36002fb92e38a01f7471fb0e2e2e8d4573dc04c8fe7ee75c65540762dad0d2d4

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 16:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uranium-235.exe
Size

1.5MB
MD5

9b9db745ae002a2ae05a43f60dc5898d
SHA1

e29aba2000e05bb20d972661a45623d928e3239c
SHA256

36002fb92e38a01f7471fb0e2e2e8d4573dc04c8fe7ee75c65540762dad0d2d4
SHA512

c6a51ffe6d6169d30c584c630bf4016d7055ec240a724517750f5e4b209dad62ca22a003b5d9e8805bff6134574d9f81ba8c29aadb27e27b2fab198409648024
SSDEEP

24576:84nXu/QSDTV+Bnvu8tJgbxkDq1SvYlVyi6wp79tUkMDmbsgBnK3HJAMmJsDEyX:8qeNVfXYYqi6e79tUkM4sgBnKXJA/y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	Uranium-235.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uranium Security.lnk	Uranium-235.tmp

Executes dropped EXE 2 IoCs

pid	Process
2464	Uranium-235.tmp
952	Uranium-235.tmp

Loads dropped DLL 2 IoCs

pid	Process
2464	Uranium-235.tmp
952	Uranium-235.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	Uranium-235.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2464	4032	Uranium-235.exe	83
PID 4032 wrote to memory of 2464	4032	Uranium-235.exe	83
PID 4032 wrote to memory of 2464	4032	Uranium-235.exe	83
PID 2464 wrote to memory of 2300	2464	Uranium-235.tmp	86
PID 2464 wrote to memory of 2300	2464	Uranium-235.tmp	86
PID 2464 wrote to memory of 2300	2464	Uranium-235.tmp	86
PID 2300 wrote to memory of 952	2300	Uranium-235.exe	87
PID 2300 wrote to memory of 952	2300	Uranium-235.exe	87
PID 2300 wrote to memory of 952	2300	Uranium-235.exe	87

C:\Users\Admin\AppData\Local\Temp\Uranium-235.exe
"C:\Users\Admin\AppData\Local\Temp\Uranium-235.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\is-HD1CJ.tmp\Uranium-235.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HD1CJ.tmp\Uranium-235.tmp" /SL5="$501A2,870144,780800,C:\Users\Admin\AppData\Local\Temp\Uranium-235.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\Uranium-235.exe
    "C:\Users\Admin\AppData\Local\Temp\Uranium-235.exe" /verysilent /sp-
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\is-FNI7Q.tmp\Uranium-235.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FNI7Q.tmp\Uranium-235.tmp" /SL5="$7006C,870144,780800,C:\Users\Admin\AppData\Local\Temp\Uranium-235.exe" /verysilent /sp-
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:952

Network

DNS

ircftp.net

Uranium-235.tmp

Remote address:

8.8.8.8:53

Request

ircftp.net

IN A

Response

ircftp.net

IN A

103.233.0.127
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
HEAD

http://ircftp.net/avatar.jpg

Uranium-235.tmp

Remote address:

103.233.0.127:80

Request

HEAD /avatar.jpg HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: ircftp.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 14 Jun 2024 16:28:11 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
HEAD

http://ircftp.net/image.png

Uranium-235.tmp

Remote address:

103.233.0.127:80

Request

HEAD /image.png HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: ircftp.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Date: Fri, 14 Jun 2024 16:28:11 GMT
Server: Apache
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://ircftp.net/avatar.jpg

Uranium-235.tmp

Remote address:

103.233.0.127:80

Request

GET /avatar.jpg HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: ircftp.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Fri, 14 Jun 2024 16:28:12 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=38FCAA3F1ED464AC3721BEA11F346533; domain=.bing.com; expires=Wed, 09-Jul-2025 16:28:13 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 20060C2CB8754D59BA3F450498884784 Ref B: LON04EDGE1120 Ref C: 2024-06-14T16:28:13Z
date: Fri, 14 Jun 2024 16:28:13 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=38FCAA3F1ED464AC3721BEA11F346533; _EDGE_S=SID=3B30688A10C068690D777C1411AC69F2

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=A2wiDmpK9X-PoOxizif2pQdO0N7e9Hf896MtE9C-AMQ; domain=.bing.com; expires=Wed, 09-Jul-2025 16:28:14 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F6D4D7F3FF7346A6A59BFEDFCBCA6F2F Ref B: LON04EDGE1120 Ref C: 2024-06-14T16:28:14Z
date: Fri, 14 Jun 2024 16:28:14 GMT
GET

https://www.bing.com/aes/c.gif?RG=d6c91105aaf24b3a8dfd1ae74953144d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T221015Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525

Remote address:

23.62.61.97:443

Request

GET /aes/c.gif?RG=d6c91105aaf24b3a8dfd1ae74953144d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T221015Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=38FCAA3F1ED464AC3721BEA11F346533

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 37F521E526C14840A1F5D943AD05EDE5 Ref B: BRU30EDGE0514 Ref C: 2024-06-14T16:28:13Z
content-length: 0
date: Fri, 14 Jun 2024 16:28:14 GMT
set-cookie: _EDGE_S=SID=3B30688A10C068690D777C1411AC69F2; path=/; httponly; domain=bing.com
set-cookie: MUIDB=38FCAA3F1ED464AC3721BEA11F346533; path=/; httponly; expires=Wed, 09-Jul-2025 16:28:14 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1718382493.83f2ce9
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

127.0.233.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.0.233.103.in-addr.arpa

IN PTR

Response

127.0.233.103.in-addr.arpa

IN PTR

vpsirccommy
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response

103.233.0.127:80

http://ircftp.net/avatar.jpg

http

Uranium-235.tmp

835 B
1.1kB
9
5

HTTP Request

HEAD http://ircftp.net/avatar.jpg

HTTP Response

404

HTTP Request

HEAD http://ircftp.net/image.png

HTTP Response

403

HTTP Request

GET http://ircftp.net/avatar.jpg

HTTP Response

404
13.107.21.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8Bs7BwPu51HaEkKno6goztjVUCUzwp0kt-l_CUtMCgg5MSfGKcDoKSIsiNCnjvmvCC4Q9CAJX7KaJGkiLgdyPlLN918cvM1pKFQkKItUTibS3clMN91OqrYBXJby38RLFsk1Vkth9YllLAdcA7RIxnzl0Oicm0epLiAgnzPXLe0Q8G-Fc%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC0zNjUtYmFzaWMtZmFxcyUzZk9DSUQlM2RjbW1sdWMyOWxxOQ%26rlid%3D6055d261ec8c1944fcf7b40927a4c9c8&TIME=20240611T221015Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&muid=12D800F85EB4CAF16CA7FE64B9B0CF8B

HTTP Response

204
23.62.61.97:443

https://www.bing.com/aes/c.gif?RG=d6c91105aaf24b3a8dfd1ae74953144d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T221015Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=d6c91105aaf24b3a8dfd1ae74953144d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T221015Z&adUnitId=11730597&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525

HTTP Response

200

8.8.8.8:53

ircftp.net

dns

Uranium-235.tmp

56 B
72 B
1
1

DNS Request

ircftp.net

DNS Response

103.233.0.127
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

127.0.233.103.in-addr.arpa

dns

72 B
100 B
1
1

DNS Request

127.0.233.103.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HD1CJ.tmp\Uranium-235.tmp

Filesize
2.5MB

MD5
89ee4bb1aa0c781baddb9007ad753af3

SHA1
3e6fd6adb92667c6b509bff6bd7e2d491f623d29

SHA256
79bac4c27a7c10dc14db471b09ce1e528ef2df3c249ef0b25b4090d4ba9bd20e

SHA512
dc8032bf7314b552bacf886c28e8d623bacee5e4967e59269179d4b9bf67a90d79883b01a4cbb2b0624a37f54feea5a836aa5f875566f59d2b15f15935811b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JPA3J.tmp\idp.dll

Filesize
228KB

MD5
9a83f220bf8ca569e3cfa654539a47a4

SHA1
9d1fb7087c12512d5f66d9d75f2fbae8e1196544

SHA256
b1c4c9b2dd6a40974fa8789b218b52d967f5ccd1b47e95b4f6bda4b6ce864d0d

SHA512
9b6460aca9720a4762a28e78a0e5f3e7358f73383926caf7f4a071e66c79f1032abd131432387f108de27894c147e2f34f01b094b6688826ce78f007d9dafbc5

Download Submit
memory/952-23-0x00007FFC573B0000-0x00007FFC575A5000-memory.dmp

Filesize
2.0MB

Download
memory/952-35-0x00007FFC573B0000-0x00007FFC575A5000-memory.dmp

Filesize
2.0MB

Download
memory/952-34-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2300-16-0x00007FFC573B0000-0x00007FFC575A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-14-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2300-37-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2464-17-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2464-6-0x00007FFC573B0000-0x00007FFC575A5000-memory.dmp

Filesize
2.0MB

Download
memory/4032-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4032-19-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4032-2-0x00007FFC573B0000-0x00007FFC575A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.