224da404f85b1f4ea2e95ac0c2d403fa70135ce9ff22246889bababca20241da

Analysis

max time kernel
1480s
max time network
1494s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30/05/2024, 13:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSVCRTExt.dll
Size

1.0MB
MD5

7aa124480e548155d65bae921f391afa
SHA1

23ac725e5a63995d0e27a5841c969486e1d2c3f5
SHA256

224da404f85b1f4ea2e95ac0c2d403fa70135ce9ff22246889bababca20241da
SHA512

7d02132340b35551a474e55c4e5e5e7f0839a1294b017abf0e2c6d7fd45e8d2235608c2bf4233e7e6957155a932c9f1f8a14dd1c36bd567a1c66861586b8a363
SSDEEP

24576:05nJIDlyEgORmiRly2oQ9dMGpuFU6DfCq1:05+cQFAgdRgFUGfCq1

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3872	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3180	1188	regsvr32.exe	79
PID 1188 wrote to memory of 3180	1188	regsvr32.exe	79
PID 1188 wrote to memory of 3180	1188	regsvr32.exe	79

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MSVCRTExt.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\MSVCRTExt.dll
  2⤵
  PID:3180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2980

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:872

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4792

Network

DNS

222.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.197.79.204.in-addr.arpa

IN PTR

Response
DNS

cxcs.microsoft.net

Remote address:

8.8.8.8:53

Request

cxcs.microsoft.net

IN A

Response

cxcs.microsoft.net

IN CNAME

cxcs.microsoft.net.edgekey.net

cxcs.microsoft.net.edgekey.net

IN CNAME

e3230.b.akamaiedge.net

e3230.b.akamaiedge.net

IN A

104.68.66.114
DNS

114.66.68.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.66.68.104.in-addr.arpa

IN PTR

Response

114.66.68.104.in-addr.arpa

IN PTR

a104-68-66-114deploystaticakamaitechnologiescom
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A

Response

ris.api.iris.microsoft.com

IN CNAME

ris-prod.trafficmanager.net

ris-prod.trafficmanager.net

IN CNAME

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

IN A

20.234.120.54
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 555746
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8FBCA736AAF9437F823FD7453A2B5B2E Ref B: LON04EDGE0710 Ref C: 2024-05-30T13:46:54Z
date: Thu, 30 May 2024 13:46:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 638730
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A20DBEC4BF1145669C16073E2222E478 Ref B: LON04EDGE0710 Ref C: 2024-05-30T13:46:54Z
date: Thu, 30 May 2024 13:46:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 85D285F8E6E7470783E7461CE49AEAA0 Ref B: LON04EDGE0710 Ref C: 2024-05-30T13:46:54Z
date: Thu, 30 May 2024 13:46:54 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C844CA1F71C44371975F3A44A119B110 Ref B: LON04EDGE0710 Ref C: 2024-05-30T13:46:54Z
date: Thu, 30 May 2024 13:46:54 GMT
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A

Response

ris.api.iris.microsoft.com

IN CNAME

ris-prod.trafficmanager.net

ris-prod.trafficmanager.net

IN CNAME

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

IN A

20.234.120.54

2.18.66.56:443

www.bing.com

tls

10.9kB
121.8kB
115
110
23.62.61.99:443

r.bing.com

tls

51.3kB
1.4MB
1057
1033
23.62.61.99:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.99:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.99:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.99:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.99:443

r.bing.com

tls

1.1kB
5.2kB
15
12
104.68.66.114:443

cxcs.microsoft.net

tls

1.5kB
7.4kB
20
16
23.62.61.155:443

www.bing.com

tls

1.9kB
6.4kB
19
12
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

74.1kB
2.1MB
1537
1534

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.1kB
16
13

8.8.8.8:53

222.197.79.204.in-addr.arpa

dns

487 B
1.1kB
7
7

DNS Request

222.197.79.204.in-addr.arpa

DNS Request

cxcs.microsoft.net

DNS Response

104.68.66.114

DNS Request

114.66.68.104.in-addr.arpa

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

71.159.190.20.in-addr.arpa

DNS Request

ris.api.iris.microsoft.com

DNS Response

20.234.120.54

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

144 B
350 B
2
2

DNS Request

54.120.234.20.in-addr.arpa

DNS Request

ris.api.iris.microsoft.com

DNS Response

20.234.120.54

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e9aa12ff0be6d995ed86f8cf88678158

SHA1
e5ee38fc2ebef0fcbc3059dee29b39f7daf21931

SHA256
f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561

SHA512
95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.