Analysis
- max time kernel: 92s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2024, 23:13 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/inetc.dll
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/inetc.dll
  Resource: win10v2004-20241007-en
General
- Target: 8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe
- Size: 61KB
- MD5: 4b3b4255694ce418a57b69a25858a510
- SHA1: 8f6d4bd6db0ab11048123d3720b8b827d3652776
- SHA256: 8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316
- SHA512: 67125b61ba1deadba1b3b23cbfa83c7abae23cef50855afaa6d47e1eeb251504a824af8baad2b3a17dab157aefcb191a014bfb70a21a7d69ebcc266b129445e2
- SSDEEP: 1536:kQpQ5EP0ijnRTXJqCRSE9ruI6ggkgPIdI9Qf5ZM:kQIURTXJqCRSAruI6gMYhC
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2468  Process Au_.exe
- Executes dropped EXE (1 IoC)
  pid 2468  Process Au_.exe
- Loads dropped DLL (1 IoC)
  pid 2468  Process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Au_.exe
- NSIS installer (2 IoCs)
  resource  yara_rule
  behavioral2/files/0x000a000000023b7a-4.dat  nsis_installer_1
  behavioral2/files/0x000a000000023b7a-4.dat  nsis_installer_2
- Suspicious use of WriteProcessMemory (3 IoCs)
  description  pid  Process  procid_target
  PID 4540 wrote to memory of 2468  4540  8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe  84
  PID 4540 wrote to memory of 2468  4540  8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe  84
  PID 4540 wrote to memory of 2468  4540  8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe  84
Processes
- C:\Users\Admin\AppData\Local\Temp\8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316N.exe"
  PID: 4540
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    PID: 2468
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
- DNS query to 8.8.8.8:53
  Request: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com IN A
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: g.bing.com IN A
  Response:
    g.bing.com IN CNAME g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net IN CNAME ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net IN A 150.171.27.10
    ax-0001.ax-msedge.net IN A 150.171.28.10
- HTTP: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
  Remote address: 150.171.27.10:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=15CFD1EDD33E64A9011CC4F8D20F65AD; domain=.bing.com; expires=Wed, 05-Nov-2025 23:13:21 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 266754F23A3B47A4BA298527A481F683 Ref B: LON601060102036 Ref C: 2024-10-11T23:13:21Z
    date: Fri, 11 Oct 2024 23:13:21 GMT
- HTTP: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
  Remote address: 150.171.27.10:443
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=15CFD1EDD33E64A9011CC4F8D20F65AD
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=l_2Ht1LEM5ivT2INibW58rQSTX1hQyqyzHJSEMH0k2Q; domain=.bing.com; expires=Wed, 05-Nov-2025 23:13:21 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF95969BB6A3485A992B838299867101 Ref B: LON601060102036 Ref C: 2024-10-11T23:13:21Z
    date: Fri, 11 Oct 2024 23:13:21 GMT
- HTTP: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
  Remote address: 150.171.27.10:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=15CFD1EDD33E64A9011CC4F8D20F65AD; MSPTC=l_2Ht1LEM5ivT2INibW58rQSTX1hQyqyzHJSEMH0k2Q
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9B4061BA171C4BACAFD3D64B56AB87A2 Ref B: LON601060102036 Ref C: 2024-10-11T23:13:21Z
    date: Fri, 11 Oct 2024 23:13:21 GMT
- DNS query to 8.8.8.8:53
  Request: 2.159.190.20.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 197.87.175.4.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 71.209.201.84.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 15.164.165.52.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 240.221.184.93.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 69.209.201.84.in-addr.arpa IN PTR
  Response: (no records recorded)
- DNS query to 8.8.8.8:53
  Request: 142.72.21.2.in-addr.arpa IN PTR
  Response: 142.72.21.2.in-addr.arpa IN PTR a2-21-72-142.deploy.static.akamaitechnologies.com
- DNS query to 8.8.8.8:53
  Request: 22.236.111.52.in-addr.arpa IN PTR
  Response: (no records recorded)
Traffic summary
- 150.171.27.10:443  https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=  tls, http2  2.0kB  9.4kB  22  19
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
  HTTP Response: 204
  HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f2af5576d15c43a995ef8db96742df4c&localId=w:B1F9B991-31A2-6777-EDEA-FA7B5FB14F41&deviceId=6825841072347551&anid=
  HTTP Response: 204
- 92 B  174 B  1  1
  DNS Request: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
- 56 B  148 B  1  1
  DNS Request: g.bing.com
  DNS Response: 150.171.27.10, 150.171.28.10
- 71 B  157 B  1  1
  DNS Request: 2.159.190.20.in-addr.arpa
- 73 B  144 B  1  1
  DNS Request: 95.221.229.192.in-addr.arpa
- 71 B  157 B  1  1
  DNS Request: 197.87.175.4.in-addr.arpa
- 72 B  132 B  1  1
  DNS Request: 71.209.201.84.in-addr.arpa
- 72 B  146 B  1  1
  DNS Request: 15.164.165.52.in-addr.arpa
- 73 B  144 B  1  1
  DNS Request: 240.221.184.93.in-addr.arpa
- 72 B  132 B  1  1
  DNS Request: 69.209.201.84.in-addr.arpa
- 70 B  133 B  1  1
  DNS Request: 142.72.21.2.in-addr.arpa
- 72 B  158 B  1  1
  DNS Request: 22.236.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 21KB
  MD5: 92ec4dd8c0ddd8c4305ae1684ab65fb0
  SHA1: d850013d582a62e502942f0dd282cc0c29c4310e
  SHA256: 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
  SHA512: 581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
- Filesize: 61KB
  MD5: 4b3b4255694ce418a57b69a25858a510
  SHA1: 8f6d4bd6db0ab11048123d3720b8b827d3652776
  SHA256: 8d0f83026970356c75221aa6a1be2d3a8dc37f17bb6ab31f81458fe95c5c6316
  SHA512: 67125b61ba1deadba1b3b23cbfa83c7abae23cef50855afaa6d47e1eeb251504a824af8baad2b3a17dab157aefcb191a014bfb70a21a7d69ebcc266b129445e2