Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2024, 23:13 UTC

General

  • Target

    8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe

  • Size

    61KB

  • MD5

    4b3b4255694ce418a57b69a25858a510

  • SHA1

    8f6d4bd6db0ab11048123d3720b8b827d3652776

  • SHA256

    8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316

  • SHA512

    67125b61ba1deadba1b3b23cbfa83c7abae23cef50855afaa6d47e1eeb251504a824af8baad2b3a17dab157aefcb191a014bfb70a21a7d69ebcc266b129445e2

  • SSDEEP

    1536:kQpQ5EP0ijnRTXJqCRSE9ruI6ggkgPIdI9Qf5ZM:kQIURTXJqCRSAruI6gMYhC

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2468

Network

  • flag-us
    DNS
    ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
    Au_.exe
    Remote address:
    8.8.8.8:53
    Request
    ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
    IN A
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=15CFD1EDD33E64A9011CC4F8D20F65AD; domain=.bing.com; expires=Wed, 05-Nov-2025 23:13:21 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 266754F23A3B47A4BA298527A481F683 Ref B: LON601060102036 Ref C: 2024-10-11T23:13:21Z
    date: Fri, 11 Oct 2024 23:13:21 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=15CFD1EDD33E64A9011CC4F8D20F65AD
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=l_2Ht1LEM5ivT2INibW58rQSTX1hQyqyzHJSEMH0k2Q; domain=.bing.com; expires=Wed, 05-Nov-2025 23:13:21 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF95969BB6A3485A992B838299867101 Ref B: LON601060102036 Ref C: 2024-10-11T23:13:21Z
    date: Fri, 11 Oct 2024 23:13:21 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=15CFD1EDD33E64A9011CC4F8D20F65AD; MSPTC=l_2Ht1LEM5ivT2INibW58rQSTX1hQyqyzHJSEMH0k2Q
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9B4061BA171C4BACAFD3D64B56AB87A2 Ref B: LON601060102036 Ref C: 2024-10-11T23:13:21Z
    date: Fri, 11 Oct 2024 23:13:21 GMT
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    142.72.21.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    142.72.21.2.in-addr.arpa
    IN PTR
    Response
    142.72.21.2.in-addr.arpa
    IN PTR
    a2-21-72-142deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
    tls, http2
    2.0kB
    9.4kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
    dns
    Au_.exe
    92 B
    174 B
    1
    1

    DNS Request

    ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    71.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    71.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    69.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    69.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    142.72.21.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    142.72.21.2.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsh8C64.tmp\inetc.dll

    Filesize

    21KB

    MD5

    92ec4dd8c0ddd8c4305ae1684ab65fb0

    SHA1

    d850013d582a62e502942f0dd282cc0c29c4310e

    SHA256

    5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

    SHA512

    581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    61KB

    MD5

    4b3b4255694ce418a57b69a25858a510

    SHA1

    8f6d4bd6db0ab11048123d3720b8b827d3652776

    SHA256

    8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316

    SHA512

    67125b61ba1deadba1b3b23cbfa83c7abae23cef50855afaa6d47e1eeb251504a824af8baad2b3a17dab157aefcb191a014bfb70a21a7d69ebcc266b129445e2

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.