darkcomet | 07f25494ca96661749014ce8a459a3be96b55302fc8d176b291a15f67d9bc7a4

Analysis

max time kernel
77s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 02:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe
Size

703KB
MD5

85a3a19ca7a5f7b39fab7afc83796954
SHA1

7e9a371dcfd218bf516e7e2cb8bfbb2ca4393852
SHA256

07f25494ca96661749014ce8a459a3be96b55302fc8d176b291a15f67d9bc7a4
SHA512

cc894e8b352c55bd6d0f60e14482fca26d4f1db1d0ff0dc6a5ceeb94276a8765a18221cf4af37b2e345dbe53b1c7b2c06ee8281d2a82ffa68595eebd0a1f8aec
SSDEEP

12288:T+RKRkS6YRvN4Qxkgp38Em6Duh5Bdzz5PYMXxk3TFwicANfqVO3mdHysuuWjrfZZ:T+RKRkNYRZtp38R357xsBwjUfqg38HyZ

Score

10^/10

darkcomet darkcomet defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DarkComet

decclanyo.no-ip.org:200

Mutex

DC_MUTEX-6UC8UMN

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
eHBZFHJcBn1u
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

rc4.plain

1
#KCMDDC51#-890

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svchost.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4896	attrib.exe
2388	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	svchost.exe
1528	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2124	svchost.exe
Token: SeSecurityPrivilege	2124	svchost.exe
Token: SeTakeOwnershipPrivilege	2124	svchost.exe
Token: SeLoadDriverPrivilege	2124	svchost.exe
Token: SeSystemProfilePrivilege	2124	svchost.exe
Token: SeSystemtimePrivilege	2124	svchost.exe
Token: SeProfSingleProcessPrivilege	2124	svchost.exe
Token: SeIncBasePriorityPrivilege	2124	svchost.exe
Token: SeCreatePagefilePrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeRestorePrivilege	2124	svchost.exe
Token: SeShutdownPrivilege	2124	svchost.exe
Token: SeDebugPrivilege	2124	svchost.exe
Token: SeSystemEnvironmentPrivilege	2124	svchost.exe
Token: SeChangeNotifyPrivilege	2124	svchost.exe
Token: SeRemoteShutdownPrivilege	2124	svchost.exe
Token: SeUndockPrivilege	2124	svchost.exe
Token: SeManageVolumePrivilege	2124	svchost.exe
Token: SeImpersonatePrivilege	2124	svchost.exe
Token: SeCreateGlobalPrivilege	2124	svchost.exe
Token: 33	2124	svchost.exe
Token: 34	2124	svchost.exe
Token: 35	2124	svchost.exe
Token: 36	2124	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 2124	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	89
PID 1908 wrote to memory of 4016	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	91
PID 1908 wrote to memory of 4016	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	91
PID 1908 wrote to memory of 4016	1908	JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe	91
PID 2124 wrote to memory of 2836	2124	svchost.exe	90
PID 2124 wrote to memory of 2836	2124	svchost.exe	90
PID 2124 wrote to memory of 2836	2124	svchost.exe	90
PID 2124 wrote to memory of 1460	2124	svchost.exe	92
PID 2124 wrote to memory of 1460	2124	svchost.exe	92
PID 2124 wrote to memory of 1460	2124	svchost.exe	92
PID 2836 wrote to memory of 2388	2836	cmd.exe	95
PID 2836 wrote to memory of 2388	2836	cmd.exe	95
PID 2836 wrote to memory of 2388	2836	cmd.exe	95
PID 1460 wrote to memory of 4896	1460	cmd.exe	96
PID 1460 wrote to memory of 4896	1460	cmd.exe	96
PID 1460 wrote to memory of 4896	1460	cmd.exe	96
PID 2124 wrote to memory of 1528	2124	svchost.exe	98
PID 2124 wrote to memory of 1528	2124	svchost.exe	98
PID 2124 wrote to memory of 1528	2124	svchost.exe	98

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2388	attrib.exe
4896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85a3a19ca7a5f7b39fab7afc83796954.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4896
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4016

Network

DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360433543_1F4HJPO10Z3VYH0SK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360433543_1F4HJPO10Z3VYH0SK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 193575
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 83BC3C9EA08F41FE97D572103FD40D93 Ref B: LON04EDGE1207 Ref C: 2025-03-22T02:43:30Z
date: Sat, 22 Mar 2025 02:43:30 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 688476
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2253713962934A16ACC33030DCE40750 Ref B: LON04EDGE1207 Ref C: 2025-03-22T02:43:30Z
date: Sat, 22 Mar 2025 02:43:30 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 195935
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8E8E4ACFC7404C1EAC61E2C90090F1D9 Ref B: LON04EDGE1207 Ref C: 2025-03-22T02:43:30Z
date: Sat, 22 Mar 2025 02:43:30 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360433542_1UJC4903W7XNIUU73&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360433542_1UJC4903W7XNIUU73&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 843567
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 43CAD8934D024CD3AA0BA8D5B3546B8B Ref B: LON04EDGE1207 Ref C: 2025-03-22T02:43:30Z
date: Sat, 22 Mar 2025 02:43:30 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 815230
content-type: image/jpeg
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A0D8AF190B00498683A2C987D73A1309 Ref B: LON04EDGE1207 Ref C: 2025-03-22T02:43:30Z
date: Sat, 22 Mar 2025 02:43:30 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 712130
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6B58C24C43DF469F9041D53085868388 Ref B: LON04EDGE1207 Ref C: 2025-03-22T02:43:30Z
date: Sat, 22 Mar 2025 02:43:30 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Sat, 22 Mar 2025 02:39:32 GMT
Expires: Sat, 22 Mar 2025 03:29:32 GMT
Age: 263
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

127.9kB
3.6MB
2657
2653

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360433543_1F4HJPO10Z3VYH0SK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360265013_1UVY69FM05I7V26BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360265014_1I9L6MC65FHDFQ9Z7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360433542_1UJC4903W7XNIUU73&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

476 B
394 B
6
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc.vbs

Filesize
378B

MD5
fa87c36e56bb1f03f973d0125e286a09

SHA1
a47c79279865ad55be60eda927f6f0ad45053b7e

SHA256
d79606af3b78ec19255b43ac4050b477ee82b2d0f857c3a691111cd9ea667afd

SHA512
d867d6937551af2e4e9e18160312885be5659c0cd9f1c9ae112f2b6f887a31486700bb43567d6ef9c0070483c1233f5a5746af37c10b2d0fbc957c360318598a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/1908-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

Filesize
4KB

Download
memory/1908-1-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1908-2-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/1908-27-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/2124-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2124-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2124-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2124-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2124-14-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2124-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.