Overview

overview

10

Static

static

3

241fc92010...0N.exe

windows7-x64

10

241fc92010...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/08/2024, 00:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    241fc92010656375a2457ba4428b31e0N.exe

  • Size

    91KB

  • MD5

    241fc92010656375a2457ba4428b31e0

  • SHA1

    ef39db03d0880f5860e5cb33071eeda755018405

  • SHA256

    391f2de6b0d739e93649703e08bd8aa5489eacff99789c903633fa24a97c746b

  • SHA512

    9701eef800338ee2edc68109069ae0fe8ba554860e1375ec697a997dee320c8d1539f45e4eae44a7ddd852eb05d2c9fdcd9f291dbd53bc58f25c8b4223da3538

  • SSDEEP

    1536:4aiqH1s+kCtrA2UMT0mTFibDKa1Xk+SezSOY6Ukg2dTtzy:51B31bdBob2QXbSezI6UPl

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 43 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\241fc92010656375a2457ba4428b31e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\241fc92010656375a2457ba4428b31e0N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:3224

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3A5AE1E9BD7D6C83264AF539BC9D6DFA; domain=.bing.com; expires=Thu, 28-Aug-2025 00:27:09 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FD8C548DBF544566AEB5F7C0BF52AFE2 Ref B: LON04EDGE1215 Ref C: 2024-08-03T00:27:09Z
    date: Sat, 03 Aug 2024 00:27:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3A5AE1E9BD7D6C83264AF539BC9D6DFA
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=8cHflpPP8ArsxycK1wtG2sJY-cJcjRS1hTxP6EUtn4w; domain=.bing.com; expires=Thu, 28-Aug-2025 00:27:09 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EEA296902A9B4832A7F30BA23EE1CEF4 Ref B: LON04EDGE1215 Ref C: 2024-08-03T00:27:09Z
    date: Sat, 03 Aug 2024 00:27:08 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3A5AE1E9BD7D6C83264AF539BC9D6DFA; MSPTC=8cHflpPP8ArsxycK1wtG2sJY-cJcjRS1hTxP6EUtn4w
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2C8E87EAB25C4334BB93B491658C8E86 Ref B: LON04EDGE1215 Ref C: 2024-08-03T00:27:09Z
    date: Sat, 03 Aug 2024 00:27:09 GMT
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 836390
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: DC54D25655AA469AA244530AC067EB0B Ref B: LON04EDGE0911 Ref C: 2024-08-03T00:27:09Z
    date: Sat, 03 Aug 2024 00:27:09 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=
    tls, http2
    2.0kB
     9.3kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1ae2573ac72b47fabc0413cbc8df7d2d&localId=w:E1FD06B2-9179-2377-8934-278C10EE140A&deviceId=6896205358121058&anid=

    HTTP Response

    204
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    31.6kB
     871.5kB
     637
    633

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     170 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
    Filesize

    930KB

    MD5

    41e68af1212e06985e13f287ffb0aa47

    SHA1

    9eac9f884e328daefd135ec1a6ec39a64f766a1f

    SHA256

    b640c539ce1831b85365338b2c5076c43469d503caf6e429ec1d1e9566d7d0f6

    SHA512

    c7fc36e1cdbb6de9cbc3ce6c7637fb66a63da5bf5cb9a87eed4da7401750be89993b7cc5e5d1290a038d4551e2a478bd74c8d2f54efe4cb3ee08119aebe78869

    Download Submit

  • memory/3224-19-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-20-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-21-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-22-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-23-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-24-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-25-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-26-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-27-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-30-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3224-31-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.