mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 10:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe
Size

644KB
MD5

a119f408d6f9327beb89d3d0567775eb
SHA1

0a2087df9196da35d1ab399859bb1b0686f334b3
SHA256

fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5
SHA512

f3dbf32f8aabb589f736cddca2ad9f209ad10d06eb51c2334bceb6a17b93f1d18412366d87cc81bc8bf33b0f2cab04651f8703d0b9fc1d5b0cd440d840a3079e
SSDEEP

12288:NMrOy909b5rILTLw/aztAjCM603Ss6Uv5zu4mcxvflBxg+CUb:fy+b9oTc/QWjq0Vzvp9DC2

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral22/memory/1144-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral22/memory/1144-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral22/memory/1144-19-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
1184	cs6Wy28.exe
4796	1Zm28dL2.exe
2536	2kx9856.exe
1400	3OV51GV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cs6Wy28.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 2076	4796	1Zm28dL2.exe	85
PID 2536 set thread context of 1144	2536	2kx9856.exe	87

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3OV51GV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3OV51GV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3OV51GV.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2076	AppLaunch.exe
2076	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1184	5096	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe	83
PID 5096 wrote to memory of 1184	5096	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe	83
PID 5096 wrote to memory of 1184	5096	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe	83
PID 1184 wrote to memory of 4796	1184	cs6Wy28.exe	84
PID 1184 wrote to memory of 4796	1184	cs6Wy28.exe	84
PID 1184 wrote to memory of 4796	1184	cs6Wy28.exe	84
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 4796 wrote to memory of 2076	4796	1Zm28dL2.exe	85
PID 1184 wrote to memory of 2536	1184	cs6Wy28.exe	86
PID 1184 wrote to memory of 2536	1184	cs6Wy28.exe	86
PID 1184 wrote to memory of 2536	1184	cs6Wy28.exe	86
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 2536 wrote to memory of 1144	2536	2kx9856.exe	87
PID 5096 wrote to memory of 1400	5096	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe	88
PID 5096 wrote to memory of 1400	5096	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe	88
PID 5096 wrote to memory of 1400	5096	fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe	88

C:\Users\Admin\AppData\Local\Temp\fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe
"C:\Users\Admin\AppData\Local\Temp\fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cs6Wy28.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cs6Wy28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zm28dL2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zm28dL2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx9856.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx9856.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3OV51GV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3OV51GV.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1400

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3083CFF92A816D020F6CDB702B616C40; domain=.bing.com; expires=Wed, 18-Jun-2025 10:35:20 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1E80B99C6B414733B31383C476C633A4 Ref B: LON04EDGE1216 Ref C: 2024-05-24T10:35:20Z
date: Fri, 24 May 2024 10:35:19 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3083CFF92A816D020F6CDB702B616C40; _EDGE_S=SID=2508C0FB97126C2420F1D47296456D31

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=oCYgDuzZ2k-gx1iur6eiyZu3hm01NM-euEa-1L3KYCk; domain=.bing.com; expires=Wed, 18-Jun-2025 10:35:20 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 651325FD4B254BDEA60F1CC7829F87FB Ref B: LON04EDGE1216 Ref C: 2024-05-24T10:35:20Z
date: Fri, 24 May 2024 10:35:19 GMT
GET

https://www.bing.com/aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

Remote address:

23.62.61.97:443

Request

GET /aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3083CFF92A816D020F6CDB702B616C40

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B1ECF71064994102ACD90768429B75D2 Ref B: AMS04EDGE1319 Ref C: 2024-05-24T10:35:20Z
content-length: 0
date: Fri, 24 May 2024 10:35:20 GMT
set-cookie: _EDGE_S=SID=2508C0FB97126C2420F1D47296456D31; path=/; httponly; domain=bing.com
set-cookie: MUIDB=3083CFF92A816D020F6CDB702B616C40; path=/; httponly; expires=Wed, 18-Jun-2025 10:35:20 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1716546920.6fbd006
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.97:443

Request

GET /th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=3083CFF92A816D020F6CDB702B616C40; _EDGE_S=SID=2508C0FB97126C2420F1D47296456D31; MSPTC=oCYgDuzZ2k-gx1iur6eiyZu3hm01NM-euEa-1L3KYCk; MUIDB=3083CFF92A816D020F6CDB702B616C40
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 999
date: Fri, 24 May 2024 10:35:22 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1716546922.6fbd56b
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F031EAE2DC794D50871F4841188CA71C Ref B: LON04EDGE1118 Ref C: 2024-05-24T10:36:57Z
date: Fri, 24 May 2024 10:36:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 72E503EFF32A47BBBE18593FB9F28914 Ref B: LON04EDGE1118 Ref C: 2024-05-24T10:36:57Z
date: Fri, 24 May 2024 10:36:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 87A2AAF4FE884BFC9BCE7217D2E49DE7 Ref B: LON04EDGE1118 Ref C: 2024-05-24T10:36:57Z
date: Fri, 24 May 2024 10:36:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6C855E19E5D249FE8C3F104799B2DBE2 Ref B: LON04EDGE1118 Ref C: 2024-05-24T10:36:57Z
date: Fri, 24 May 2024 10:36:57 GMT
DNS

123.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.10.44.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

tls, http2

2.5kB
9.0kB
20
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8TMgecry_0hjpDPCi_fed0DVUCUwMV1A-qhAOyRNjopJNk6uos2WKDo0Clqxv6YfkS8ESW-Xai3k4oYjCIhoceclAYoCHQbrFA5euelxTbeA2Ic5X2Uu6dRONbCIPyS60APCTioqXXEf4ZAyJ7peFV9euhPdf061TfGTmm8yn50bAGAF9%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D19b1b5cb59ee1358b359d3e0ff2d17d4&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF

HTTP Response

204
23.62.61.97:443

https://www.bing.com/aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=b2f67e4e6dd147acbead8f1cbe0f6193&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266

HTTP Response

200
23.62.61.97:443

https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.3kB
17
13

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

82.1kB
2.4MB
1715
1713

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

123.10.44.20.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

123.10.44.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3OV51GV.exe

Filesize
31KB

MD5
49a23df96801ba7195116dbfa9fa07c0

SHA1
90c0849d1cc36b5dd8e764c96ab6e55b81fbfde8

SHA256
6b63d9413653b4952d0cfb06a7f3ffddaa4b002069b7fa038cbb2ea657d79373

SHA512
961b96fc76ddc1ad570934f61d704b2fbc15beb7b353abd1f6c305a951f24cce31bcedca91424f43c329e099ca20c3f7fd5ee6187969ffd019c8e028c44bd55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cs6Wy28.exe

Filesize
520KB

MD5
b7eda3b7b76865c14fb995ebfd9cb9b5

SHA1
299edc32713df4ce5678dd9859250c7afd6349fb

SHA256
68335a6e13fbf631f59a411d5e853e6c2c18ebf3577ab779c6443ee416ed10c6

SHA512
240ac0dc0833ed0fb04042ffbd79e481502d1ad29daa3df03c04e525a96a0302a194e2ebbc9e21e95280fc8f58fdcf9dd7fa59f46e7c91707bfd77bc2c3db09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zm28dL2.exe

Filesize
869KB

MD5
a6f1b23ea809d906c8c1decbc1a295f2

SHA1
1c243e018eda26aa849db9a6e48484acc64510f9

SHA256
045cca3608c945a606676d863cdbbb1bbb017f80b81fa39f6641105f499e6679

SHA512
e2ac435f785bffe854f466c153ea7815df095cbed50b3d37fbc455aa539f378aa25b98398d32c39744702cdda3a0acef1d9216851223208e39d28389c4accd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx9856.exe

Filesize
1.0MB

MD5
68dd924448db0dbf3f939e49810fd695

SHA1
78d2d5b0d7ffa616b43beb2ae1c9407450dd96aa

SHA256
c7ec464acd5e71db4ec72c3c2df7cfacdabb5c8d2b8f96dcfb737d9b44e7ac46

SHA512
8db87017ccebd52f450aa2b6b90f64cd197821d2b20977ebb6cdadf866b7282920b256089fe495ee452f94ef9b9bd912eea7ecff4cfb47cf3785eff106ec0835

Download Submit
memory/1144-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1400-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2076-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.