Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 10:09

General

  • Target

    Bank Swift and SOA PRN0072003410853_pdf.exe

  • Size

    737KB

  • MD5

    eb15bbefe683ef09c1c5c1bf5068dd71

  • SHA1

    0b613412103c088372fb19656152d21d6a5db027

  • SHA256

    8250c1a738d87ed5e8f7d743fa4b523a8c662c568f97b05de5712e9f2c39c647

  • SHA512

    efc5e6c51a7d815294bf6de694803165c7e56e456e1cf350539e0299f66af3d5dc346bd5d98df151f51ee4fd35dccad98a113d22354f6cae4cbf0d31d823c45f

  • SSDEEP

    12288:xlYZmcRHOys4LnDPb/RNXcIYSBZZKS2vHll7Q9hSCjJgroHaPdl7Fh:UmcdOt4LrXcAvKSErsOk+rddd3

Malware Config

Signatures

  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Disables Task Manager via registry modification
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Bank Swift and SOA PRN0072003410853_pdf.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2084

Network

  • flag-us
    DNS
    drive.google.com
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    142.250.180.14
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    142.250.180.14:443
    Request
    GET /uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 04 Dec 2024 10:09:19 GMT
    Location: https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'nonce-s1JI65-AxbmZSslP5hU9nQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 04 Dec 2024 09:55:22 GMT
    Expires: Wed, 04 Dec 2024 10:45:22 GMT
    Cache-Control: public, max-age=3000
    Age: 837
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 04 Dec 2024 09:11:49 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 3450
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 04 Dec 2024 10:04:30 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 290
  • flag-us
    DNS
    drive.usercontent.google.com
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.179.225
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="MpHhVeIlFEHfKlgPEXadm63.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 94272
    Last-Modified: Tue, 03 Dec 2024 22:48:36 GMT
    X-GUploader-UploadID: AFiumC4SZswhMEmuP4mlsMsaArNnS5ae27_TYEWllhM3SGuWqZiIIqIy2HW1HTM3PW0DvY4hLeT9GQF6-w
    Date: Wed, 04 Dec 2024 10:09:23 GMT
    Expires: Wed, 04 Dec 2024 10:09:23 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=KfVVVg==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    checkip.dyndns.org
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    158.101.44.242
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    132.226.247.73
  • flag-de
    GET
    http://checkip.dyndns.org/
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Dec 2024 10:09:24 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 207b96fa2587ff783cd6320eb5e8e066
  • flag-de
    GET
    http://checkip.dyndns.org/
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    193.122.6.168:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Dec 2024 10:09:25 GMT
    Content-Type: text/html
    Content-Length: 106
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 6299fbbdd82634fc38eefbebc8bee1e7
  • flag-us
    DNS
    reallyfreegeoip.org
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    8.8.8.8:53
    Request
    reallyfreegeoip.org
    IN A
    Response
    reallyfreegeoip.org
    IN A
    172.67.177.134
    reallyfreegeoip.org
    IN A
    104.21.67.152
  • flag-us
    GET
    https://reallyfreegeoip.org/xml/181.215.176.83
    Bank Swift and SOA PRN0072003410853_pdf.exe
    Remote address:
    172.67.177.134:443
    Request
    GET /xml/181.215.176.83 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Dec 2024 10:09:25 GMT
    Content-Type: text/xml
    Content-Length: 356
    Connection: keep-alive
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 1794419
    Last-Modified: Wed, 13 Nov 2024 15:42:26 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=08zAOxQUmiHadV3ZVOrx2kDL7yw0X3%2BXRdfYFPA5bOMhN2szHensnJdNcvNSc4tV%2BuHsqSbEJdpQgKtUHzIxxKO9HQehY9aXB%2FEDUWkcugnQOaGknX6NrCf5WaJU%2BeLN6aqEEFWz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ecb0034df11ef13-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28900&min_rtt=26419&rtt_var=9861&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2867&recv_bytes=374&delivery_rate=112028&cwnd=253&unsent_bytes=0&cid=e050353946343ab8&ts=94&x=0"
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    88.221.134.83
    a1363.dscg.akamai.net
    IN A
    88.221.134.146
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    88.221.134.83:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 37b0a847-001e-003a-4dc7-0f4d92000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 04 Dec 2024 10:09:50 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    95.100.245.144:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: aa584fbb-e01e-0040-08ef-2b50d2000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Wed, 04 Dec 2024 10:09:50 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV831e3ab4.0
    ms-cv-esi: CASMicrosoftCV831e3ab4.0
    X-RTag: RT
  • 142.250.180.14:443
    https://drive.google.com/uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE
    tls, http
    Bank Swift and SOA PRN0072003410853_pdf.exe
    986 B
    9.0kB
    10
    11

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE

    HTTP Response

    303
  • 142.250.200.3:80
    http://c.pki.goog/r/r1.crl
    http
    Bank Swift and SOA PRN0072003410853_pdf.exe
    348 B
    1.7kB
    5
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.200.3:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
    http
    Bank Swift and SOA PRN0072003410853_pdf.exe
    782 B
    1.6kB
    7
    4

    HTTP Request

    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

    HTTP Response

    200
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download
    tls, http
    Bank Swift and SOA PRN0072003410853_pdf.exe
    2.7kB
    109.0kB
    47
    84

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1EgOCsf99trjG0lF1RtEiwaQ8OHNr6iEE&export=download

    HTTP Response

    200
  • 193.122.6.168:80
    http://checkip.dyndns.org/
    http
    Bank Swift and SOA PRN0072003410853_pdf.exe
    548 B
    818 B
    6
    4

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 172.67.177.134:443
    https://reallyfreegeoip.org/xml/181.215.176.83
    tls, http
    Bank Swift and SOA PRN0072003410853_pdf.exe
    684 B
    4.4kB
    7
    7

    HTTP Request

    GET https://reallyfreegeoip.org/xml/181.215.176.83

    HTTP Response

    200
  • 88.221.134.83:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 95.100.245.144:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    445 B
    2.0kB
    5
    5

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 8.8.8.8:53
    drive.google.com
    dns
    Bank Swift and SOA PRN0072003410853_pdf.exe
    62 B
    78 B
    1
    1

    DNS Request

    drive.google.com

    DNS Response

    142.250.180.14

  • 8.8.8.8:53
    c.pki.goog
    dns
    Bank Swift and SOA PRN0072003410853_pdf.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    o.pki.goog
    dns
    Bank Swift and SOA PRN0072003410853_pdf.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Bank Swift and SOA PRN0072003410853_pdf.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.179.225

  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    Bank Swift and SOA PRN0072003410853_pdf.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    193.122.6.168
    132.226.8.169
    158.101.44.242
    193.122.130.0
    132.226.247.73

  • 8.8.8.8:53
    reallyfreegeoip.org
    dns
    Bank Swift and SOA PRN0072003410853_pdf.exe
    65 B
    97 B
    1
    1

    DNS Request

    reallyfreegeoip.org

    DNS Response

    172.67.177.134
    104.21.67.152

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    88.221.134.83
    88.221.134.146

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsdB3B7.tmp\System.dll

    Filesize

    11KB

    MD5

    fc90dfb694d0e17b013d6f818bce41b0

    SHA1

    3243969886d640af3bfa442728b9f0dff9d5f5b0

    SHA256

    7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

    SHA512

    324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

  • memory/2084-19-0x0000000077AB0000-0x0000000077C59000-memory.dmp

    Filesize

    1.7MB

  • memory/2084-39-0x00000000004B0000-0x0000000001512000-memory.dmp

    Filesize

    16.4MB

  • memory/2084-40-0x00000000004B0000-0x0000000001512000-memory.dmp

    Filesize

    16.4MB

  • memory/2084-41-0x0000000077AB0000-0x0000000077C59000-memory.dmp

    Filesize

    1.7MB

  • memory/2084-42-0x00000000004B0000-0x00000000004CE000-memory.dmp

    Filesize

    120KB

  • memory/2148-15-0x0000000003690000-0x0000000004C57000-memory.dmp

    Filesize

    21.8MB

  • memory/2148-16-0x0000000077AB1000-0x0000000077BB2000-memory.dmp

    Filesize

    1.0MB

  • memory/2148-17-0x0000000077AB0000-0x0000000077C59000-memory.dmp

    Filesize

    1.7MB

  • memory/2148-18-0x0000000003690000-0x0000000004C57000-memory.dmp

    Filesize

    21.8MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.