74d605f499761efb73eb2e3b38b54383bf3c80511984a9908ff8eee23dc66f78

Analysis

max time kernel
155s
max time network
274s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/01/2025, 12:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.Buffers.dll
Size

20KB
MD5

ecdfe8ede869d2ccc6bf99981ea96400
SHA1

2f410a0396bc148ed533ad49b6415fb58dd4d641
SHA256

accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
SHA512

5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741
SSDEEP

384:/rMdp9yXOfPfAxR5zwWvYW8a2cyHRN7vCvlbLg:/rMcXP6N6e

Score

1^/10

Malware Config

Signatures

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Buffers.dll,#1
1⤵
PID:1256

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

8.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.153.16.2.in-addr.arpa

IN PTR

Response

8.153.16.2.in-addr.arpa

IN PTR

a2-16-153-8deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A

Response

fd.api.iris.microsoft.com

IN CNAME

fd-api-iris.trafficmanager.net

fd-api-iris.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com

IN A

20.103.156.88
GET

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=EDC20E3BBE2843EFA39B90920917F58F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204381&lo=37272&tsu=37272

Remote address:

20.103.156.88:443

Request

GET /v4/api/selection?&asid=EDC20E3BBE2843EFA39B90920917F58F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204381&lo=37272&tsu=37272 HTTP/2.0
host: fd.api.iris.microsoft.com
accept-encoding: gzip, deflate
x-sdk-hw-token: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AASHtGc0elW8XxV55SLMSLuhgRzs5E9HEWzaJCfBHMWFdoOyRNvX6i3fq2ZbYJNgHPtIpFAHg8RZwnuTs6UnkDQ/bqA0wkDfad0GLcvzQc9bxv0YREhMlGGE/URBfI68/TaowFXnB7WjxD5BcdpqJVj2/vO7QA7cHfxMJpfWujI+2N/b8Z6Uks41On8I/Z0DZurHeHu1xJ4bCBXtkK0Wi1swt4xvMSRdnYmv6M3gHZYWxPu60TBVy00NWFpCvfyCW9GoFUXmqpInsnE5Co8MuXtWAXQa4q06W00GmUv4cH1Zx035WdHNeEm5gblIa9QdpOZ4DA003vgy3UrNiy5XN5cwQZgAAEPeFV4Opz3XGqeUe15HrsKuwAVD9N7rhi0Md2OekA9JFjPbxifMNxD07xqNFbnrwsDugNDWWITvCBGfmH22TuRKMmSVKYkRntkhWcld3SN84kbKCdqAptSFUAjF2M9UmNsaDYkj/vHqdUZPg+QNhf8pfzw1g29bfkWTGPk/aE8Rapd+j1DezbQHS+3/EzxboBO8xBFDINYpYP/DsgL442boUWQYogUjIMxGMOC0XSWZ3ivfxyAtcy2NYa34oJOwjwcIIvJVPSFjQYq5fu7SdtuudSb478W0LtNtMfNlVJ9WLwZ1q0YGewzZFXkrHxmMWi4z/zy2jUj6hPQ67nJfyDxdfSbhBrWp7JSsdaTmI3WKj+DCfLQKTCLbASjEBK5BL9EShyps4pZkMny/8Ak5cat4xxeHM9HRinTaL8Hc0GYOL+LYT1bkckJObLeu07QKl47UqLzp6QEG2hlClkKFT5q+L5zD+StO8+hHAC6B9q71k/YfXffKKlt9jAYfX3o6AZhs3zIVoUi5Gk4OnNymVKISVgFw2jxfMze7hZEEPNEv4Y0PsPfEjdhYvecf+3Ln6pYtjVC6TrvIgdddOEKv/umYR7doB&p=

Response

HTTP/2.0 200

cache-control: no-store, no-cache
pragma: no-cache
content-length: 131
content-type: application/json; charset=utf-8
expires: Mon, 01 Jan 0001 00:00:00 GMT
server: Microsoft-IIS/10.0
arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
x-aspnet-version: 4.0.30319
x-powered-by: ASP.NET
strict-transport-security: max-age=31536000; includeSubDomains
date: Mon, 06 Jan 2025 12:11:18 GMT
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR
DNS

2.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.173.189.20.in-addr.arpa

IN PTR

Response

20.103.156.88:443

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=EDC20E3BBE2843EFA39B90920917F58F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204381&lo=37272&tsu=37272

tls, http2

2.7kB
7.5kB
18
13

HTTP Request

GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=EDC20E3BBE2843EFA39B90920917F58F&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1733929060&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A50ACBC7D-7476-6380-3B6C-0B9AD8F9FA09&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204381&lo=37272&tsu=37272

HTTP Response

200
52.111.236.22:443

322 B
7

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

8.153.16.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

8.153.16.2.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

fd.api.iris.microsoft.com

dns

71 B
196 B
1
1

DNS Request

fd.api.iris.microsoft.com

DNS Response

20.103.156.88
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

29.243.111.52.in-addr.arpa

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

2.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.173.189.20.in-addr.arpa

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.