e66152b53fb851769c3abac3e5b9211275e4111dc24b5d3871737ef3ad8a7289

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 16:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe
Size

43KB
MD5

86abfd3571bc76f3c54cc5f61d275cd0
SHA1

fb7ee0ceb0e5f2046e3dc35400b9da76d56315eb
SHA256

e66152b53fb851769c3abac3e5b9211275e4111dc24b5d3871737ef3ad8a7289
SHA512

daab8acb0a46da03fabc56f8a2d2034306aa738dab20e54c7894642230e0897464f6330931c32885a07a4d0e9f0b7a02809cfb56f8d9a87aec5fb17913b4137d
SSDEEP

768:b/yC4GyNM01GuQMNXw2PSjHPbSuYlW8PAekQk:b/pYayGig5HjS3NPAekR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	retln.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2900	4160	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe	92
PID 4160 wrote to memory of 2900	4160	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe	92
PID 4160 wrote to memory of 2900	4160	86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe	92

C:\Users\Admin\AppData\Local\Temp\86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86abfd3571bc76f3c54cc5f61d275cd0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\retln.exe
  "C:\Users\Admin\AppData\Local\Temp\retln.exe"
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8
1⤵
PID:2296

Network

DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

34.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.56.20.217.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.56:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 06 Jun 2024 16:39:10 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.343d3e17.1717691950.589fea7
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

56.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.61.62.23.in-addr.arpa

IN PTR

Response

56.61.62.23.in-addr.arpa

IN PTR

a23-62-61-56deploystaticakamaitechnologiescom
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

105.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.83.221.88.in-addr.arpa

IN PTR

Response

105.83.221.88.in-addr.arpa

IN PTR

a88-221-83-105deploystaticakamaitechnologiescom
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

123.10.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.10.44.20.in-addr.arpa

IN PTR

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239385734239_1FZK43O4G75P8OXYJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239385734239_1FZK43O4G75P8OXYJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 447956
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6AACA91B0C57423EACF5D435D2672FF2 Ref B: LON04EDGE1018 Ref C: 2024-06-06T16:40:56Z
date: Thu, 06 Jun 2024 16:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 770657
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BB08546DDDB04FC49952EB3E0E9E3904 Ref B: LON04EDGE1018 Ref C: 2024-06-06T16:40:56Z
date: Thu, 06 Jun 2024 16:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 835660
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 889679C1BBCE472A8E2CC0804FA41A8F Ref B: LON04EDGE1018 Ref C: 2024-06-06T16:40:56Z
date: Thu, 06 Jun 2024 16:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 637660
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7F6F569DD9EB4A5F8C50D5C66FD3C4E2 Ref B: LON04EDGE1018 Ref C: 2024-06-06T16:40:56Z
date: Thu, 06 Jun 2024 16:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 634564
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B6B6247829654BD1A7D3BF2F55C75E79 Ref B: LON04EDGE1018 Ref C: 2024-06-06T16:40:56Z
date: Thu, 06 Jun 2024 16:40:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 435390
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 11E80CD38F1945A28345F9AFEF7CC87B Ref B: LON04EDGE1018 Ref C: 2024-06-06T16:40:57Z
date: Thu, 06 Jun 2024 16:40:56 GMT
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response
DNS

storage-cabinets.info

retln.exe

Remote address:

8.8.8.8:53

Request

storage-cabinets.info

IN A

Response

23.62.61.56:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.3kB
17
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

137.2kB
3.9MB
2844
2840

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239385734239_1FZK43O4G75P8OXYJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370639330_1D80T5H13WVAODNQ8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370639329_16GDTY03HO5SY2UBG&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

34.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

34.56.20.217.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

134 B
292 B
2
2

DNS Request

storage-cabinets.info

DNS Request

storage-cabinets.info
8.8.8.8:53

56.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

56.61.62.23.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

105.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

105.83.221.88.in-addr.arpa
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

123.10.44.20.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

123.10.44.20.in-addr.arpa
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

201 B
146 B
3
1

DNS Request

storage-cabinets.info

DNS Request

storage-cabinets.info

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info
8.8.8.8:53

storage-cabinets.info

dns

retln.exe

67 B
146 B
1
1

DNS Request

storage-cabinets.info

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\retln.exe

Filesize
43KB

MD5
68e89124a595ad021d51463dc0143434

SHA1
6e57d2d843ccf142f5ab542985fa6e1a12077a8c

SHA256
3475d71108b60b6c1103b5c08a7a60885eb4341d66091ed0e6cb7257b1865b50

SHA512
1d788f3968a8eb2f86003a9bfc1acaed6edcfcb6f27f2fcaeb89cd2420e421487a4ec65644561d7c318bfd36b14bddfd042cacacd1760b386846c20f3e1c8357

Download Submit
memory/2900-25-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/4160-0-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4160-8-0x0000000002150000-0x0000000002156000-memory.dmp

Filesize
24KB

Download
memory/4160-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.