1d8cc8c85fd50970a0ef65159e56380971a1f80b2887477f7050a1edd9c6402c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 18:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
Size

4.1MB
MD5

18670970356b20561ac15a6edf5efdd0
SHA1

a55cdfb2a5b2f18c624e612900220605c1cee147
SHA256

1d8cc8c85fd50970a0ef65159e56380971a1f80b2887477f7050a1edd9c6402c
SHA512

135e69385454ae791a642ff7d626fa62ca8eb352b6f8b3f35eb45e0e92409a173c60477b5ee6063faa555241743dc25e7d09dad8ac989152524175bbc9c12f9b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1088	ecdevbod.exe
4636	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8K\\devoptisys.exe"	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBME\\optidevloc.exe"	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe
1088	ecdevbod.exe
1088	ecdevbod.exe
4636	devoptisys.exe
4636	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1088	1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	87
PID 1972 wrote to memory of 1088	1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	87
PID 1972 wrote to memory of 1088	1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	87
PID 1972 wrote to memory of 4636	1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	88
PID 1972 wrote to memory of 4636	1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	88
PID 1972 wrote to memory of 4636	1972	18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18670970356b20561ac15a6edf5efdd0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Intelproc8K\devoptisys.exe
  C:\Intelproc8K\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4636

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3A3C8F7DAE40649830759BFFAFA065AF; domain=.bing.com; expires=Wed, 11-Jun-2025 18:52:33 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E38727C2A06E40C0ADFBB46C6AAC1D85 Ref B: LON04EDGE1116 Ref C: 2024-05-17T18:52:33Z
date: Fri, 17 May 2024 18:52:32 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A3C8F7DAE40649830759BFFAFA065AF; _EDGE_S=SID=0A8DAC64AD89642A2901B8E6AC816590

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=JD0hKJeh71ZvnY2nvWlxGxSdJC-WA-7GQnJxpourKfw; domain=.bing.com; expires=Wed, 11-Jun-2025 18:52:33 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8891E620D203488E8C9799E3DD3B94AC Ref B: LON04EDGE1116 Ref C: 2024-05-17T18:52:33Z
date: Fri, 17 May 2024 18:52:33 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR
DNS

68.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

Remote address:

23.62.61.115:443

Request

GET /aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3A3C8F7DAE40649830759BFFAFA065AF

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 588C3319DA5B4C4E9BF590220EAF0503 Ref B: AMS04EDGE3010 Ref C: 2024-05-17T18:52:33Z
content-length: 0
date: Fri, 17 May 2024 18:52:33 GMT
set-cookie: _EDGE_S=SID=0A8DAC64AD89642A2901B8E6AC816590; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3A3C8F7DAE40649830759BFFAFA065AF; path=/; httponly; expires=Wed, 11-Jun-2025 18:52:33 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.6f3d3e17.1715971953.fe633c0
DNS

115.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

115.61.62.23.in-addr.arpa

IN PTR

Response

115.61.62.23.in-addr.arpa

IN PTR

a23-62-61-115deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.115:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=3A3C8F7DAE40649830759BFFAFA065AF; _EDGE_S=SID=0A8DAC64AD89642A2901B8E6AC816590; MSPTC=JD0hKJeh71ZvnY2nvWlxGxSdJC-WA-7GQnJxpourKfw; MUIDB=3A3C8F7DAE40649830759BFFAFA065AF
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 17 May 2024 18:52:35 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.6f3d3e17.1715971955.fe63901
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

45.19.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.19.74.20.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 616DD6E04B644C4E847AA6A122540FA2 Ref B: LON04EDGE0710 Ref C: 2024-05-17T18:53:51Z
date: Fri, 17 May 2024 18:53:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1C99CAA4E8C341ED9992AD0ECE6951D4 Ref B: LON04EDGE0710 Ref C: 2024-05-17T18:53:51Z
date: Fri, 17 May 2024 18:53:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 21CE96F048CC45CCAD5A06CE080A2321 Ref B: LON04EDGE0710 Ref C: 2024-05-17T18:53:51Z
date: Fri, 17 May 2024 18:53:50 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E6ECE08D3A624D23AD01F43497AE9449 Ref B: LON04EDGE0710 Ref C: 2024-05-17T18:53:51Z
date: Fri, 17 May 2024 18:53:50 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

tls, http2

2.6kB
10.4kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204
23.62.61.115:443

https://www.bing.com/aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

HTTP Response

200
23.62.61.115:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

73.9kB
2.1MB
1541
1538

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

146 B
159 B
2
1

DNS Request

228.249.119.40.in-addr.arpa

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

68.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

68.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

115.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

115.61.62.23.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

45.19.74.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

45.19.74.20.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc8K\devoptisys.exe

Filesize
4.1MB

MD5
de32ff47a74be0211e499fa40dfcb08f

SHA1
d36250b86c6442abbf0ba381858254d69a782020

SHA256
de37ebb5f57e9e46fa8f53d9bb51e4619df4f47e9b7c56aa094d83839bde70e7

SHA512
eb71a867b007e9a33ffd972f7f87c03a83390b37eddbbb8b0f3fae291a2ef08a1c07f8fe7b76af623b5949b6dda273dfbb8b7fe407aef1cc71d04826159f7380

Download Submit
C:\KaVBME\optidevloc.exe

Filesize
2.6MB

MD5
aad022df65f734d5afc8c07a184825c5

SHA1
5367a3cc5ba23830228f334c99317f9306b7fb55

SHA256
68d89f98ff076ff9b83ce8f075519991f2c76dab08c1c74c7adc5cb931590d4e

SHA512
699d17b5bc022fed0ef58615767a1e3b1246fb2be039ccf247a3f8fdd3b1798b5262c06dca85f3d61dab498df8ab430c19c1d12107c5f131311b756de81dc748

Download Submit
C:\KaVBME\optidevloc.exe

Filesize
4.1MB

MD5
9fbc92c843408d830bdd6c2690b4264a

SHA1
6163394cd17852573555552c344499156e6a53a6

SHA256
4f36a8b324ff873c0720564f1868bfae71934ff3cd1cda46e6b4c5819a09c85d

SHA512
6eb3d3f428615a7327a7a7c2d224a12968287e514eabbaef3c476ad3e1697c6dd1faeea41af4454ff6d37903044294000f658c2f39270c12727c41966989ec93

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
211B

MD5
2375a7d8cf510d103f53d874fe780abf

SHA1
e624657ced77bc0a71313a20d5797f669e214299

SHA256
07f8d85da7ef9c63f8b462470d7bd46adea2dfb9e985dddcf0b79f97af484282

SHA512
b33dd6f1233d764d916c387ab8d491d196ad9fe593fac780f07375ff81d1b3de47491c36365353e2901ca64d4b465ab0988391454b8394161b9428be0482ba14

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
179B

MD5
ce3dad3d22aee83ae8758a6c04d7a72d

SHA1
635862986d79f460fb22fece58bbfbea27718935

SHA256
3af4be897af4f061081c153cbbde783e3dc530c72459c21bc44dfa66fa44fe0a

SHA512
25b8d9fc5c64984d815c4f82a6393d31243da334790f626b851a9389b59126388350978260b4a0d47a2bf966a3ec922fe42f58ad6863d5df49caa0e788c1a22a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
4.1MB

MD5
d9f8c263d29c4eaeffa2cead566d8c5a

SHA1
398c6d0ce1b16bba80a6afe1763da0515316c20c

SHA256
6a41e9d516009897930ca09f9e773c93d09e2c4ef2ada1aafefeb680c698db48

SHA512
32b84128c3020ca2c58eaf11809e08a4fabc1c8e208d37167e7c08f781a9241e809f6fc7030df179452498f026c795bb4b630701691c0a5a6fcfd30f0e386583

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.