mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 19:04 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
Size

645KB
MD5

5c7efd9ec3e27bb93244365f3ccf6bd7
SHA1

8cff2506763935140038ddfd27738d40ebf05eab
SHA256

eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352
SHA512

ea7f94292cb9c024af86dd3176afb4daa7940d2fc6c3616bbba3d9493251273ab921916a04f6a5fd629a5204199ea9dac8948bd03a5031333773e695bf32ac20
SSDEEP

12288:6cMrEy90nyAH07CUhQWRNJcN7MOApGiBg4D/ovR18txF7y+bR6Vq:64y13eUhiPA8iBDxF7+o

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral16/memory/4776-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/4776-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/4776-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
2916	bO1Oi36.exe
2516	1QD06VA8.exe
772	2GQ9959.exe
4920	3La00TE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bO1Oi36.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 4496	2516	1QD06VA8.exe	85
PID 772 set thread context of 4776	772	2GQ9959.exe	90

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
432	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3La00TE.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3La00TE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3La00TE.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4496	AppLaunch.exe
4496	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2916	2748	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe	82
PID 2748 wrote to memory of 2916	2748	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe	82
PID 2748 wrote to memory of 2916	2748	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe	82
PID 2916 wrote to memory of 2516	2916	bO1Oi36.exe	83
PID 2916 wrote to memory of 2516	2916	bO1Oi36.exe	83
PID 2916 wrote to memory of 2516	2916	bO1Oi36.exe	83
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2516 wrote to memory of 4496	2516	1QD06VA8.exe	85
PID 2916 wrote to memory of 772	2916	bO1Oi36.exe	86
PID 2916 wrote to memory of 772	2916	bO1Oi36.exe	86
PID 2916 wrote to memory of 772	2916	bO1Oi36.exe	86
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 772 wrote to memory of 4776	772	2GQ9959.exe	90
PID 2748 wrote to memory of 4920	2748	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe	91
PID 2748 wrote to memory of 4920	2748	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe	91
PID 2748 wrote to memory of 4920	2748	eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe	91

C:\Users\Admin\AppData\Local\Temp\eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
"C:\Users\Admin\AppData\Local\Temp\eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4920

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:432

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=06B911FC91D260ED3D10057B90326130; domain=.bing.com; expires=Mon, 16-Jun-2025 19:04:24 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 85FDAC6C2AA14E0BA279816454030730 Ref B: LON04EDGE1115 Ref C: 2024-05-22T19:04:24Z
date: Wed, 22 May 2024 19:04:23 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=06B911FC91D260ED3D10057B90326130; _EDGE_S=SID=2F23F067E8616A803E13E4E0E9676B40

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=f-LWzzRZFC3DR47UQVWyB1siEpjORFRtFbwgDT-0n70; domain=.bing.com; expires=Mon, 16-Jun-2025 19:04:24 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 321826A53AFA4B2DA29456363E0E1641 Ref B: LON04EDGE1115 Ref C: 2024-05-22T19:04:24Z
date: Wed, 22 May 2024 19:04:24 GMT
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

Remote address:

23.62.61.72:443

Request

GET /aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=06B911FC91D260ED3D10057B90326130

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CDD304A1874E43D49681F12ED1785840 Ref B: LON212050701011 Ref C: 2024-05-22T19:04:24Z
content-length: 0
date: Wed, 22 May 2024 19:04:24 GMT
set-cookie: _EDGE_S=SID=2F23F067E8616A803E13E4E0E9676B40; path=/; httponly; domain=bing.com
set-cookie: MUIDB=06B911FC91D260ED3D10057B90326130; path=/; httponly; expires=Mon, 16-Jun-2025 19:04:24 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.443d3e17.1716404664.2577bc2b
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.72:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=06B911FC91D260ED3D10057B90326130; _EDGE_S=SID=2F23F067E8616A803E13E4E0E9676B40; MSPTC=f-LWzzRZFC3DR47UQVWyB1siEpjORFRtFbwgDT-0n70; MUIDB=06B911FC91D260ED3D10057B90326130
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 22 May 2024 19:04:26 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.443d3e17.1716404666.2577bfee
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

72.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.61.62.23.in-addr.arpa

IN PTR

Response

72.61.62.23.in-addr.arpa

IN PTR

a23-62-61-72deploystaticakamaitechnologiescom
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 484248F8AB5F468C9FFE059DD50B5C82 Ref B: LON04EDGE0714 Ref C: 2024-05-22T19:05:59Z
date: Wed, 22 May 2024 19:05:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C3CE776A657647D3B399C9F837A1E863 Ref B: LON04EDGE0714 Ref C: 2024-05-22T19:05:59Z
date: Wed, 22 May 2024 19:05:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A7E70EFA0DC64BBEAEAED60EA77436CC Ref B: LON04EDGE0714 Ref C: 2024-05-22T19:05:59Z
date: Wed, 22 May 2024 19:05:58 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CECAEAA6A5AE43C4B5138545FCE4983E Ref B: LON04EDGE0714 Ref C: 2024-05-22T19:05:59Z
date: Wed, 22 May 2024 19:05:58 GMT
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

11.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.179.89.13.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

tls, http2

2.5kB
9.0kB
19
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8IS-MMz1hPySSe40RR68GnzVUCUw72HvHgEgrcb-BJpT7py1Is5a9OxOHia7NPP3-unor4dFVeT1ifcUuVZiFvlJvU3PXV68LNLRwsOlrUBaka0mVZ_iemGPU4FLyqsIsnCn2D5huYke26XRHUjOFK_kE8r6rmZhwqb4hejahWYuxTbut%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Dd4249e4a2b14110c4549f86186bdcff3&TIME=20240426T133640Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189&muid=DA7A91E17E56FC56DF5DE341A69C2E55

HTTP Response

204
23.62.61.72:443

https://www.bing.com/aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

tls, http2

1.5kB
5.3kB
17
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=645eda02647f44b39391c838454a1557&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T133640Z&adUnitId=11730597&localId=w:DA7A91E1-7E56-FC56-DF5D-E341A69C2E55&deviceId=6966564702298189

HTTP Response

200
23.62.61.72:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.7kB
6.4kB
18
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

75.0kB
2.1MB
1545
1541

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

72.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

72.61.62.23.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

11.179.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

11.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe

Filesize
30KB

MD5
d84569a706b9c209fe691fb20af40afe

SHA1
2fd9b3710be51ee7318be4b905cf17447331cc73

SHA256
8225d0527e3a0ad5fd83412ed5d2c026ed2677b3f8f221160d64e5bbbe492838

SHA512
c346a73bb0710f520524e3b0680f14c9e53428842850c000d5a1d02fcfda0014f57d619e295ad3b45bb31724e6edb69229e77d1ab73a082620ab0ba1cdc9feee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe

Filesize
521KB

MD5
7f35d65926d1b28d7e70210e085c6caf

SHA1
461a90b25f1c893a50394ec5f7765761892a40f1

SHA256
c55be9f930e9865d003860a3f6389c6e3e70dd04879076d6c654387c79e7cfae

SHA512
e1d511dde2beb736c7f745bcc72ac30827ef82e4fe6d4410701b735e45c2ad56483fea01ddcda331e9420c4d6c76eab1170a64ed6acabd72f8ca3765d3158c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe

Filesize
878KB

MD5
010bf0c94334d77fdcd5ebf4c268a1f2

SHA1
dbbf0d948f8eb38a89081c350ed15a6d5237b234

SHA256
5cbe4f941a16573029af6f3d4339e987280ad08f7fe84aae64627c182fe95fcd

SHA512
033ba8a967f16a25245fa384d132fdb1b8b0ad28620987a81824261317c19dcdf1e7a935ea3d901596f9a4030cebeff27379ad745d920f47c300a4ddb2460e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe

Filesize
1.1MB

MD5
b14d236952119c720e5dd5981abcf5ac

SHA1
5fe5e42551f0339ee787f0e14c4b0d347031cbcc

SHA256
587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

SHA512
dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

Download Submit
memory/4496-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4776-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4920-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.