Analysis

  • max time kernel
    31s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 00:22

Errors

Reason
Machine shutdown

General

  • Target

    rstrui.exe

  • Size

    268KB

  • MD5

    9738d3b78e4c5ba0318d1836ac1742ce

  • SHA1

    c965821ffffb084e5338748cb217da0375be6254

  • SHA256

    5b3e453aa0a3b4ca160b206c2218e196b89c6367d9162874dc38356072cbea9f

  • SHA512

    bc7d866e3eba21563f35509f166f7c24ff9448ba77f592c5682276e0d54d91088cf8946c42369d19432d1321a8cfd4b4d04739dd7d7d22d4a3bf622f76269a12

  • SSDEEP

    6144:D2giB1TuuQl2FRuTsKlpbcUsozcangj2+UvQ/KpmOq:D2gG5c2FR7kNcK3vQ/Kp

Score
1/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rstrui.exe
    "C:\Users\Admin\AppData\Local\Temp\rstrui.exe"
    1⤵
      PID:2768
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1872

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=0B97A6B50C926CAD24B2B2600D726D7E; domain=.bing.com; expires=Tue, 02-Sep-2025 00:22:55 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 448251029B1D424CA98D546094182A86 Ref B: LON04EDGE1106 Ref C: 2024-08-08T00:22:55Z
      date: Thu, 08 Aug 2024 00:22:54 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0B97A6B50C926CAD24B2B2600D726D7E
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=f2Y74CBQ6gd4pmF4mUC60yQpecLVNOwXT9ht7YKjn0Q; domain=.bing.com; expires=Tue, 02-Sep-2025 00:22:55 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 29E827F9B53449D9B9943BFA1337FCAE Ref B: LON04EDGE1106 Ref C: 2024-08-08T00:22:55Z
      date: Thu, 08 Aug 2024 00:22:55 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=0B97A6B50C926CAD24B2B2600D726D7E; MSPTC=f2Y74CBQ6gd4pmF4mUC60yQpecLVNOwXT9ht7YKjn0Q
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 302B71C867DE464B9C5F3FAFD28CC72A Ref B: LON04EDGE1106 Ref C: 2024-08-08T00:22:55Z
      date: Thu, 08 Aug 2024 00:22:55 GMT
    • flag-us
      DNS
      136.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      136.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=
      tls, http2
      2.0kB
      9.3kB
      21
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      136.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      136.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.