redline | ca441cc9e69c9106b68d24f81e5bfa4a6cccf701fd348d0f609d13e02e80e122 | Triage

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 17:44 UTC

Sharing

Report Analysis Logs

General

Target

2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe
Size

316KB
MD5

882d286f0c6f245572eb0481657d90db
SHA1

21e9879f7ccd03b084bf8376a7facdfb03ee1040
SHA256

2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026
SHA512

d4936c477106ed874097dac7c040bf8db82fe942771c654c30d7d6e427588bf5eb1c0d00db75c03c588de20477db426d3651deb8776f30a5176f46238bf702e0
SSDEEP

6144:Koy+bnr+jp0yN90QEq6vZrMgX3eYK41E8OBURKaJCd:wMr3y90YmN3rKWOmEawd

Score

10^/10

redline debro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8923991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8923991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8923991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8923991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8923991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8923991.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023436-45.dat	family_redline
behavioral3/memory/3220-48-0x0000000000150000-0x000000000017E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4400	k8923991.exe
3220	l0524916.exe

Windows security modification 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8923991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8923991.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4400	k8923991.exe
4400	k8923991.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	k8923991.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 4400	696	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe	82
PID 696 wrote to memory of 4400	696	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe	82
PID 696 wrote to memory of 4400	696	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe	82
PID 696 wrote to memory of 3220	696	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe	89
PID 696 wrote to memory of 3220	696	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe	89
PID 696 wrote to memory of 3220	696	2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe	89

C:\Users\Admin\AppData\Local\Temp\2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe
"C:\Users\Admin\AppData\Local\Temp\2489ba0556a2d308110025f336bb741c15538f7a7711d47ebb9765ce58c94026.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8923991.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8923991.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0524916.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0524916.exe
  2⤵
  - Executes dropped EXE
  PID:3220

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3FEE3A222E9864042D502E5C2F7865FF; domain=.bing.com; expires=Sat, 07-Jun-2025 17:44:32 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 46C36C8D198F4C2FA49E7CB6FB12F7EA Ref B: LON04EDGE1205 Ref C: 2024-05-13T17:44:32Z
date: Mon, 13 May 2024 17:44:32 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3FEE3A222E9864042D502E5C2F7865FF; _EDGE_S=SID=387E6974CE646164046F7D0ACF0860B3

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=3WLEbCEiOgEFhShQQ3A863GUihognowV9lkXLSLU-PA; domain=.bing.com; expires=Sat, 07-Jun-2025 17:44:32 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AB934521E84C447EB7B2A850F94C85CC Ref B: LON04EDGE1205 Ref C: 2024-05-13T17:44:32Z
date: Mon, 13 May 2024 17:44:32 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
GET

https://www.bing.com/aes/c.gif?RG=6bc71a80608f4a18b028affff1cfde27&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T110109Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

Remote address:

23.62.61.185:443

Request

GET /aes/c.gif?RG=6bc71a80608f4a18b028affff1cfde27&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T110109Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3FEE3A222E9864042D502E5C2F7865FF

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1F3859033E7F48BC9DEEC9536831D50A Ref B: BRU30EDGE0506 Ref C: 2024-05-13T17:44:32Z
content-length: 0
date: Mon, 13 May 2024 17:44:32 GMT
set-cookie: _EDGE_S=SID=387E6974CE646164046F7D0ACF0860B3; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3FEE3A222E9864042D502E5C2F7865FF; path=/; httponly; expires=Sat, 07-Jun-2025 17:44:32 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b53d3e17.1715622272.d54275d
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom
DNS

185.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

185.61.62.23.in-addr.arpa

IN PTR

Response

185.61.62.23.in-addr.arpa

IN PTR

a23-62-61-185deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.185:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=3FEE3A222E9864042D502E5C2F7865FF; _EDGE_S=SID=387E6974CE646164046F7D0ACF0860B3; MSPTC=3WLEbCEiOgEFhShQQ3A863GUihognowV9lkXLSLU-PA; MUIDB=3FEE3A222E9864042D502E5C2F7865FF
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Mon, 13 May 2024 17:44:33 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b53d3e17.1715622273.d542b9d
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

94.143.109.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

94.143.109.104.in-addr.arpa

IN PTR

Response

94.143.109.104.in-addr.arpa

IN PTR

a104-109-143-94deploystaticakamaitechnologiescom
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8I_62ilfleUAZgLlOscMxIjVUCUztyMdzki6mBmAVqK2NsFdPDVDff1CLpKjFeHmGMPLHAQEXfj7k11jHhzncwvlT2RkNZqSZeIcJRjEkVv_-DIGa-xktVMr80u4Kuf12GYHhvs_dtP9MFp-PAVL0wygS0buOEyaey_bFa-2R1xdxAsoG%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dc25b353a56ad146652e853010df8f0e7&TIME=20240508T110109Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204
23.62.61.185:443

https://www.bing.com/aes/c.gif?RG=6bc71a80608f4a18b028affff1cfde27&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T110109Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=6bc71a80608f4a18b028affff1cfde27&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T110109Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

HTTP Response

200
23.62.61.185:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
185.161.248.75:4132

l0524916.exe

260 B
5
185.161.248.75:4132

l0524916.exe

260 B
5
185.161.248.75:4132

l0524916.exe

260 B
5
185.161.248.75:4132

l0524916.exe

260 B
5
185.161.248.75:4132

l0524916.exe

260 B
5
185.161.248.75:4132

l0524916.exe

208 B
4

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa
8.8.8.8:53

185.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

185.61.62.23.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

94.143.109.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

94.143.109.104.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k8923991.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0524916.exe

Filesize
168KB

MD5
8f65373eda715e309f92cc1ef793c240

SHA1
82037b874405f43ca271d87a2a48e71a758bb872

SHA256
c24505fd7cce9e106532ee16169a635209ed84d7985a1b622690c87fbd1043e4

SHA512
34a1f94d14b509924ff6baaddb81cb6f64a415c85bdb697cdb5cdde8cd84deb6a91230e952e434906a071ef4a8f993909c61004f5a8e29a1bc5644059fd9248b

Download Submit
memory/3220-56-0x0000000074530000-0x00000000745DB000-memory.dmp

Filesize
684KB

Download
memory/3220-55-0x0000000004DF0000-0x0000000004E3C000-memory.dmp

Filesize
304KB

Download
memory/3220-54-0x0000000004C70000-0x0000000004CAC000-memory.dmp

Filesize
240KB

Download
memory/3220-53-0x0000000074530000-0x00000000745DB000-memory.dmp

Filesize
684KB

Download
memory/3220-52-0x0000000004C10000-0x0000000004C22000-memory.dmp

Filesize
72KB

Download
memory/3220-51-0x0000000004CE0000-0x0000000004DEA000-memory.dmp

Filesize
1.0MB

Download
memory/3220-50-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/3220-49-0x0000000004970000-0x0000000004976000-memory.dmp

Filesize
24KB

Download
memory/3220-48-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/3220-47-0x0000000074530000-0x00000000745DB000-memory.dmp

Filesize
684KB

Download
memory/4400-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-43-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-23-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-19-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-15-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-12-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-40-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-41-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-13-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-17-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-21-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4400-11-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/4400-10-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/4400-9-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-8-0x0000000002170000-0x000000000218E000-memory.dmp

Filesize
120KB

Download
memory/4400-7-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download