384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 00:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Size

12KB
MD5

4edb786a77b0bab6829d8a6b570d60f0
SHA1

11f5d60f4acc562fcf145d9886cdcbd8539885a2
SHA256

384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b
SHA512

45230eee011f32f75ff775c83d92a219ac9576567e3254fc479385ec121dbd0caca1f04648dd7c5ff5def568971f97c38cfc328fd5074f98f9bd91ae3cdc3805
SSDEEP

384:GL7li/2zNq2DcEQvdQcJKLTp/NK9xaPA:g9MCQ9cPA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
5032	tmp40C3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	tmp40C3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4740	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	87
PID 2104 wrote to memory of 4740	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	87
PID 2104 wrote to memory of 4740	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	87
PID 4740 wrote to memory of 5008	4740	vbc.exe	89
PID 4740 wrote to memory of 5008	4740	vbc.exe	89
PID 4740 wrote to memory of 5008	4740	vbc.exe	89
PID 2104 wrote to memory of 5032	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	90
PID 2104 wrote to memory of 5032	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	90
PID 2104 wrote to memory of 5032	2104	4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DF3EAC966BC428DB02DC1725244492.TMP"
    3⤵
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5032

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=045209D68B3968B13AF21D4B8AD96932; domain=.bing.com; expires=Tue, 08-Jul-2025 00:07:44 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E82607AF7EBE4C1EA77767AA2FE25E46 Ref B: LON04EDGE1014 Ref C: 2024-06-13T00:07:44Z
date: Thu, 13 Jun 2024 00:07:43 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=045209D68B3968B13AF21D4B8AD96932; _EDGE_S=SID=0024E734EF4E6059048EF3A9EEED6160

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=7-wjwSM9SwxCitap7UI9dO2-aKkOr98LerAtFYvL87c; domain=.bing.com; expires=Tue, 08-Jul-2025 00:07:45 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B2146CBA1D974425ADC1849B0EBB1B09 Ref B: LON04EDGE1014 Ref C: 2024-06-13T00:07:44Z
date: Thu, 13 Jun 2024 00:07:44 GMT
GET

https://www.bing.com/aes/c.gif?RG=b339c1dbe8d549faae3685c7ad5a8b74&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194541Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

Remote address:

23.62.61.194:443

Request

GET /aes/c.gif?RG=b339c1dbe8d549faae3685c7ad5a8b74&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194541Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=045209D68B3968B13AF21D4B8AD96932

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B16ABA7260CB417F96BAD88689CD74B8 Ref B: AMS04EDGE1620 Ref C: 2024-06-13T00:07:44Z
content-length: 0
date: Thu, 13 Jun 2024 00:07:44 GMT
set-cookie: _EDGE_S=SID=0024E734EF4E6059048EF3A9EEED6160; path=/; httponly; domain=bing.com
set-cookie: MUIDB=045209D68B3968B13AF21D4B8AD96932; path=/; httponly; expires=Tue, 08-Jul-2025 00:07:44 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1718237264.811224
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

91.90.14.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.90.14.23.in-addr.arpa

IN PTR

Response

91.90.14.23.in-addr.arpa

IN PTR

a23-14-90-91deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

Remote address:

23.62.61.194:443

Request

GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=045209D68B3968B13AF21D4B8AD96932; _EDGE_S=SID=0024E734EF4E6059048EF3A9EEED6160; MUIDB=045209D68B3968B13AF21D4B8AD96932
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 5773
date: Thu, 13 Jun 2024 00:07:45 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1718237265.811386
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

tls, http2

2.6kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De844484JN8pnJK9DHZ5jb9czVUCUyt4HjTkzgn2rp3m91H2h9p6qAZZCjUcsJIFjTK1INPwmqbVcomDDMu_2uq77RCGBqrOWCZoXR5rTtLRUz3ZppjpwO2TBU7XHVkSOkJViIRX-XFoiXm4MmRWBlLDx3g7X3BvqIPEzTzR5HLkFWSYPkw%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZhY3RpdmV0YWIlM2R0YWJzJTNhZmFxaGVhZGVycmVnaW9uMyUyNk9DSUQlM2RjbW01dndjam93ag%26rlid%3D96604a7c6744153f3d2f2c14ce61e77c&TIME=20240611T194541Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373&muid=57578D2216C305ECD49867D03367A2A2

HTTP Response

204
23.62.61.194:443

https://www.bing.com/aes/c.gif?RG=b339c1dbe8d549faae3685c7ad5a8b74&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194541Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=b339c1dbe8d549faae3685c7ad5a8b74&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194541Z&adUnitId=11730597&localId=w:57578D22-16C3-05EC-D498-67D03367A2A2&deviceId=6755470482742373

HTTP Response

200
23.62.61.194:443

https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

tls, http2

1.7kB
11.2kB
21
16

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

91.90.14.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

91.90.14.23.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7665274363a0be54977172a3009859ed

SHA1
a56cdcd8bf95094f4bd0da74a600a9ae75d198bf

SHA256
3f8067875728b43b5b6325920d67c59a8228d309208851e1ef9d928ef4cd1243

SHA512
610821b24b1a68874563bcd997b9bec2811d6fdbede2cb86f773da142ccc14c30294f52c9a74c3e5c06f259a22189831388a2496507fc32ab4e043de13b3d1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp

Filesize
1KB

MD5
e36c597863214be11400dd6cfed8e53e

SHA1
d2d2e1f059c52ae85ced5f6633b98cf23263c425

SHA256
548ba3ac7f217ef845d7271f30532a2971e6c6be8feff7f455ee63bae1e8492d

SHA512
dd00600f4459e3a5ebec3ca85da88620cc9777958804630586719a469c0377fd31563f5558081966747aec6b0830ac4f70377a5b06265d047c317ee4d7b612e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.0.vb

Filesize
2KB

MD5
583d0003540c746f3a0bdf53d7165256

SHA1
ffe6abe3906c630b7e4c2bdacab8665b2d7fa97e

SHA256
f0355d615a41ed84cdc8f72a395038c1c4da76f4aa47a8df29f2cdd8384c3a53

SHA512
5e6ed0d1744c10ba499c40eb05741b1aae7d2a8ed4abd1a2251fa78a1da8f36ebf37df9d72ebfc8f55e6d2764403ce9e22d4e5179366d920071eddb4c112612f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.cmdline

Filesize
273B

MD5
774c32d1e6b8b3f39717effe472f40c4

SHA1
f629990c03921a7aa7dfa1c651abc85aa9134c3d

SHA256
5b77c56ccef6dfa0964c5d5646d32f5a0e2aeaf57fc3dcce3f1c9007d6d4e0d5

SHA512
e5cbc45e29381131b39c54621ca88a8fe415ff8876b895390ee698cd89566e7ceb305991009b5400088e56cdbb260cc7d0d80a51206a647a0478a4af00561e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe

Filesize
12KB

MD5
3f2bcd0db5c4d81f345be3550755631b

SHA1
eaca9621df5045e0eaf762f6431111ae7a3d443f

SHA256
2fbf14d82e3bf6660f69f1b6434a14fe8fabc0294abee395707b3c0314fef864

SHA512
350c2a1d79bf33adf6f1d0d9c3c7dd4f18ff0c66f179db739915785f90b831255e416631bf3b6308fed5f3ed7cf08402fb0629d5423e60b8cb4c5e8433e8de90

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5DF3EAC966BC428DB02DC1725244492.TMP

Filesize
1KB

MD5
90b063e776c8f8555c2d9d0523bc6d7f

SHA1
d4e4a53425e27b47389465d437b23db4b487ae2a

SHA256
9c3b9987f24ed16543b52cf2b5c41bbb47a57db7954b901b688518abe30cc89b

SHA512
72a7bde739a8e974dec6e71bc1d1f53ca5145b438918a29e24d7a01bd04958d928a8b92c6e9497914ca93a7bb6aa822d9382aaf18c3dd9a1e19a5eb46af84e0b

Download Submit
memory/2104-8-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2104-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/2104-2-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/2104-1-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2104-24-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5032-25-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5032-26-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/5032-27-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/5032-28-0x00000000049E0000-0x0000000004A72000-memory.dmp

Filesize
584KB

Download
memory/5032-30-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.