4ab1b5

SHA256
d0ecd3340d3c57da9d342be0aef3027e74adbb8834be7d05c28942eda33f8708

SHA512
9810192a9a0b4410edb1726150f94fdb9091889b656a79cdbe8bb78d2b041c0a173c8f36baa7e52b1d0bb4731fe3a749bc84b3b671a425a0f905a3707f0e9571

Download Submit
memory/1280-14-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1280-15-0x00007FFCC25D3000-0x00007FFCC25D5000-memory.dmp

Filesize
8KB

Download
memory/2316-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2316-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.