healer | dd49e60a45e3962b98b32d0ae9a1256ae1e60ba2b696a005fe221e32f96d996b | Triage

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 15:13 UTC

Sharing

Report Analysis Logs

General

Target

db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
Size

481KB
MD5

b983bbfa2e93dade84538209720f5e08
SHA1

6aa74f2b866844d1b5fe626d72e29ff27ffe095f
SHA256

db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3
SHA512

11e6207c8144315a15dfd8c7e486a2fff3d0d77a9c860e775ef8f5c50f4f61b12ab57fc5e61a3d821676857e701ff2c221aa11832987fca344a2ed861d58158a
SSDEEP

12288:pMrPy90u/cEIpe3ZHY+YtBEn1C3xvimDfHWu2BI95:uyD/mepfK2WvdLH6m5

Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes

auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral22/memory/3160-15-0x0000000002010000-0x000000000202A000-memory.dmp	healer
behavioral22/memory/3160-18-0x0000000002510000-0x0000000002528000-memory.dmp	healer
behavioral22/memory/3160-48-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-46-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-44-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-42-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-40-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-38-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-36-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-34-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-32-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-30-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-28-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-26-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-24-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-22-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-21-0x0000000002510000-0x0000000002522000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9410822.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9410822.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral22/files/0x000700000002348a-53.dat	family_redline
behavioral22/memory/4464-54-0x0000000000150000-0x0000000000180000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1696	v0380562.exe
3160	a9410822.exe
4464	b0566205.exe

Windows security modification 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9410822.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0380562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3160	a9410822.exe
3160	a9410822.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	a9410822.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1696	4496	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe	83
PID 4496 wrote to memory of 1696	4496	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe	83
PID 4496 wrote to memory of 1696	4496	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe	83
PID 1696 wrote to memory of 3160	1696	v0380562.exe	84
PID 1696 wrote to memory of 3160	1696	v0380562.exe	84
PID 1696 wrote to memory of 3160	1696	v0380562.exe	84
PID 1696 wrote to memory of 4464	1696	v0380562.exe	94
PID 1696 wrote to memory of 4464	1696	v0380562.exe	94
PID 1696 wrote to memory of 4464	1696	v0380562.exe	94

C:\Users\Admin\AppData\Local\Temp\db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
"C:\Users\Admin\AppData\Local\Temp\db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe
    3⤵
    - Executes dropped EXE
    PID:4464

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

98.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

98.58.20.217.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=216D1F1BC4796483333A0B60C55E658E; domain=.bing.com; expires=Wed, 04-Jun-2025 15:14:19 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8AF1BF2E6B0347D89C6FF66C51109FBF Ref B: LON04EDGE0606 Ref C: 2024-05-10T15:14:19Z
date: Fri, 10 May 2024 15:14:19 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=216D1F1BC4796483333A0B60C55E658E; _EDGE_S=SID=017F3FB0925468D92E7D2BCB939469C1

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=FlzrlYeKOZnrctYigK0VmzPOgXCuOOntmfn-pnuCd04; domain=.bing.com; expires=Wed, 04-Jun-2025 15:14:20 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6EA8C85C2230438C9402CBED177F4965 Ref B: LON04EDGE0606 Ref C: 2024-05-10T15:14:20Z
date: Fri, 10 May 2024 15:14:19 GMT
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=62e0fbdf87d24992b655c7424454d506&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133813Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

Remote address:

23.62.61.99:443

Request

GET /aes/c.gif?RG=62e0fbdf87d24992b655c7424454d506&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133813Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=216D1F1BC4796483333A0B60C55E658E

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E08E1F10F9414FC29237DDC508D85B95 Ref B: DUS30EDGE0316 Ref C: 2024-05-10T15:14:20Z
content-length: 0
date: Fri, 10 May 2024 15:14:20 GMT
set-cookie: _EDGE_S=SID=017F3FB0925468D92E7D2BCB939469C1; path=/; httponly; domain=bing.com
set-cookie: MUIDB=216D1F1BC4796483333A0B60C55E658E; path=/; httponly; expires=Wed, 04-Jun-2025 15:14:20 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5f3d3e17.1715354060.18e5480
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

99.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.61.62.23.in-addr.arpa

IN PTR

Response

99.61.62.23.in-addr.arpa

IN PTR

a23-62-61-99deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239339860315_1WVX6SNAJCPCC9OTR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.99:443

Request

GET /th?id=OADD2.10239339860315_1WVX6SNAJCPCC9OTR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=216D1F1BC4796483333A0B60C55E658E; _EDGE_S=SID=017F3FB0925468D92E7D2BCB939469C1; MSPTC=FlzrlYeKOZnrctYigK0VmzPOgXCuOOntmfn-pnuCd04; MUIDB=216D1F1BC4796483333A0B60C55E658E
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1180
date: Fri, 10 May 2024 15:14:21 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5f3d3e17.1715354061.18e580a
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

142.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.53.16.96.in-addr.arpa

IN PTR

Response

142.53.16.96.in-addr.arpa

IN PTR

a96-16-53-142deploystaticakamaitechnologiescom
DNS

142.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.53.16.96.in-addr.arpa

IN PTR
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 382817
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E2709C6128D640C7A46BCB1A347E85C4 Ref B: LON04EDGE0611 Ref C: 2024-05-10T15:15:59Z
date: Fri, 10 May 2024 15:15:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 499516
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7528453533FD4980A3B9BE613E97B2CE Ref B: LON04EDGE0611 Ref C: 2024-05-10T15:15:59Z
date: Fri, 10 May 2024 15:15:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 464243
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 15D28B4644F3434FA3BDD9E241E235DB Ref B: LON04EDGE0611 Ref C: 2024-05-10T15:15:59Z
date: Fri, 10 May 2024 15:15:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 476246
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CC993E8F90AC478B8B1810025FCF398F Ref B: LON04EDGE0611 Ref C: 2024-05-10T15:15:59Z
date: Fri, 10 May 2024 15:15:58 GMT
DNS

11.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.179.89.13.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De83KWSj698BcQBetGy3YK2aTVUCUwPSnPDHbWPZ5vqlVaujCnVzQM5sbHaiDndTJlJ27onRtNE0JLB_1kSVS0_qtwUlw9Kqn2UsoK7VcPHP7o3G-R0nrqC4vtcvk21GB9g0W5ns-9oc6W5LzM3Om61s6GCEOgJIRMKpLzGVu_ZSg8GWgxF%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Ddc4f388e648018d16b8d5ea5caaa066f&TIME=20240426T133813Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644&muid=3EBA0D95A4930C635584F13F751694E4

HTTP Response

204
23.62.61.99:443

https://www.bing.com/aes/c.gif?RG=62e0fbdf87d24992b655c7424454d506&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133813Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=62e0fbdf87d24992b655c7424454d506&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133813Z&adUnitId=11730597&localId=w:3EBA0D95-A493-0C63-5584-F13F751694E4&deviceId=6966564702259644

HTTP Response

200
23.62.61.99:443

https://www.bing.com/th?id=OADD2.10239339860315_1WVX6SNAJCPCC9OTR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.5kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239339860315_1WVX6SNAJCPCC9OTR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
217.196.96.101:4132

b0566205.exe

260 B
5
217.196.96.101:4132

b0566205.exe

260 B
5
217.196.96.101:4132

b0566205.exe

260 B
5
217.196.96.101:4132

b0566205.exe

260 B
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
15
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

59.5kB
1.7MB
1255
1255

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
15
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
15
14
217.196.96.101:4132

b0566205.exe

260 B
5
217.196.96.101:4132

b0566205.exe

208 B
4

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

98.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

98.58.20.217.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

99.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

99.61.62.23.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

142.53.16.96.in-addr.arpa

dns

142 B
135 B
2
1

DNS Request

142.53.16.96.in-addr.arpa

DNS Request

142.53.16.96.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

360 B
158 B
5
1

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53
8.8.8.8:53

11.179.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

11.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe

Filesize
309KB

MD5
78289d64bca8cf7001a2833b55f2d498

SHA1
46803bfbbd092741d0ead6461ad85e4411b8b564

SHA256
8e1e0b35af10cacf9588932c603d7913d923bf0337f00201cb01275d6f6bb94a

SHA512
2fd00e508126efa27032ad5590bed9f12c113ee0a9fd852fe8b71eab4180022d724233c7936440fa3e3ea25f017ee2d3f6b08b40523b955a6129a07629058b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe

Filesize
180KB

MD5
e20b8db65254032c64dcbba10e2538e3

SHA1
6b9dce92ff8582993c93807070d22b3e51cedbe5

SHA256
6238e60d08e87649202d276796980664795c96d4cdb610debab0c18928323885

SHA512
d2e6fe43d7c9bde6bb14556655a9a3cb71343b623209ec5b84d669030f57bc2f40fc929a54add3ce58460350a1dc41da55e98989f2805c241b490346debb8e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe

Filesize
168KB

MD5
9ca4be4159a6d2a62bf4c67fdd2f47f7

SHA1
6a6fd283228d81238b60a4fe86d4ccea44f6dc62

SHA256
4f48de5e12e4d0cf4bde18b729a8399f9b81ed39b18276e6ecbaac2da20e8af6

SHA512
87866bb49c961b9624d137e8cf6c2308b2c998acb12886ccc63213b8f6f4478bc1f0d234906a1df04ff082d458354c50143c9843bf0535b20d40bee616ba6076

Download Submit
memory/3160-34-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-21-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-18-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/3160-16-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-19-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-20-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-48-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-46-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-44-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-42-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-40-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-38-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-36-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-15-0x0000000002010000-0x000000000202A000-memory.dmp

Filesize
104KB

Download
memory/3160-17-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/3160-32-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-14-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/3160-26-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-24-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-22-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-30-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-50-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-28-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4464-55-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/4464-54-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download
memory/4464-57-0x000000000A100000-0x000000000A20A000-memory.dmp

Filesize
1.0MB

Download
memory/4464-58-0x000000000A030000-0x000000000A042000-memory.dmp

Filesize
72KB

Download
memory/4464-59-0x000000000A090000-0x000000000A0CC000-memory.dmp

Filesize
240KB

Download
memory/4464-56-0x000000000A5B0000-0x000000000ABC8000-memory.dmp

Filesize
6.1MB

Download
memory/4464-60-0x0000000004490000-0x00000000044DC000-memory.dmp

Filesize
304KB

Download