Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a9c23eddb8...18.exe

windows7-x64

10

a9c23eddb8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 05:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe

  • Size

    680KB

  • MD5

    a9c23eddb8ccb3008ef6dcf7500dc833

  • SHA1

    14440dd1c9dcb5ee0aafacd4fa6e4457ac8bf1da

  • SHA256

    70fa8d9e6b819e18967b7e4d8a7fc50030800c9427d66b657dda837a0a434052

  • SHA512

    415d65be32ee25d5b1e1676e005bbb315aced8597e11038c5bcaae0541b15715767bc72f7a22e17eacc0eb1436a04204c6df51344df34a1ad1a2b3b51d65403e

  • SSDEEP

    12288:qClephVMo7IYJAB++2RrxRAjbeNC2v+clES+vYOqH:fOhKpYyB/MrxRAZMES+b+

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Users\Admin\GFW6ssUz.exe
        C:\Users\Admin\GFW6ssUz.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Users\Admin\xiliv.exe
          "C:\Users\Admin\xiliv.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del GFW6ssUz.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3824
      • C:\Users\Admin\2kaq.exe
        C:\Users\Admin\2kaq.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Users\Admin\2kaq.exe
          "C:\Users\Admin\2kaq.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4108
        • C:\Users\Admin\2kaq.exe
          "C:\Users\Admin\2kaq.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1764
        • C:\Users\Admin\2kaq.exe
          "C:\Users\Admin\2kaq.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3096
        • C:\Users\Admin\2kaq.exe
          "C:\Users\Admin\2kaq.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1728
        • C:\Users\Admin\2kaq.exe
          "C:\Users\Admin\2kaq.exe"
          4⤵
          • Executes dropped EXE
          PID:1900
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 80
            5⤵
            • Program crash
            PID:3212
      • C:\Users\Admin\3kaq.exe
        C:\Users\Admin\3kaq.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Users\Admin\AppData\Local\fab7201a\X
          *0*bc*c2115642*31.193.3.240:53
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:316
      • C:\Users\Admin\4kaq.exe
        C:\Users\Admin\4kaq.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Users\Admin\AppData\Roaming\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\svcnost.exe
          "C:\Users\Admin\AppData\Roaming\x3wvvuugpgaveju1d1adbxjiyhx22kgy2\svcnost.exe"
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops desktop.ini file(s)
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:1240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del a9c23eddb8ccb3008ef6dcf7500dc833_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1000
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1900 -ip 1900
    1⤵
      PID:2244

    Network

    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      72.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      72.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      com9.us.to
      2kaq.exe
      Remote address:
      8.8.8.8:53
      Request
      com9.us.to
      IN A
      Response
    • flag-us
      DNS
      promos.fling.com
      3kaq.exe
      Remote address:
      8.8.8.8:53
      Request
      promos.fling.com
      IN A
      Response
      promos.fling.com
      IN A
      64.210.151.32
    • flag-us
      GET
      http://promos.fling.com/geo/txt/city.php
      3kaq.exe
      Remote address:
      64.210.151.32:80
      Request
      GET /geo/txt/city.php HTTP/1.0
      Host: promos.fling.com
      Connection: close
      Response
      HTTP/1.1 302 Found
      content-length: 0
      location: https://promos.fling.com/geo/txt/city.php
      cache-control: no-cache
      connection: close
    • flag-us
      DNS
      240.3.193.31.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.3.193.31.in-addr.arpa
      IN PTR
      Response
      240.3.193.31.in-addr.arpa
      IN PTR
      311933240srvlistukfastnet
    • flag-us
      DNS
      32.151.210.64.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      32.151.210.64.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      oszp.ru
      svcnost.exe
      Remote address:
      8.8.8.8:53
      Request
      oszp.ru
      IN A
      Response
      oszp.ru
      IN A
      62.122.170.171
    • flag-nl
      POST
      http://87.75.44.12/stat1.php
      svcnost.exe
      Remote address:
      62.122.170.171:80
      Request
      POST /stat1.php HTTP/1.0
      Host: 87.75.44.12
      User-Agent: Mozilla/4.0 (compatible. MSIE 8.0. Windows NT 5.1)
      Accept-Encoding: gzip,deflate
      Content-Length: 129
      Response
      HTTP/1.1 302 Found
      Server: nginx/1.14.1
      Date: Mon, 19 Aug 2024 05:26:51 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Powered-By: PHP/7.2.24
      Set-Cookie: PHPSESSID=4c7ujoft02bf6qtmc4v68h39bp; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      Location: http://87.75.44.12/site/index
    • flag-us
      DNS
      171.170.122.62.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.170.122.62.in-addr.arpa
      IN PTR
      Response
      171.170.122.62.in-addr.arpa
      IN PTR
      62122170171serverelnet
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 563726
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 29E96861FE6643D1BCD5606BBBDE10A0 Ref B: LON04EDGE0713 Ref C: 2024-08-19T05:27:35Z
      date: Mon, 19 Aug 2024 05:27:35 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388073_119U9LBW9PBGDFL1U&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388073_119U9LBW9PBGDFL1U&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 646893
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 536D84CEE26C411A9F6F55644DCD8DB5 Ref B: LON04EDGE0713 Ref C: 2024-08-19T05:27:35Z
      date: Mon, 19 Aug 2024 05:27:35 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388072_1EV9TE4QEFANKPF6H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388072_1EV9TE4QEFANKPF6H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 626306
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 5A2D61B2A376422A80DCB9B8ECEBC619 Ref B: LON04EDGE0713 Ref C: 2024-08-19T05:27:35Z
      date: Mon, 19 Aug 2024 05:27:35 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 660072
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 521372C66CFB442AA97825F6D711FF78 Ref B: LON04EDGE0713 Ref C: 2024-08-19T05:27:35Z
      date: Mon, 19 Aug 2024 05:27:35 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 632525
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4F302C7375374081A6817F9904313B46 Ref B: LON04EDGE0713 Ref C: 2024-08-19T05:27:35Z
      date: Mon, 19 Aug 2024 05:27:35 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 633835
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D92E0A796ECD445AA11FB56579867FB8 Ref B: LON04EDGE0713 Ref C: 2024-08-19T05:27:36Z
      date: Mon, 19 Aug 2024 05:27:35 GMT
    • flag-us
      DNS
      10.27.171.150.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.27.171.150.in-addr.arpa
      IN PTR
      Response
    • 64.210.151.32:80
      http://promos.fling.com/geo/txt/city.php
      http
      3kaq.exe
      307 B
       310 B
       5
      4

      HTTP Request

      GET http://promos.fling.com/geo/txt/city.php

      HTTP Response

      302
    • 176.53.17.23:80
      3kaq.exe
      104 B
       80 B
       2
      2
    • 176.53.17.23:80
      3kaq.exe
      104 B
       80 B
       2
      2
    • 217.20.127.234:80
      svcnost.exe
      260 B
       5
    • 217.20.127.32:80
      svcnost.exe
      260 B
       5
    • 62.122.170.171:80
      http://87.75.44.12/stat1.php
      http
      svcnost.exe
      522 B
       580 B
       5
      5

      HTTP Request

      POST http://87.75.44.12/stat1.php

      HTTP Response

      302
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      170.3kB
       3.9MB
       2841
      2836

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388073_119U9LBW9PBGDFL1U&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388072_1EV9TE4QEFANKPF6H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418599_1G42Z13GRT0FB3ANC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418600_11EQ8QDR6IPB0F4AN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
       6.9kB
       15
      13
    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      72.32.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      72.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      com9.us.to
      dns
      2kaq.exe
      56 B
       115 B
       1
      1

      DNS Request

      com9.us.to

    • 8.8.8.8:53
      promos.fling.com
      dns
      3kaq.exe
      62 B
       78 B
       1
      1

      DNS Request

      promos.fling.com

      DNS Response

      64.210.151.32

    • 31.193.3.240:53
      3kaq.exe
      48 B
       1
    • 31.193.3.240:53
      X
      48 B
       1
    • 8.8.8.8:53
      240.3.193.31.in-addr.arpa
      dns
      71 B
       116 B
       1
      1

      DNS Request

      240.3.193.31.in-addr.arpa

    • 8.8.8.8:53
      32.151.210.64.in-addr.arpa
      dns
      72 B
       141 B
       1
      1

      DNS Request

      32.151.210.64.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      oszp.ru
      dns
      svcnost.exe
      53 B
       69 B
       1
      1

      DNS Request

      oszp.ru

      DNS Response

      62.122.170.171

    • 8.8.8.8:53
      171.170.122.62.in-addr.arpa
      dns
      73 B
       114 B
       1
      1

      DNS Request

      171.170.122.62.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
       170 B
       1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      10.27.171.150.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      10.27.171.150.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Process Discovery

    1
    T1057

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2kaq.exe
      Filesize

      132KB

      MD5

      d7dbb57f65cb963477a8fa11714ec0be

      SHA1

      756d29032644973b9f48980a1e30448206811119

      SHA256

      94242fda567e2b4dc0be9d4ca5370ff0ddee2d25751dd191c3fed995837c10ec

      SHA512

      1db3577abd73c8c8667da426faedf63ad9c7a75462cbeac0be19a525690baaa9f1d8446d3b804abbf24550d73cbefecf6c77c224539e8dd5db37f34f7e975fdc

      Download Submit

    • C:\Users\Admin\3kaq.exe
      Filesize

      277KB

      MD5

      00b72668c42555c6d9e3cee383730fc0

      SHA1

      509a7c39baf2b9a46813c641cca687b37e244d5a

      SHA256

      baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd

      SHA512

      1bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78

      Download Submit

    • C:\Users\Admin\4kaq.exe
      Filesize

      120KB

      MD5

      ee3508d5206de400e5792c826ae71aae

      SHA1

      b448132f604b7e886343b911cc56371a7f251c04

      SHA256

      f6226f935ea3d5ecc4be3ccf6a59caff31ed3e6bd35c5d26fbe3906b4379b35d

      SHA512

      233f72bf8cf5d72b7f7c09bf546220fa0c34511330349fa28ef4c746b19f59696b5e515a7d345862430979800be354ab954aa55f79747a83d601abdf32bd24fb

      Download Submit

    • C:\Users\Admin\AppData\Local\fab7201a\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\desktop.ini
      Filesize

      9KB

      MD5

      4a27242b307c6a836993353035fafc16

      SHA1

      5fea7a41b8f9071848108015d8a952e6f944eea0

      SHA256

      02fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1

      SHA512

      35e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ntuser.dat
      Filesize

      54KB

      MD5

      7e8e966927e04a35aec644602b8a9e05

      SHA1

      d201b0b41e8701818d60ddbf9f334332a512c4da

      SHA256

      46f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c

      SHA512

      246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51

      Download Submit

    • C:\Users\Admin\GFW6ssUz.exe
      Filesize

      312KB

      MD5

      d0250c92bd9e6c62c0c8227ea7bc0df4

      SHA1

      9a9fd691422b105c5e008764b980d1568c2df957

      SHA256

      ee113e2ee5cd0d396af0e79c2390d059355d24e426886bbacda44d7f39a28007

      SHA512

      99ab659dd56fabf0bd488f754cc7d1b166e1727b5a742d4262062946b5aa79577499fff55e434b6dbe05efa11e9ce2ce58cf68f30e29d9b5580e20de4e974200

      Download Submit

    • C:\Users\Admin\xiliv.exe
      Filesize

      312KB

      MD5

      d40409eb3053209f0faf3a26265574ae

      SHA1

      a3f19235a2859e5d0810c68af897a861acf3f2d0

      SHA256

      a43878b7b764008a9990ac215da3ff368797ff0c4296c8c179d66d01f3006023

      SHA512

      ec2a49c448c31843d12e4c69aed976bbbf76aeee130c55c5d9170f39f0c521d824c78973e033df2eeb5b9ad6ae8613bcc63ff0cdac175697b416ee2c0e3f62c3

      Download Submit

    • memory/1240-101-0x0000000000DB0000-0x0000000000DCD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1240-97-0x0000000000400000-0x0000000000B19000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1240-102-0x0000000000DB0000-0x0000000000DCD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/1240-120-0x0000000000400000-0x0000000000B19000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/1280-86-0x0000000030670000-0x00000000306C3000-memory.dmp

      Filesize

      332KB

      Download

    • memory/1728-96-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1728-68-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1728-66-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1728-64-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1764-59-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1764-58-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1764-53-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1764-61-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3096-71-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3096-70-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3096-62-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3096-95-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/4108-47-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4108-84-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4108-50-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4108-52-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4840-100-0x0000000000400000-0x0000000000B19000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/4840-91-0x0000000000400000-0x0000000000B19000-memory.dmp

      Filesize

      7.1MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.