Analysis
-
max time kernel
31s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-08-2024 00:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
rstrui.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
1 signatures
60 seconds
Errors
Reason
Machine shutdown
General
-
Target
rstrui.exe
-
Size
268KB
-
MD5
9738d3b78e4c5ba0318d1836ac1742ce
-
SHA1
c965821ffffb084e5338748cb217da0375be6254
-
SHA256
5b3e453aa0a3b4ca160b206c2218e196b89c6367d9162874dc38356072cbea9f
-
SHA512
bc7d866e3eba21563f35509f166f7c24ff9448ba77f592c5682276e0d54d91088cf8946c42369d19432d1321a8cfd4b4d04739dd7d7d22d4a3bf622f76269a12
-
SSDEEP
6144:D2giB1TuuQl2FRuTsKlpbcUsozcangj2+UvQ/KpmOq:D2gG5c2FR7kNcK3vQ/Kp
Score
1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1872 wbengine.exe Token: SeRestorePrivilege 1872 wbengine.exe Token: SeSecurityPrivilege 1872 wbengine.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A204.79.197.237dual-a-0034.a-msedge.netIN A13.107.21.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0B97A6B50C926CAD24B2B2600D726D7E; domain=.bing.com; expires=Tue, 02-Sep-2025 00:22:55 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 448251029B1D424CA98D546094182A86 Ref B: LON04EDGE1106 Ref C: 2024-08-08T00:22:55Z
date: Thu, 08 Aug 2024 00:22:54 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0B97A6B50C926CAD24B2B2600D726D7E
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=f2Y74CBQ6gd4pmF4mUC60yQpecLVNOwXT9ht7YKjn0Q; domain=.bing.com; expires=Tue, 02-Sep-2025 00:22:55 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 29E827F9B53449D9B9943BFA1337FCAE Ref B: LON04EDGE1106 Ref C: 2024-08-08T00:22:55Z
date: Thu, 08 Aug 2024 00:22:55 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=Remote address:204.79.197.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0B97A6B50C926CAD24B2B2600D726D7E; MSPTC=f2Y74CBQ6gd4pmF4mUC60yQpecLVNOwXT9ht7YKjn0Q
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 302B71C867DE464B9C5F3FAFD28CC72A Ref B: LON04EDGE1106 Ref C: 2024-08-08T00:22:55Z
date: Thu, 08 Aug 2024 00:22:55 GMT
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
204.79.197.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=tls, http22.0kB 9.3kB 21 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=26faf70a86d04378987a0450261d5507&localId=w:82828431-2DDB-D3A4-0A67-5CF56E102AD4&deviceId=6755468654845740&anid=HTTP Response
204
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa