Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 10:09
Static task
static1
Behavioral task
behavioral1
Sample
Bank Swift and SOA PRN0072003410853_pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Bank Swift and SOA PRN0072003410853_pdf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Bank Swift and SOA PRN0072003410853_pdf.exe
-
Size
737KB
-
MD5
eb15bbefe683ef09c1c5c1bf5068dd71
-
SHA1
0b613412103c088372fb19656152d21d6a5db027
-
SHA256
8250c1a738d87ed5e8f7d743fa4b523a8c662c568f97b05de5712e9f2c39c647
-
SHA512
efc5e6c51a7d815294bf6de694803165c7e56e456e1cf350539e0299f66af3d5dc346bd5d98df151f51ee4fd35dccad98a113d22354f6cae4cbf0d31d823c45f
-
SSDEEP
12288:xlYZmcRHOys4LnDPb/RNXcIYSBZZKS2vHll7Q9hSCjJgroHaPdl7Fh:UmcdOt4LrXcAvKSErsOk+rddd3
Malware Config
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Disables Task Manager via registry modification
-
Loads dropped DLL 2 IoCs
pid Process 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 2148 Bank Swift and SOA PRN0072003410853_pdf.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 drive.google.com 5 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2084 Bank Swift and SOA PRN0072003410853_pdf.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 2084 Bank Swift and SOA PRN0072003410853_pdf.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2148 set thread context of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bank Swift and SOA PRN0072003410853_pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bank Swift and SOA PRN0072003410853_pdf.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2148 Bank Swift and SOA PRN0072003410853_pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2084 Bank Swift and SOA PRN0072003410853_pdf.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30 PID 2148 wrote to memory of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30 PID 2148 wrote to memory of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30 PID 2148 wrote to memory of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30 PID 2148 wrote to memory of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30 PID 2148 wrote to memory of 2084 2148 Bank Swift and SOA PRN0072003410853_pdf.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
Network
-
Remote address:8.8.8.8:53Requestdrive.google.comIN AResponsedrive.google.comIN A142.250.180.14
-
GEThttps://drive.google.com/uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEEBank Swift and SOA PRN0072003410853_pdf.exeRemote address:142.250.180.14:443RequestGET /uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
ResponseHTTP/1.1 303 See Other
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 04 Dec 2024 10:09:19 GMT
Location: https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'nonce-s1JI65-AxbmZSslP5hU9nQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.200.3
-
Remote address:142.250.200.3:80RequestGET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 04 Dec 2024 09:55:22 GMT
Expires: Wed, 04 Dec 2024 10:45:22 GMT
Cache-Control: public, max-age=3000
Age: 837
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requesto.pki.googIN AResponseo.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.200.3
-
GEThttp://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3DBank Swift and SOA PRN0072003410853_pdf.exeRemote address:142.250.200.3:80RequestGET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Wed, 04 Dec 2024 09:11:49 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3450
-
GEThttp://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBHBank Swift and SOA PRN0072003410853_pdf.exeRemote address:142.250.200.3:80RequestGET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog
ResponseHTTP/1.1 200 OK
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Wed, 04 Dec 2024 10:04:30 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 290
-
Remote address:8.8.8.8:53Requestdrive.usercontent.google.comIN AResponsedrive.usercontent.google.comIN A142.250.179.225
-
GEThttps://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=downloadBank Swift and SOA PRN0072003410853_pdf.exeRemote address:142.250.179.225:443RequestGET /download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com
ResponseHTTP/1.1 200 OK
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="MpHhVeIlFEHfKlgPEXadm63.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 94272
Last-Modified: Tue, 03 Dec 2024 22:48:36 GMT
X-GUploader-UploadID: AFiumC4SZswhMEmuP4mlsMsaArNnS5ae27_TYEWllhM3SGuWqZiIIqIy2HW1HTM3PW0DvY4hLeT9GQF6-w
Date: Wed, 04 Dec 2024 10:09:23 GMT
Expires: Wed, 04 Dec 2024 10:09:23 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=KfVVVg==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
-
Remote address:8.8.8.8:53Requestcheckip.dyndns.orgIN AResponsecheckip.dyndns.orgIN CNAMEcheckip.dyndns.comcheckip.dyndns.comIN A193.122.6.168checkip.dyndns.comIN A132.226.8.169checkip.dyndns.comIN A158.101.44.242checkip.dyndns.comIN A193.122.130.0checkip.dyndns.comIN A132.226.247.73
-
Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 207b96fa2587ff783cd6320eb5e8e066
-
Remote address:193.122.6.168:80RequestGET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6299fbbdd82634fc38eefbebc8bee1e7
-
Remote address:8.8.8.8:53Requestreallyfreegeoip.orgIN AResponsereallyfreegeoip.orgIN A172.67.177.134reallyfreegeoip.orgIN A104.21.67.152
-
Remote address:172.67.177.134:443RequestGET /xml/181.215.176.83 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 356
Connection: keep-alive
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 1794419
Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=08zAOxQUmiHadV3ZVOrx2kDL7yw0X3%2BXRdfYFPA5bOMhN2szHensnJdNcvNSc4tV%2BuHsqSbEJdpQgKtUHzIxxKO9HQehY9aXB%2FEDUWkcugnQOaGknX6NrCf5WaJU%2BeLN6aqEEFWz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ecb0034df11ef13-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=28900&min_rtt=26419&rtt_var=9861&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2867&recv_bytes=374&delivery_rate=112028&cwnd=253&unsent_bytes=0&cid=e050353946343ab8&ts=94&x=0"
-
Remote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A88.221.134.83a1363.dscg.akamai.netIN A88.221.134.146
-
Remote address:88.221.134.83:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
ETag: 0x8DCDDD1E3AF2C76
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 37b0a847-001e-003a-4dc7-0f4d92000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 04 Dec 2024 10:09:50 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A95.100.245.144
-
Remote address:95.100.245.144:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: aa584fbb-e01e-0040-08ef-2b50d2000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 04 Dec 2024 10:09:50 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV831e3ab4.0
ms-cv-esi: CASMicrosoftCV831e3ab4.0
X-RTag: RT
-
142.250.180.14:443https://drive.google.com/uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEEtls, httpBank Swift and SOA PRN0072003410853_pdf.exe986 B 9.0kB 10 11
HTTP Request
GET https://drive.google.com/uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEEHTTP Response
303 -
348 B 1.7kB 5 4
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
200 -
142.250.200.3:80http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBHhttpBank Swift and SOA PRN0072003410853_pdf.exe782 B 1.6kB 7 4
HTTP Request
GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3DHTTP Response
200HTTP Request
GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBHHTTP Response
200 -
142.250.179.225:443https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=downloadtls, httpBank Swift and SOA PRN0072003410853_pdf.exe2.7kB 109.0kB 47 84
HTTP Request
GET https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=downloadHTTP Response
200 -
548 B 818 B 6 4
HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200HTTP Request
GET http://checkip.dyndns.org/HTTP Response
200 -
172.67.177.134:443https://reallyfreegeoip.org/xml/181.215.176.83tls, httpBank Swift and SOA PRN0072003410853_pdf.exe684 B 4.4kB 7 7
HTTP Request
GET https://reallyfreegeoip.org/xml/181.215.176.83HTTP Response
200 -
399 B 1.7kB 4 4
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200 -
445 B 2.0kB 5 5
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200
-
62 B 78 B 1 1
DNS Request
drive.google.com
DNS Response
142.250.180.14
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.200.3
-
56 B 107 B 1 1
DNS Request
o.pki.goog
DNS Response
142.250.200.3
-
74 B 90 B 1 1
DNS Request
drive.usercontent.google.com
DNS Response
142.250.179.225
-
64 B 176 B 1 1
DNS Request
checkip.dyndns.org
DNS Response
193.122.6.168132.226.8.169158.101.44.242193.122.130.0132.226.247.73
-
65 B 97 B 1 1
DNS Request
reallyfreegeoip.org
DNS Response
172.67.177.134104.21.67.152
-
63 B 162 B 1 1
DNS Request
crl.microsoft.com
DNS Response
88.221.134.8388.221.134.146
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
95.100.245.144
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fc90dfb694d0e17b013d6f818bce41b0
SHA13243969886d640af3bfa442728b9f0dff9d5f5b0
SHA2567fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6