Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    2024-08-05, 13:00 UTC

General

  • Target

    PI24000032.exe

  • Size

    1.2MB

  • MD5

    4ea21bce2e927e066bd726b8d38a2adc

  • SHA1

    a4d7a0820e72d4cdd3e0d882593c69983ad6e043

  • SHA256

    9c2a88e6231afc32955d617333a563b8961175a3ea9f01a97140aa6707ef7272

  • SHA512

    4c3016090b9f917c929b4c08f62cbb923eec32ae06f6ba42a4323f98c8dfedbf38e675c1787d752ad0f03cde72e01c47d15000200a08dc34d7729403bac5b1ac

  • SSDEEP

    24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8av0NzEdqf3LyFPQ7leIJ:5TvC/MTQYxsWR7av0NwQf3L6Y7le

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location (commonly used as a kill switch for particular locales).

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI24000032.exe
    "C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
      PID:4044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192
        • Program crash
        PID:3800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044
    PID:312
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
    PID:944

  Reading the tree: svchost.exe (PID 4044) is a child of the sample, started from SysWOW64 (the redirected path a 32-bit parent gets), and its recorded command line is the sample's own path rather than the usual svchost.exe -k <group> form. Combined with the parent's SetThreadContext, WriteProcessMemory and MapViewOfSection activity, that is the signature of process hollowing: a host process created suspended, its image replaced, its main thread's context rewritten and then resumed. The hollowed process crashed (WerFault.exe -u -p 4044, PID 3800), so whatever was injected did not run to completion in this environment. WerFault.exe PID 312 is Windows Error Reporting's second-stage handler for the same crash (it references PID 4044), and the msedge.exe utility process (PID 944) is not spawned by the sample.
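        The image-versus-command-line mismatch visible in the tree above (svchost.exe carrying the dropper's own command line) is a cheap, high-signal hunt for process hollowing in process-creation telemetry. The following is an added example written for this page, not code from the sandbox vendor or the sample; the event records are constructed to mirror the report's tree, and the parent PIDs of the top-level entries are assumed.

```python
"""Flag process-creation events whose recorded command line names a different
executable than the image that was actually mapped (process-hollowing indicator)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon EID 1 / EDR telemetry expose)."""
    pid: int
    ppid: int
    image: str      # path of the executable the kernel actually mapped
    cmdline: str    # command line as stored in the new process's PEB


def cmdline_image(cmdline: str) -> str:
    """Return the program token (argv[0]) of a Windows command line.

    A quoted token runs to the closing quote; an unquoted one ends at whitespace.
    """
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def exe_stem(path: str) -> str:
    """Lower-case file name without directory or trailing .exe, so that
    'cmd' and 'C:\\Windows\\System32\\cmd.exe' compare equal."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_hollowing_candidate(ev: ProcEvent) -> bool:
    """True when argv[0] names a different program than the mapped image.

    A loader that hollows a suspended process commonly passes its *own* path as
    lpCommandLine to CreateProcess, so the victim (here svchost.exe) carries the
    dropper's command line. An empty command line is not treated as a mismatch.
    """
    claimed = exe_stem(cmdline_image(ev.cmdline))
    return bool(claimed) and claimed != exe_stem(ev.image)


def find_hollowing_candidates(events: list[ProcEvent]) -> list[dict]:
    """Return one record per mismatching process, with its parent image for context."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not is_hollowing_candidate(e):
            continue
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        hits.append({
            "pid": e.pid,
            "image": e.image,
            "claimed": cmdline_image(e.cmdline),
            "parent_image": parent.image if parent else None,
        })
    return hits


# Constructed events mirroring the report's tree (PIDs, paths and command lines
# are the page's; the parent PIDs 600/700 of top-level entries are assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"
EVENTS = [
    ProcEvent(1092, 600, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4044, 1092, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"'),
    ProcEvent(3800, 4044, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 192"),
    ProcEvent(312, 700, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044"),
    # An ordinary service host, to show the normal svchost.exe pattern is not flagged.
    ProcEvent(1500, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

if __name__ == "__main__":
    for hit in find_hollowing_candidates(EVENTS):
        print(hit)
```

        Only PID 4044 is flagged. Treat the result as a triage signal rather than a verdict: some legitimate launchers also set a custom lpCommandLine, and a loader that passes the victim's real path (or launches it with no arguments) will not trip this check at all, so pair it with the SetThreadContext/WriteProcessMemory telemetry the report shows on the parent.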

        Network

        Note on this capture: the report ties none of the traffic below to the sample's process tree. The three g.bing.com requests carry the WindowsShellClient user agent (the Windows shell's own content fetches), the only forward lookup is g.bing.com, and the remaining queries are PTR (reverse) lookups of which only three returned a name (dnsgoogle and two akamaitechnologies hosts). Nothing here can be linked to the hollowed svchost.exe (PID 4044), which crashed; treat the capture as sandbox background rather than command-and-control.

        • DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
        • GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=
          Remote address:
          13.107.21.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=11756F0593BA664529477BD7920167BA; domain=.bing.com; expires=Sat, 30-Aug-2025 13:00:55 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 77EE251283C74783A8832AEA3E10822F Ref B: LON04EDGE0915 Ref C: 2024-08-05T13:00:55Z
          date: Mon, 05 Aug 2024 13:00:55 GMT
        • GET
          https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=
          Remote address:
          13.107.21.237:443
          Request
          GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=11756F0593BA664529477BD7920167BA
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=BJyI-QS0xNGMuM6BaoWMC_KlmYCT_kamPp452RDn4e0; domain=.bing.com; expires=Sat, 30-Aug-2025 13:00:55 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: C758F8FB6C0D4A6980EEA9650AC83ED6 Ref B: LON04EDGE0915 Ref C: 2024-08-05T13:00:55Z
          date: Mon, 05 Aug 2024 13:00:55 GMT
        • GET
          https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=
          Remote address:
          13.107.21.237:443
          Request
          GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid= HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=11756F0593BA664529477BD7920167BA; MSPTC=BJyI-QS0xNGMuM6BaoWMC_KlmYCT_kamPp452RDn4e0
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 5AD72C830DCB4D089013AE8FD15FAEF8 Ref B: LON04EDGE0915 Ref C: 2024-08-05T13:00:55Z
          date: Mon, 05 Aug 2024 13:00:55 GMT
        • DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • DNS
          64.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          64.159.190.20.in-addr.arpa
          IN PTR
          Response
        • DNS
          237.21.107.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.21.107.13.in-addr.arpa
          IN PTR
          Response
        • DNS
          25.140.123.92.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          25.140.123.92.in-addr.arpa
          IN PTR
          Response
          25.140.123.92.in-addr.arpa
          IN PTR
          a92-123-140-25deploystaticakamaitechnologiescom
        • DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • DNS
          103.169.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          103.169.127.40.in-addr.arpa
          IN PTR
          Response
        • DNS
          56.126.166.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          56.126.166.20.in-addr.arpa
          IN PTR
          Response
        • DNS
          217.135.221.88.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          217.135.221.88.in-addr.arpa
          IN PTR
          Response
          217.135.221.88.in-addr.arpa
          IN PTR
          a88-221-135-217deploystaticakamaitechnologiescom
        • DNS
          14.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.227.111.52.in-addr.arpa
          IN PTR
          Response
        Connections summary (columns: remote endpoint, host / query, protocol, bytes out, bytes in, packets out, packets in)

        • 13.107.21.237:443  g.bing.com  tls, http2  2.0kB  9.3kB  22  19
          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=  ->  204
          GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=  ->  204
          GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=  ->  204
        • 8.8.8.8:53  g.bing.com  dns  56 B  151 B  1  1
          A  ->  13.107.21.237, 204.79.197.237
        • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B  90 B  1  1
        • 8.8.8.8:53  64.159.190.20.in-addr.arpa  dns  72 B  158 B  1  1
        • 8.8.8.8:53  237.21.107.13.in-addr.arpa  dns  72 B  158 B  1  1
        • 8.8.8.8:53  25.140.123.92.in-addr.arpa  dns  72 B  137 B  1  1
        • 8.8.8.8:53  88.156.103.20.in-addr.arpa  dns  72 B  158 B  1  1
        • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B  128 B  1  1
        • 8.8.8.8:53  103.169.127.40.in-addr.arpa  dns  73 B  147 B  1  1
        • 8.8.8.8:53  56.126.166.20.in-addr.arpa  dns  72 B  158 B  1  1
        • 8.8.8.8:53  217.135.221.88.in-addr.arpa  dns  73 B  139 B  1  1
        • 8.8.8.8:53  14.227.111.52.in-addr.arpa  dns  72 B  158 B  1  1
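        A network log like the one above is mostly noise, and the useful analyst moves are to set aside what a clean Windows VM does on its own and to turn the PTR queries back into the peer addresses the guest reverse-resolved without ever forward-resolving them. The script below is an added example for this page, not the sandbox's own code: the events are constructed from the report's DNS names and answers, the event order is assumed, and the background allowlist is an analyst assumption rather than anything the report states.

```python
"""Triage a sandbox network log: separate OS background traffic from entries that
need review, and recover from PTR queries the peer IPs that no forward lookup explains."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    kind: str              # "dns" or "http"
    name: str              # DNS query name, or HTTP request host
    qtype: str = ""        # DNS record type ("A", "PTR")
    answers: tuple = ()    # A-record answers as dotted-quad strings
    user_agent: str = ""   # HTTP only


# Analyst-maintained allowlist of (user-agent prefix, domain) pairs that a clean
# Windows 10 VM produces by itself. This is an assumption of the example, not
# something the report states; grow it from your own clean-baseline captures.
OS_BACKGROUND = {
    ("WindowsShellClient", "bing.com"),
}


def ptr_to_ip(qname: str):
    """'64.159.190.20.in-addr.arpa' -> '20.190.159.64'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def in_domain(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify(ev: NetEvent) -> str:
    if ev.kind == "dns" and ev.qtype == "PTR":
        return "reverse_lookup"
    if ev.kind == "dns" and any(in_domain(ev.name, dom) for _, dom in OS_BACKGROUND):
        return "os_background"
    if ev.kind == "http" and any(
        ev.user_agent.startswith(ua) and in_domain(ev.name, dom) for ua, dom in OS_BACKGROUND
    ):
        return "os_background"
    return "review"


def triage(events):
    """Return (buckets, unexplained_ips).

    unexplained_ips are peers the guest reverse-resolved but never forward-resolved
    in this capture (connections made from cache or outside the window). When the
    'review' bucket is empty, these are the first thing to pivot on."""
    buckets = {"reverse_lookup": [], "os_background": [], "review": []}
    forward, reversed_ips = set(), set()
    for ev in events:
        label = classify(ev)
        buckets[label].append(ev)
        if ev.kind == "dns" and ev.qtype == "A":
            forward.update(ev.answers)
        ip = ptr_to_ip(ev.name) if label == "reverse_lookup" else None
        if ip:
            reversed_ips.add(ip)
    unexplained = sorted(reversed_ips - forward, key=ipaddress.IPv4Address)
    return buckets, unexplained


# Constructed from the report: one forward lookup, three shell requests, ten PTR queries.
UA = "WindowsShellClient/9.0.40929.0 (Windows)"
EVENTS = [
    NetEvent("dns", "g.bing.com", "A", ("13.107.21.237", "204.79.197.237")),
    NetEvent("http", "g.bing.com", user_agent=UA),
    NetEvent("http", "g.bing.com", user_agent=UA),
    NetEvent("http", "g.bing.com", user_agent=UA),
] + [
    NetEvent("dns", n, "PTR") for n in (
        "8.8.8.8.in-addr.arpa", "64.159.190.20.in-addr.arpa", "237.21.107.13.in-addr.arpa",
        "25.140.123.92.in-addr.arpa", "88.156.103.20.in-addr.arpa", "172.210.232.199.in-addr.arpa",
        "103.169.127.40.in-addr.arpa", "56.126.166.20.in-addr.arpa", "217.135.221.88.in-addr.arpa",
        "14.227.111.52.in-addr.arpa",
    )
]

if __name__ == "__main__":
    buckets, unexplained = triage(EVENTS)
    print({k: len(v) for k, v in buckets.items()})
    print("reverse-resolved but never forward-resolved:", unexplained)
```

        On the report's data the review bucket is empty and nine addresses come back as reverse-resolved without a forward lookup (13.107.21.237 is explained by the g.bing.com answer). That list is what you would carry into a second run with a longer capture window or a clean-VM baseline before concluding the sample made no outbound connections.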

        MITRE ATT&CK Enterprise v15

        • Discovery: System Location Discovery: System Language Discovery (T1614.001)


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\aut5520.tmp

          Filesize

          280KB

          MD5

          3e87a8823c6f4231f6cfc1fdc08dae11

          SHA1

          9773a563be5d99db6d9ebee374b70aaea13691b8

          SHA256

          44096e8052b7c31a31f65ef79bcdcdc4a446f969b38e56f2cc2505993ab133cf

          SHA512

          bf5a4d88a5dfffb6f5c4bca70c6b01133281824edf745f9d4ceedf7cdba7e8a0387ff852a2e03e4bda35f8164d0be789b7a47734932e3e03d9251239d8ea07c6

        • memory/1092-13-0x0000000002730000-0x0000000002734000-memory.dmp

          Filesize

          16KB

        • memory/4044-14-0x0000000000520000-0x0000000000566000-memory.dmp

          Filesize

          280KB

        Note on the artifacts: the 0x520000-0x566000 region dumped from svchost.exe (PID 4044) is 0x46000 bytes, the same 280KB as the dropped aut5520.tmp, which fits the dropped file being what was written into the hollowed process. The aut####.tmp name is the temporary-file convention of AutoIt-compiled executables (FileInstall), so this is consistent with an AutoIt loader; confirm by checking the sample for the AutoIt script resource before relying on that attribution.
