redline | b20d3b5caab986390a57d9b858c330d6fa12fa368809dfc94b90991735dc89d1 | Triage

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 10:00 UTC

Sharing

Report Analysis Logs

General

Target

f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe
Size

488KB
MD5

f43eefd57a11c5a5596c3eefb9898432
SHA1

0af5c7a3ba4038a905aa626808bfa60fc3ec11de
SHA256

f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0
SHA512

d458d3dc0c997f929c5b26f34f9a2ca5df0996aec6ccf907819f711d65d747433bfbe7f0d52b59a0562b528008b2e92c32b3e84ea05471bc53519cc1de158957
SSDEEP

6144:KVy+bnr+sp0yN90QEBSK3101Hn8GH7dyN4Xa6yVrJCae0Kb1E8OB/QKaJlo6LVtC:DMr8y90DSaY8i7MxVwazKlOZLa8CDAj

Score

10^/10

redline debro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5289717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5289717.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral22/memory/2300-53-0x00000000006A0000-0x00000000006CE000-memory.dmp	family_redline
behavioral22/files/0x0007000000023457-52.dat	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4376	y9098696.exe
1908	k5289717.exe
2300	l4940133.exe

Windows security modification 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5289717.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9098696.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	k5289717.exe
1908	k5289717.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	k5289717.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4376	3132	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe	85
PID 3132 wrote to memory of 4376	3132	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe	85
PID 3132 wrote to memory of 4376	3132	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe	85
PID 4376 wrote to memory of 1908	4376	y9098696.exe	86
PID 4376 wrote to memory of 1908	4376	y9098696.exe	86
PID 4376 wrote to memory of 1908	4376	y9098696.exe	86
PID 4376 wrote to memory of 2300	4376	y9098696.exe	98
PID 4376 wrote to memory of 2300	4376	y9098696.exe	98
PID 4376 wrote to memory of 2300	4376	y9098696.exe	98

C:\Users\Admin\AppData\Local\Temp\f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe
"C:\Users\Admin\AppData\Local\Temp\f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9098696.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9098696.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5289717.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5289717.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4940133.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4940133.exe
    3⤵
    - Executes dropped EXE
    PID:2300

Network

DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=18D46AF2BB1A609F18C67E8CBA3D6176; domain=.bing.com; expires=Sat, 07-Jun-2025 10:01:06 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E1F9389099CE41B5BD9A8B0B88C8AF6B Ref B: LON04EDGE0618 Ref C: 2024-05-13T10:01:06Z
date: Mon, 13 May 2024 10:01:06 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=18D46AF2BB1A609F18C67E8CBA3D6176; _EDGE_S=SID=245A6C3F9BD269E1137E78419AD46834

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=sfKK0CD88jclYgn65IHCbhymo-t8IMuxO8r5pgDsTVs; domain=.bing.com; expires=Sat, 07-Jun-2025 10:01:06 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1E7A7255923A45828F0B84DB11EF9365 Ref B: LON04EDGE0618 Ref C: 2024-05-13T10:01:06Z
date: Mon, 13 May 2024 10:01:06 GMT
GET

https://www.bing.com/aes/c.gif?RG=dd708208a3ba4b05b85b2bb61bfeb447&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135952Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

Remote address:

88.221.83.179:443

Request

GET /aes/c.gif?RG=dd708208a3ba4b05b85b2bb61bfeb447&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135952Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=18D46AF2BB1A609F18C67E8CBA3D6176

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3C1E6545D87F42AC959D828530F0CB81 Ref B: LON212050703007 Ref C: 2024-05-13T10:01:06Z
content-length: 0
date: Mon, 13 May 2024 10:01:06 GMT
set-cookie: _EDGE_S=SID=245A6C3F9BD269E1137E78419AD46834; path=/; httponly; domain=bing.com
set-cookie: MUIDB=18D46AF2BB1A609F18C67E8CBA3D6176; path=/; httponly; expires=Sat, 07-Jun-2025 10:01:06 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.af53dd58.1715594466.35062610
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

179.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.83.221.88.in-addr.arpa

IN PTR

Response

179.83.221.88.in-addr.arpa

IN PTR

a88-221-83-179deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

2.17.107.104:443

Request

GET /th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=18D46AF2BB1A609F18C67E8CBA3D6176; _EDGE_S=SID=245A6C3F9BD269E1137E78419AD46834; MSPTC=sfKK0CD88jclYgn65IHCbhymo-t8IMuxO8r5pgDsTVs; MUIDB=18D46AF2BB1A609F18C67E8CBA3D6176
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1463
date: Mon, 13 May 2024 10:01:08 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.646b1102.1715594468.9f1b77
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

104.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.107.17.2.in-addr.arpa

IN PTR

Response

104.107.17.2.in-addr.arpa

IN PTR

a2-17-107-104deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

139.53.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.53.16.96.in-addr.arpa

IN PTR

Response

139.53.16.96.in-addr.arpa

IN PTR

a96-16-53-139deploystaticakamaitechnologiescom
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 499516
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 79F93EEC46114A6BA967C00F5D246B5D Ref B: LON04EDGE1012 Ref C: 2024-05-13T10:02:46Z
date: Mon, 13 May 2024 10:02:46 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 382817
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8B92A4B377124A15983B3C7DC733BC78 Ref B: LON04EDGE1012 Ref C: 2024-05-13T10:02:46Z
date: Mon, 13 May 2024 10:02:46 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 464243
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1BB7EB69A5C141F2AA94BA025C805DDE Ref B: LON04EDGE1012 Ref C: 2024-05-13T10:02:46Z
date: Mon, 13 May 2024 10:02:46 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 476246
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 27ECF921594747B0AA826F6EBA0E5CA6 Ref B: LON04EDGE1012 Ref C: 2024-05-13T10:02:46Z
date: Mon, 13 May 2024 10:02:46 GMT
DNS

28.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.73.42.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-EzFYfBL_ziViZfvv8PB_zVUCUzOE7exioKyqbF4H2PGeoWqi3rfuZ9NJh0LZEUG32aqx1FqNRTs_WgdD5cCl0XNEwpJNrQuXNOeYkSZ-WlZt7L6_RATO2R-ZIbkyuyxtJTHJgJhaV1i39VeCYMz6RwEziigoMSA5lx0V-YhKcnbTvbH%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Da1cd838879f318822fbfe5a3caeb6fd0&TIME=20240426T135952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204
88.221.83.179:443

https://www.bing.com/aes/c.gif?RG=dd708208a3ba4b05b85b2bb61bfeb447&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135952Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=dd708208a3ba4b05b85b2bb61bfeb447&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135952Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

HTTP Response

200
2.17.107.104:443

https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
6.8kB
18
14

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
185.161.248.75:4132

l4940133.exe

260 B
5
185.161.248.75:4132

l4940133.exe

260 B
5
185.161.248.75:4132

l4940133.exe

260 B
5
185.161.248.75:4132

l4940133.exe

260 B
5
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

66.1kB
1.9MB
1371
1367

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
185.161.248.75:4132

l4940133.exe

260 B
5
185.161.248.75:4132

l4940133.exe

208 B
4

8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

179.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

179.83.221.88.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

104.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

104.107.17.2.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

139.53.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

139.53.16.96.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

28.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

28.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9098696.exe

Filesize
316KB

MD5
3f28a220d555d7f84763f4fe14c5e30e

SHA1
6844171e7db3af8480e85c49732e8e26c0fea7fc

SHA256
a467111c1a7dd3af8188b3fd8536d689b84b136a58f62e8366f78d309b1bad4b

SHA512
7ede895705631dfabdf2fb5a700495ed6aa265328c9d51edabbccaf8e1ed60661dfabba15c2e667191e02ec9694299fbb88a0a5c236b5590f28c0ec648aef08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5289717.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4940133.exe

Filesize
168KB

MD5
aae32866ea7168f696bbf5708e1f34b3

SHA1
ea4bae2e6d032dd41693f6b0816be1bdf5ab0530

SHA256
936ad9a6d9ad9debf5b12515698968901e4601066119d668b8cba558d9ccd56c

SHA512
85cfbf84831de3ce667f267896c9803eb4a81fcfc0d961ca364f85a237b28aee29e345bed3b6bad8626000045a264db023464da0d79ed3f75a2c5f5461363066

Download Submit
memory/1908-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-20-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-16-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-17-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/1908-19-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/1908-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-44-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-38-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-36-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-15-0x0000000004A00000-0x0000000004A1E000-memory.dmp

Filesize
120KB

Download
memory/1908-18-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-23-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-21-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-49-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-14-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/2300-54-0x0000000002880000-0x0000000002886000-memory.dmp

Filesize
24KB

Download
memory/2300-53-0x00000000006A0000-0x00000000006CE000-memory.dmp

Filesize
184KB

Download
memory/2300-55-0x000000000AB90000-0x000000000B1A8000-memory.dmp

Filesize
6.1MB

Download
memory/2300-57-0x000000000A590000-0x000000000A5A2000-memory.dmp

Filesize
72KB

Download
memory/2300-58-0x000000000A5F0000-0x000000000A62C000-memory.dmp

Filesize
240KB

Download
memory/2300-59-0x0000000004A50000-0x0000000004A9C000-memory.dmp

Filesize
304KB

Download
memory/2300-56-0x000000000A680000-0x000000000A78A000-memory.dmp

Filesize
1.0MB

Download