Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 13:05 UTC

General

  • Target

    ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe

  • Size

    4.1MB

  • MD5

    26de1807603c9ecf46d5ef7374fb5af8

  • SHA1

    13b61aa8fb704da9ef5a78ddbb353c68c43871b9

  • SHA256

    ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2

  • SHA512

    00ae2ffd9a0814c73b646dc410cb1448e412199a1e0c75f3c32eb8461447f7f136d1eefbe8c54b9fa22231d5718f27c86be8d113c978398afc6d861ccdd433a5

  • SSDEEP

    98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmU5n9klRKN41v

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
    "C:\Users\Admin\AppData\Local\Temp\ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\AdobeC8\devdobec.exe
      C:\AdobeC8\devdobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2960

Network

Everything captured in the 124 s network window is consistent with background activity of the analysis VM rather than with the sample. The three HTTPS requests to g.bing.com carry the user-agent WindowsShellClient/9.0.40929.0, which is the Windows shell's own Start menu content client, and every other entry is either the A lookup for that host or a reverse (PTR) lookup of an address the VM had contacted. The report does not tie any flow to PID 2908 or 2960, and no connection to a name or address outside Microsoft, Google DNS and the Akamai reverse zones appears, so treat command-and-control behaviour as unobserved in this run rather than as absent.

  • DNS g.bing.com (resolver 8.8.8.8:53)
    Request
      g.bing.com IN A
    Response
      g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net IN A 204.79.197.237
      dual-a-0034.a-msedge.net IN A 13.107.21.237
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a121115895124c78b45ba9bef7b32c86&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= (remote address 204.79.197.237:443)
    Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a121115895124c78b45ba9bef7b32c86&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=0B887BC73AD46E6C18326F7E3B346F55; domain=.bing.com; expires=Tue, 05-Aug-2025 13:05:35 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 101F58D52B39449C81C68F311C579321 Ref B: LON04EDGE1115 Ref C: 2024-07-11T13:05:35Z
      date: Thu, 11 Jul 2024 13:05:35 GMT
  • GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a121115895124c78b45ba9bef7b32c86&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= (remote address 204.79.197.237:443)
    Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a121115895124c78b45ba9bef7b32c86&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0B887BC73AD46E6C18326F7E3B346F55
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=4W8GzcVdVETVEJtSDnjOaXIDJFbnvs5SLwAFdFLAjYc; domain=.bing.com; expires=Tue, 05-Aug-2025 13:05:35 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 70BBC6B61B9B4FD692C2C0BB02EA76FC Ref B: LON04EDGE1115 Ref C: 2024-07-11T13:05:35Z
      date: Thu, 11 Jul 2024 13:05:35 GMT
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a121115895124c78b45ba9bef7b32c86&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= (remote address 204.79.197.237:443)
    Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a121115895124c78b45ba9bef7b32c86&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0B887BC73AD46E6C18326F7E3B346F55; MSPTC=4W8GzcVdVETVEJtSDnjOaXIDJFbnvs5SLwAFdFLAjYc
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DBD4EA312642403E8EB2853EE6725080 Ref B: LON04EDGE1115 Ref C: 2024-07-11T13:05:35Z
      date: Thu, 11 Jul 2024 13:05:35 GMT
  • DNS 237.197.79.204.in-addr.arpa IN PTR (resolver 8.8.8.8:53): no answer
  • DNS 172.210.232.199.in-addr.arpa IN PTR (resolver 8.8.8.8:53): no answer
  • DNS 72.32.126.40.in-addr.arpa IN PTR (resolver 8.8.8.8:53): no answer
  • DNS 26.165.165.52.in-addr.arpa IN PTR (resolver 8.8.8.8:53): no answer
  • DNS 206.23.85.13.in-addr.arpa IN PTR (resolver 8.8.8.8:53): no answer
  • DNS 192.142.123.92.in-addr.arpa IN PTR (resolver 8.8.8.8:53)
    Response
      192.142.123.92.in-addr.arpa IN PTR a92-123-142-192.deploy.static.akamaitechnologies.com
  • DNS 203.142.123.92.in-addr.arpa IN PTR (resolver 8.8.8.8:53)
    Response
      203.142.123.92.in-addr.arpa IN PTR a92-123-142-203.deploy.static.akamaitechnologies.com
  • DNS 14.227.111.52.in-addr.arpa IN PTR (resolver 8.8.8.8:53): no answer
  Connection summary. Columns: remote address, request or name, protocol, bytes sent, bytes received, packets sent, packets received, result. The sent/received order is confirmed by the DNS rows: 56 B is exactly the on-wire size (IP and UDP headers included) of the A query for g.bing.com, and 73 B that of the PTR query for 237.197.79.204.in-addr.arpa.

  Remote address      Request / name                 Protocol    Sent   Received  Pkts sent  Pkts recv  Result
  204.79.197.237:443  g.bing.com /neg/0 (3 x GET)    tls, http2  2.0kB  9.3kB     22         19         HTTP 204 for all three (emptycreativeimpression, emptycreative, emptycreativeimpression)
  8.8.8.8:53          g.bing.com                     dns         56 B   151 B     1          1          A 204.79.197.237, 13.107.21.237
  8.8.8.8:53          237.197.79.204.in-addr.arpa    dns         73 B   143 B     1          1          PTR, no answer
  8.8.8.8:53          172.210.232.199.in-addr.arpa   dns         74 B   128 B     1          1          PTR, no answer
  8.8.8.8:53          72.32.126.40.in-addr.arpa      dns         71 B   157 B     1          1          PTR, no answer
  8.8.8.8:53          26.165.165.52.in-addr.arpa     dns         72 B   146 B     1          1          PTR, no answer
  8.8.8.8:53          206.23.85.13.in-addr.arpa      dns         71 B   145 B     1          1          PTR, no answer
  8.8.8.8:53          192.142.123.92.in-addr.arpa    dns         73 B   139 B     1          1          PTR a92-123-142-192.deploy.static.akamaitechnologies.com
  8.8.8.8:53          203.142.123.92.in-addr.arpa    dns         73 B   139 B     1          1          PTR a92-123-142-203.deploy.static.akamaitechnologies.com
  8.8.8.8:53          14.227.111.52.in-addr.arpa     dns         72 B   158 B     1          1          PTR, no answer

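The following is an added example and is not part of the sandbox report or its tooling: a small Python triage pass over the flows above, re-typed here as constructed records, that separates Windows background traffic and reverse lookups from anything that would need analyst attention, and turns the PTR query names back into the peer addresses the VM had contacted. The record layout, the rule names and the extra TEST-NET flow used to show a hit are my own assumptions; the User-Agent rule encodes the fact that WindowsShellClient is a Windows component's own client, not a browser.

```python
"""
Triage of a sandbox network log: which recorded flows could belong to the
sample and which are background noise of the analysis VM?  Added example,
not part of the report.  The events below are CONSTRUCTED from the report's
Network section plus one made-up flow to a TEST-NET address.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NetEvent:
    proto: str                        # "dns" or "http"
    remote: str                       # ip:port the VM talked to
    name: str                         # DNS name queried, or HTTP host
    qtype: Optional[str] = None       # DNS record type (A, PTR, ...)
    user_agent: Optional[str] = None  # HTTP User-Agent, if any
    answers: list = field(default_factory=list)


# User-Agent prefixes that Windows components send on their own; the report's
# WindowsShellClient/9.0.40929.0 is the Start menu content client.
OS_BACKGROUND_UA = ("WindowsShellClient/",)

SHELL_UA = "WindowsShellClient/9.0.40929.0 (Windows)"

# Constructed from the report: one A lookup, three HTTPS requests, eight PTR lookups.
REPORT_EVENTS = [
    NetEvent("dns", "8.8.8.8:53", "g.bing.com", qtype="A",
             answers=["204.79.197.237", "13.107.21.237"]),
    NetEvent("http", "204.79.197.237:443", "g.bing.com", user_agent=SHELL_UA),
    NetEvent("http", "204.79.197.237:443", "g.bing.com", user_agent=SHELL_UA),
    NetEvent("http", "204.79.197.237:443", "g.bing.com", user_agent=SHELL_UA),
] + [
    NetEvent("dns", "8.8.8.8:53", f"{rev}.in-addr.arpa", qtype="PTR")
    for rev in ("237.197.79.204", "172.210.232.199", "72.32.126.40", "26.165.165.52",
                "206.23.85.13", "192.142.123.92", "203.142.123.92", "14.227.111.52")
]

# Made-up flow (RFC 5737 TEST-NET address, reserved .example name) to show what a hit looks like.
EXTRA_EVENT = NetEvent("http", "203.0.113.10:80", "placeholder.example",
                       user_agent="Mozilla/4.0 (compatible)")


def _is_os_background(e: NetEvent) -> bool:
    return e.proto == "http" and bool(e.user_agent) and e.user_agent.startswith(OS_BACKGROUND_UA)


def classify(events):
    """Bucket events into:
       os-background   HTTP sent under a Windows component's own User-Agent
       reverse-lookup  PTR query; cannot be tied to the sample from this record alone
       resolution      forward query for a host only ever used by background HTTP
       review          everything else: candidate sample traffic
    """
    background_hosts = {e.name for e in events if _is_os_background(e)}
    reviewed_hosts = {e.name for e in events if e.proto == "http"} - background_hosts
    out = {"os-background": [], "reverse-lookup": [], "resolution": [], "review": []}
    for e in events:
        if _is_os_background(e):
            out["os-background"].append(e)
        elif e.proto == "dns" and e.qtype == "PTR":
            out["reverse-lookup"].append(e)
        elif e.proto == "dns" and e.name in background_hosts and e.name not in reviewed_hosts:
            out["resolution"].append(e)
        else:
            out["review"].append(e)
    return out


def needs_review(events):
    """Only the flows an analyst still has to look at."""
    return classify(events)["review"]


def ptr_targets(events):
    """Recover the IPv4 addresses behind PTR query names: these are peers the VM
    contacted even though no flow to them appears in the log."""
    ips = []
    for e in events:
        if e.proto == "dns" and e.qtype == "PTR" and e.name.endswith(".in-addr.arpa"):
            octets = e.name[: -len(".in-addr.arpa")].split(".")
            ips.append(".".join(reversed(octets)))
    return ips


if __name__ == "__main__":
    for label, evs in classify(REPORT_EVENTS).items():
        print(f"{label:15s} {len(evs)}")
    print("peers seen only via PTR:", ", ".join(ptr_targets(REPORT_EVENTS)))
    print("needs review:", needs_review(REPORT_EVENTS + [EXTRA_EVENT]))
```

Run against the report's own flows, `needs_review` returns nothing and `ptr_targets` yields 204.79.197.237, 199.232.210.172, 40.126.32.72, 52.165.165.26, 13.85.23.206, 92.123.142.192, 92.123.142.203 and 52.111.227.14; only the constructed TEST-NET flow lands in the review bucket. The classifier deliberately says "cannot be attributed" rather than "benign" for PTR lookups, because the log carries no process context.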
MITRE ATT&CK Enterprise v15


Downloads

Files written during the run. C:\AdobeC8\devdobec.exe is the child process in the tree above; it has the same 4.1MB size as the submitted sample but a different hash, so it is not a byte-for-byte copy. C:\LabZO9\optidevloc.exe was written but never appears in the process tree, and the 207-byte .ini under the user profile is a data file.

  • C:\AdobeC8\devdobec.exe

    Filesize

    4.1MB

    MD5

    9c6dbe8a37ab2e4ef49111a81295fc80

    SHA1

    b58668e9d010dc990b843f1d7c3a28661a185bc0

    SHA256

    8c2ceb0fb4b11a47098cddaadaa8e4c8fa39cfefff9a5d79038769fe5fc7d6ff

    SHA512

    265f9cef6a2acb7229c611e2263bf490cdcdaaee08dd641fc4dd712034613441e604509e2ff47630752cf6525790a04c65fc75b9959174f9017e5a64d69b95d9

  • C:\LabZO9\optidevloc.exe

    Filesize

    9KB

    MD5

    dec283c266688d0fa2769bbd6fb2d763

    SHA1

    7ad1c80a070342902df56cac61a926164de382a5

    SHA256

    9962cfc1c28d595d3aaebeb56d7674acd4ccd8ff7f5d9b47cc24abe3ba97adac

    SHA512

    0862767012c22b3f8b4124353aa3e5f2178a86b11016336b7f57cf5ae5358039f4514319047e58c3b111047e1c0ae3985a57242ad2210a172b1c11acf8f254a8

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    afd15cb9e26ce94ff5c1ae02de9f8bb3

    SHA1

    1c94d43ef09a8ee84eef77045b3bd859afbc0b53

    SHA256

    ab1aeaf28a167c15bd764fb985497eee542996f31d4c5cde5b8fd87047de0799

    SHA512

    3b87c0ee1137fb323ef4195d92ab4b4796791d7c538a4429ac824cf19305ad2fa5e167c01bc258a3041f7a843dfe3271b9b80270ae308aea11ad8a4bbdaa2032
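As an added example (not part of the report), the following Python hunt script takes the indicators above, the dropped-file hashes and the two directories the sample created under C:\, and checks a host for them. The report flags a Run key but does not print its value, so the Run-key matcher keys on the dropped paths instead; the Run-key entries embedded here are constructed stand-ins for `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output, and their value names are made up.

```python
"""
Host hunt for the indicators in this report.  Added example, not part of
the sandbox output: SHA256 values and paths are copied from the report,
the Run-key entries are CONSTRUCTED, and the function names are my own.
"""
import hashlib
import re
from pathlib import Path

# SHA256 of the submitted sample and of each file the report lists as written.
REPORT_SHA256 = {
    "ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2": "submitted sample",
    "8c2ceb0fb4b11a47098cddaadaa8e4c8fa39cfefff9a5d79038769fe5fc7d6ff": "C:\\AdobeC8\\devdobec.exe",
    "9962cfc1c28d595d3aaebeb56d7674acd4ccd8ff7f5d9b47cc24abe3ba97adac": "C:\\LabZO9\\optidevloc.exe",
    "ab1aeaf28a167c15bd764fb985497eee542996f31d4c5cde5b8fd87047de0799": "C:\\Users\\Admin\\253086396416_10.0_Admin.ini",
}

# Directories the sample created directly under C:\ and the executables it wrote there.
IOC_DIRS = ("c:\\adobec8\\", "c:\\labzo9\\")
IOC_NAMES = ("devdobec.exe", "optidevloc.exe")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a 4 MB binary never has to sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def label_for_hash(digest: str):
    """Report label for a known digest (case-insensitive), or None if unknown."""
    return REPORT_SHA256.get(digest.lower())


def image_path_from_command(command: str) -> str:
    """Extract the executable path from a Run-key command line.

    Handles quoted ("C:\\x\\y.exe" /arg) and unquoted (C:\\x\\y.exe /arg) forms,
    including unquoted paths containing spaces; anything without a .exe is
    returned unchanged.  Result is lower-cased for comparison.
    """
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.IGNORECASE)
    return (m.group(1) if m else command).strip().lower()


def run_key_hits(entries):
    """Return (hive, value_name, image) for Run-key entries whose image sits in an
    IoC directory or carries an IoC file name.  `entries` are (hive, name, command)."""
    hits = []
    for hive, name, command in entries:
        image = image_path_from_command(command)
        if image.startswith(IOC_DIRS) or image.rsplit("\\", 1)[-1] in IOC_NAMES:
            hits.append((hive, name, image))
    return hits


def scan_tree(root: Path):
    """Hash every file under `root`; return (path, label) for files matching a report hash."""
    matches = []
    for p in root.rglob("*"):
        if p.is_file():
            label = label_for_hash(sha256_file(p))
            if label:
                matches.append((str(p), label))
    return matches


# CONSTRUCTED Run-key entries (value names made up): one benign, two pointing
# into the directories the sample created, one quoted and one unquoted.
SAMPLE_RUN_ENTRIES = [
    ("HKCU", "OneDrive",
     '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKCU", "made-up-name-1", '"C:\\AdobeC8\\devdobec.exe"'),
    ("HKLM", "made-up-name-2", "C:\\LabZO9\\optidevloc.exe -s"),
]

if __name__ == "__main__":
    for hive, name, image in run_key_hits(SAMPLE_RUN_ENTRIES):
        print(f"[RUN KEY] {hive}\\...\\Run\\{name} -> {image}")
    for root in (Path("C:\\AdobeC8"), Path("C:\\LabZO9")):
        if root.is_dir():
            for path, label in scan_tree(root):
                print(f"[HASH] {path} matches report entry: {label}")
```

On the constructed entries the matcher flags the two entries pointing into C:\AdobeC8 and C:\LabZO9 and ignores the OneDrive one; on a real host, feed it the parsed `reg query` output for both HKCU and HKLM Run keys and point `scan_tree` at the two directories. Hash matching only catches exact copies, so a directory hit with a non-matching hash is still worth pulling.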
