Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2024, 05:00 UTC

General

  • Target

    e9385906cc5aea7fd5b55ae0aeaeeddde3a600271218d914f6486395bcb5a6e5.exe

  • Size

    47KB

  • MD5

    c0ae79c9ad6d34f4097303c53db409ae

  • SHA1

    9845e0a1be0ccd9bd6b47ae58df07ee4a1ef465d

  • SHA256

    e9385906cc5aea7fd5b55ae0aeaeeddde3a600271218d914f6486395bcb5a6e5

  • SHA512

    17ffbfc20cc744cd28624649e74f09de290dabc05d5b03a988aeac5a335bc36aaa3ec707fb0a2c5cfbccfaf9af1663ceb0e52adf0191fd20d702222a768e8fb8

  • SSDEEP

    768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0ifxRfxSqAJPqAJz:W7ZppApBULcfpHLcfpX2/Nw/Nw8fxRfG

Score
9/10

Malware Config

Signatures

  • Renames multiple (5250) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9385906cc5aea7fd5b55ae0aeaeeddde3a600271218d914f6486395bcb5a6e5.exe
    "C:\Users\Admin\AppData\Local\Temp\e9385906cc5aea7fd5b55ae0aeaeeddde3a600271218d914f6486395bcb5a6e5.exe"
    1⤵
    • Drops file in Program Files directory
    PID:2052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,7761714625659357865,10802238739796857379,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
    1⤵
      PID:1824

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      72.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
    • flag-us
      DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
      Response
      73.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-73deploystaticakamaitechnologiescom
    • flag-us
      DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2E58D17B154C63163ED0C5CE14F762DC; domain=.bing.com; expires=Fri, 01-Aug-2025 05:00:40 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 3C448931DA3F41799B29748AB4C809B8 Ref B: LON04EDGE0812 Ref C: 2024-07-07T05:00:40Z
      date: Sun, 07 Jul 2024 05:00:40 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2E58D17B154C63163ED0C5CE14F762DC
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=7YAwHXb-ShKC8-To5Ajte5WM7kFLZJB5EoV-mmeww2w; domain=.bing.com; expires=Fri, 01-Aug-2025 05:00:40 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E17DC2DB467C44848320D8764EA75239 Ref B: LON04EDGE0812 Ref C: 2024-07-07T05:00:40Z
      date: Sun, 07 Jul 2024 05:00:40 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2E58D17B154C63163ED0C5CE14F762DC; MSPTC=7YAwHXb-ShKC8-To5Ajte5WM7kFLZJB5EoV-mmeww2w
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C0FD29C196014552B005974476F867D9 Ref B: LON04EDGE0812 Ref C: 2024-07-07T05:00:40Z
      date: Sun, 07 Jul 2024 05:00:40 GMT
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81deploystaticakamaitechnologiescom
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=
      tls, http2
      2.0kB
      9.3kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=647fb8e76d164f7480cc6351d266fb2c&localId=w:D38C274E-50B6-6B58-0A76-BFA85A08D09D&deviceId=6896204025917092&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      72.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      72.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      112 B
      151 B
      2
      1

      DNS Request

      g.bing.com

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      73.144.22.2.in-addr.arpa
      dns
      140 B
      133 B
      2
      1

      DNS Request

      73.144.22.2.in-addr.arpa

      DNS Request

      73.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-661257284-3186977026-4220467887-1000\desktop.ini.tmp

      Filesize

      48KB

      MD5

      76fb93b09445a797351afb37b63940e5

      SHA1

      17bb04274818f43d0a752d11a326f914b80d398e

      SHA256

      12b8284bb6d346982cfd37218c545fc6589582512cda7b2dbb7f9a5b98d17d60

      SHA512

      fa92b783927b4bf73b459ae0a485d0059b30cb96b68ef50a085c52cba9ff60eadbeae33bc733134c58d5ecebfd5ff7aa76c305c9e101159e81b17cf16354c50c

    • C:\Program Files\7-Zip\7-zip.chm.tmp

      Filesize

      160KB

      MD5

      d941883a11cf665beee9b71a7cb8a9bb

      SHA1

      2fcfb512a2356b38f534807bb0432cce79a44b00

      SHA256

      79aa5e74429d10fd399f446dd10895d397a8986d4db8ee8fca69588429d32f55

      SHA512

      a0671c7a27d14372968a6d013ad92e6eec810a7d54600f61d8b685124a650cd8ee695ce2d77fa0e00c13c2677ab798e3f4faa4ef42850814b6e10a55f432e510

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.