Analysis
-
max time kernel
125s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/08/2024, 13:00 UTC
Static task
static1
Behavioral task
behavioral1
Sample
PI24000032.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
PI24000032.exe
Resource
win10v2004-20240802-en
General
-
Target
PI24000032.exe
-
Size
1.2MB
-
MD5
4ea21bce2e927e066bd726b8d38a2adc
-
SHA1
a4d7a0820e72d4cdd3e0d882593c69983ad6e043
-
SHA256
9c2a88e6231afc32955d617333a563b8961175a3ea9f01a97140aa6707ef7272
-
SHA512
4c3016090b9f917c929b4c08f62cbb923eec32ae06f6ba42a4323f98c8dfedbf38e675c1787d752ad0f03cde72e01c47d15000200a08dc34d7729403bac5b1ac
-
SSDEEP
24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8av0NzEdqf3LyFPQ7leIJ:5TvC/MTQYxsWR7av0NwQf3L6Y7le
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1092 set thread context of 4044 1092 PI24000032.exe 93 -
Program crash 1 IoCs
pid pid_target Process procid_target 3800 4044 WerFault.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PI24000032.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1092 PI24000032.exe 1092 PI24000032.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1092 PI24000032.exe 1092 PI24000032.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1092 PI24000032.exe 1092 PI24000032.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1092 wrote to memory of 4044 1092 PI24000032.exe 93 PID 1092 wrote to memory of 4044 1092 PI24000032.exe 93 PID 1092 wrote to memory of 4044 1092 PI24000032.exe 93 PID 1092 wrote to memory of 4044 1092 PI24000032.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\PI24000032.exe"2⤵PID:4044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1923⤵
- Program crash
PID:3800
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 40441⤵PID:312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:81⤵PID:944
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A13.107.21.237dual-a-0034.a-msedge.netIN A204.79.197.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=11756F0593BA664529477BD7920167BA; domain=.bing.com; expires=Sat, 30-Aug-2025 13:00:55 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 77EE251283C74783A8832AEA3E10822F Ref B: LON04EDGE0915 Ref C: 2024-08-05T13:00:55Z
date: Mon, 05 Aug 2024 13:00:55 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=11756F0593BA664529477BD7920167BA
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=BJyI-QS0xNGMuM6BaoWMC_KlmYCT_kamPp452RDn4e0; domain=.bing.com; expires=Sat, 30-Aug-2025 13:00:55 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C758F8FB6C0D4A6980EEA9650AC83ED6 Ref B: LON04EDGE0915 Ref C: 2024-08-05T13:00:55Z
date: Mon, 05 Aug 2024 13:00:55 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=11756F0593BA664529477BD7920167BA; MSPTC=BJyI-QS0xNGMuM6BaoWMC_KlmYCT_kamPp452RDn4e0
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5AD72C830DCB4D089013AE8FD15FAEF8 Ref B: LON04EDGE0915 Ref C: 2024-08-05T13:00:55Z
date: Mon, 05 Aug 2024 13:00:55 GMT
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.21.107.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
13.107.21.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=tls, http22.0kB 9.3kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c552efb9586452f8f486af1e3daec68&localId=w:C1C7FDA1-57D8-3617-175E-F6F87939E990&deviceId=6755468654767491&anid=HTTP Response
204
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
13.107.21.237204.79.197.237
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
237.21.107.13.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
MD53e87a8823c6f4231f6cfc1fdc08dae11
SHA19773a563be5d99db6d9ebee374b70aaea13691b8
SHA25644096e8052b7c31a31f65ef79bcdcdc4a446f969b38e56f2cc2505993ab133cf
SHA512bf5a4d88a5dfffb6f5c4bca70c6b01133281824edf745f9d4ceedf7cdba7e8a0387ff852a2e03e4bda35f8164d0be789b7a47734932e3e03d9251239d8ea07c6