b03987a19b06570e3e22054c4e67bbf13a728a96e312dd6dd8b2701f0b5a5202

Analysis

max time kernel
104s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 23:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-20_c088e418868aff006bd4b6482d9e8390_coinminer_ismagent_ryuk_sliver.exe
Size

3.3MB
MD5

c088e418868aff006bd4b6482d9e8390
SHA1

52f8e13c4de11f3d8b8745226d101ca442d6c0e7
SHA256

b03987a19b06570e3e22054c4e67bbf13a728a96e312dd6dd8b2701f0b5a5202
SHA512

4b6fe0f6e0f13c3f8839822cf58ddc8a419be643d2a1404e3c6b176b6c8e5c27b19f47c551bf02294eb2c1b8c0c8cf4ba7fdf824361fe1ca41cba80edf5d7f72
SSDEEP

49152:TX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qt:TlRsZ47/QXoHUOfAoj1x6t

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe
Token: SeSystemProfilePrivilege	2280	wmic.exe
Token: SeSystemtimePrivilege	2280	wmic.exe
Token: SeProfSingleProcessPrivilege	2280	wmic.exe
Token: SeIncBasePriorityPrivilege	2280	wmic.exe
Token: SeCreatePagefilePrivilege	2280	wmic.exe
Token: SeBackupPrivilege	2280	wmic.exe
Token: SeRestorePrivilege	2280	wmic.exe
Token: SeShutdownPrivilege	2280	wmic.exe
Token: SeDebugPrivilege	2280	wmic.exe
Token: SeSystemEnvironmentPrivilege	2280	wmic.exe
Token: SeRemoteShutdownPrivilege	2280	wmic.exe
Token: SeUndockPrivilege	2280	wmic.exe
Token: SeManageVolumePrivilege	2280	wmic.exe
Token: 33	2280	wmic.exe
Token: 34	2280	wmic.exe
Token: 35	2280	wmic.exe
Token: 36	2280	wmic.exe
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe
Token: SeSystemProfilePrivilege	2280	wmic.exe
Token: SeSystemtimePrivilege	2280	wmic.exe
Token: SeProfSingleProcessPrivilege	2280	wmic.exe
Token: SeIncBasePriorityPrivilege	2280	wmic.exe
Token: SeCreatePagefilePrivilege	2280	wmic.exe
Token: SeBackupPrivilege	2280	wmic.exe
Token: SeRestorePrivilege	2280	wmic.exe
Token: SeShutdownPrivilege	2280	wmic.exe
Token: SeDebugPrivilege	2280	wmic.exe
Token: SeSystemEnvironmentPrivilege	2280	wmic.exe
Token: SeRemoteShutdownPrivilege	2280	wmic.exe
Token: SeUndockPrivilege	2280	wmic.exe
Token: SeManageVolumePrivilege	2280	wmic.exe
Token: 33	2280	wmic.exe
Token: 34	2280	wmic.exe
Token: 35	2280	wmic.exe
Token: 36	2280	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 2280	3980	2025-03-20_c088e418868aff006bd4b6482d9e8390_coinminer_ismagent_ryuk_sliver.exe	86
PID 3980 wrote to memory of 2280	3980	2025-03-20_c088e418868aff006bd4b6482d9e8390_coinminer_ismagent_ryuk_sliver.exe	86

C:\Users\Admin\AppData\Local\Temp\2025-03-20_c088e418868aff006bd4b6482d9e8390_coinminer_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-20_c088e418868aff006bd4b6482d9e8390_coinminer_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3732A3A0981E6F481D47B61599956E47; domain=.bing.com; expires=Tue, 14-Apr-2026 23:44:32 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3BE4C7053B2842EF96AC4CF2C6A146B2 Ref B: FRA31EDGE0213 Ref C: 2025-03-20T23:44:32Z
date: Thu, 20 Mar 2025 23:44:31 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3732A3A0981E6F481D47B61599956E47

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=l1F65dEt1-HVCud33R9ds2tsBsg4Uu7CSy57So4jSvQ; domain=.bing.com; expires=Tue, 14-Apr-2026 23:44:32 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3090FB4BB1FC4FA8A289DAC6CD9D9A5D Ref B: FRA31EDGE0213 Ref C: 2025-03-20T23:44:32Z
date: Thu, 20 Mar 2025 23:44:32 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3732A3A0981E6F481D47B61599956E47; MSPTC=l1F65dEt1-HVCud33R9ds2tsBsg4Uu7CSy57So4jSvQ

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F8DE272461864B9FB3967552503D0222 Ref B: FRA31EDGE0213 Ref C: 2025-03-20T23:44:32Z
date: Thu, 20 Mar 2025 23:44:32 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Thu, 20 Mar 2025 23:19:16 GMT
Expires: Fri, 21 Mar 2025 00:09:16 GMT
Age: 1577
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

384 B
355 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.