mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 17:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe
Size

884KB
MD5

855fcc3b4e6345267720d10a2c70bb2a
SHA1

2136ff618093894c720d287da6933cd9f971eb7b
SHA256

114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd
SHA512

850c7c93d8566718d64807f7a3bdc75a42808b5fa939adc1876e14264402d2ed9af2edd72fe8c81b53fc4cde9717f18742d1e523e37d5e552bc58a5ae55a1b43
SSDEEP

12288:sMrPy90LSw11aIzsQWakywt2w/4+imJi1m+nhSKgICaY1gixnKGCwaz:zyPwAyjw/4+UM+nhSR/xdxKwaz

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/1492-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/1492-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/1492-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023421-26.dat	family_redline
behavioral2/memory/3752-28-0x0000000000C80000-0x0000000000CBE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2556	MT5qJ9oR.exe
4376	Zd4dI6hb.exe
4412	1nm68zs5.exe
3752	2Bt639Gj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MT5qJ9oR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zd4dI6hb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 1492	4412	1nm68zs5.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	4412	WerFault.exe	86

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2556	4608	114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe	83
PID 4608 wrote to memory of 2556	4608	114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe	83
PID 4608 wrote to memory of 2556	4608	114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe	83
PID 2556 wrote to memory of 4376	2556	MT5qJ9oR.exe	85
PID 2556 wrote to memory of 4376	2556	MT5qJ9oR.exe	85
PID 2556 wrote to memory of 4376	2556	MT5qJ9oR.exe	85
PID 4376 wrote to memory of 4412	4376	Zd4dI6hb.exe	86
PID 4376 wrote to memory of 4412	4376	Zd4dI6hb.exe	86
PID 4376 wrote to memory of 4412	4376	Zd4dI6hb.exe	86
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4412 wrote to memory of 1492	4412	1nm68zs5.exe	88
PID 4376 wrote to memory of 3752	4376	Zd4dI6hb.exe	94
PID 4376 wrote to memory of 3752	4376	Zd4dI6hb.exe	94
PID 4376 wrote to memory of 3752	4376	Zd4dI6hb.exe	94

C:\Users\Admin\AppData\Local\Temp\114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe
"C:\Users\Admin\AppData\Local\Temp\114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MT5qJ9oR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MT5qJ9oR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zd4dI6hb.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zd4dI6hb.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1nm68zs5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1nm68zs5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 596
        5⤵
        Program crash
        
        PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Bt639Gj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Bt639Gj.exe
      4⤵
      Executes dropped EXE
      PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4412 -ip 4412
1⤵
PID:3104

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

152.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.107.17.2.in-addr.arpa

IN PTR

Response

152.107.17.2.in-addr.arpa

IN PTR

a2-17-107-152deploystaticakamaitechnologiescom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9959483B63D847129AF203ABC828BFD1 Ref B: LON04EDGE0607 Ref C: 2024-05-23T17:44:04Z
date: Thu, 23 May 2024 17:44:04 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=065466BF754563BF0209723774FE62AA; domain=.bing.com; expires=Tue, 17-Jun-2025 17:44:05 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9EE5A1E4C2B748EF8E16F7CEC21CAFBD Ref B: LON04EDGE0814 Ref C: 2024-05-23T17:44:05Z
date: Thu, 23 May 2024 17:44:05 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=065466BF754563BF0209723774FE62AA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Zeq47aMT7v7YuAHs2oE-snKjQizg05fOIb1DrhVaZ8M; domain=.bing.com; expires=Tue, 17-Jun-2025 17:44:05 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D0293C98BC9641A7B18508C55C60693E Ref B: LON04EDGE0814 Ref C: 2024-05-23T17:44:05Z
date: Thu, 23 May 2024 17:44:05 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=065466BF754563BF0209723774FE62AA; MSPTC=Zeq47aMT7v7YuAHs2oE-snKjQizg05fOIb1DrhVaZ8M

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 132BB38DCF174D8D8A7AF9701CFE4F79 Ref B: LON04EDGE0814 Ref C: 2024-05-23T17:44:05Z
date: Thu, 23 May 2024 17:44:05 GMT
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.187:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=065466BF754563BF0209723774FE62AA; MSPTC=Zeq47aMT7v7YuAHs2oE-snKjQizg05fOIb1DrhVaZ8M
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 23 May 2024 17:44:07 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b753dd58.1716486247.2ff782c
DNS

187.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.83.221.88.in-addr.arpa

IN PTR

Response

187.83.221.88.in-addr.arpa

IN PTR

a88-221-83-187deploystaticakamaitechnologiescom
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

216.183.117.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.183.117.104.in-addr.arpa

IN PTR

Response

216.183.117.104.in-addr.arpa

IN PTR

a104-117-183-216deploystaticakamaitechnologiescom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3EBEF69B1CCC44DBBCC3184319FE8670 Ref B: LON04EDGE1120 Ref C: 2024-05-23T17:45:38Z
date: Thu, 23 May 2024 17:45:38 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 43F8ABFF564B4B62B086656CD851E367 Ref B: LON04EDGE1120 Ref C: 2024-05-23T17:45:38Z
date: Thu, 23 May 2024 17:45:38 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 61E263BF6EEB4359843E863FB65D0E0A Ref B: LON04EDGE1120 Ref C: 2024-05-23T17:45:38Z
date: Thu, 23 May 2024 17:45:38 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A61386042EB74074BE28C359BA95F8B3 Ref B: LON04EDGE1120 Ref C: 2024-05-23T17:45:38Z
date: Thu, 23 May 2024 17:45:38 GMT
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

24.0kB
690.3kB
506
503

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

tls, http2

2.0kB
9.2kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=83bc35dae031447ea7eb75628807a9a2&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
88.221.83.187:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.4kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
160 B
5
4
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
160 B
5
4
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

96.8kB
2.8MB
2033
2030

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5
77.91.124.55:19071

2Bt639Gj.exe

260 B
200 B
5
5

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

152.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

152.107.17.2.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

187.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.83.221.88.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

216.183.117.104.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

216.183.117.104.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MT5qJ9oR.exe

Filesize
590KB

MD5
7d078e4654e3887b35fd41cbdb718c16

SHA1
28a3591931321957546885595e10e5843b03035e

SHA256
c28a1c57327eca80c02605472120fd83c9f149ac5b1ec3cd3a58b7a9b5fcf5e7

SHA512
a772a3f38bd58826bd836bacf4e4665926dbe9d6e8695e0a341d02f38b1fa77b3fae50a80363513eb39019a6d6a3e4d121b5fbe586198acdf774bf83810030dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zd4dI6hb.exe

Filesize
417KB

MD5
56fded080c66021ac50b25309e1613d9

SHA1
1ee55b0ed361f8f5ba47cb44886a7d927cf2aed4

SHA256
fb3dc4b6c37fd27ad5a55dde3efd31a977ad0c6866501a068a5defde94d7846c

SHA512
f41756785f9bc0cd2ffcc514a447d78799d6d4fe7e0cd0744fe1a733488aa736f0a8e0dc4a3ea53c45e335b9369f7a482a6f780505261db0f62c96d72700066e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1nm68zs5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Bt639Gj.exe

Filesize
231KB

MD5
65c000e38557467a66783401df6eb287

SHA1
788d94fa3e85f9941b0bc3c2b0ab7a92298c0de2

SHA256
215b3652b24b8ae5168647242c20229c74a50a7acc61385ca606e64a43cd32b7

SHA512
0b89761b0f7c1a6e5b2ed6f7cfb44d264609ab76c405119246b0d85c97371eb315a9fa59e856caa50ebfb53baff1f1f15a31155bf67ac6e3647bf408edd694fd

Download Submit
memory/1492-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1492-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1492-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3752-29-0x0000000008030000-0x00000000085D4000-memory.dmp

Filesize
5.6MB

Download
memory/3752-28-0x0000000000C80000-0x0000000000CBE000-memory.dmp

Filesize
248KB

Download
memory/3752-30-0x0000000007B40000-0x0000000007BD2000-memory.dmp

Filesize
584KB

Download
memory/3752-31-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/3752-32-0x0000000008C00000-0x0000000009218000-memory.dmp

Filesize
6.1MB

Download
memory/3752-33-0x00000000085E0000-0x00000000086EA000-memory.dmp

Filesize
1.0MB

Download
memory/3752-34-0x0000000007C90000-0x0000000007CA2000-memory.dmp

Filesize
72KB

Download
memory/3752-35-0x0000000007CF0000-0x0000000007D2C000-memory.dmp

Filesize
240KB

Download
memory/3752-36-0x0000000007E30000-0x0000000007E7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.