Field | Value
---|---
URL | https://president-gov-lk.donwloaded.net/a4884a53/file.rtf
Full analysis | https://app.any.run/tasks/0a795546-e2e8-402e-817c-41fbe485046d
Verdict | Malicious activity
Analysis date | January 11, 2025, 01:13:24
OS | Windows 10 Professional (build: 19045, 64 bit)
Tags | —
Indicators | —
MD5 | 3EDE9F63E99B0CE334D637F146F2E25B
SHA1 | DBEEE0B38530D242D0C8A464390DA4369DA3256E
SHA256 | B35DBF37C2BB3B99EBE5DE97BCC48A2CC8293A93A76ED80043DB943B4E5E7720
SSDEEP | 3:N8TAQRIJEJk3pAuvEEIALBDn:2BRIJgkZAuvMu1
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
7172 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5a3aa464-c5a1-4c92-bd50-8e0251b7b3a0.tmp | binary | 1037F49804138EF377D4A5C8368E4552 | F7DB99EEA209F6B21D5AE08CDE64C63C5D3A974B87DEB520045655B7D3E55667
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000100 | compressed | 467A7F1BDC8970586094678DAF045479 | 8935A12B70C3AFB98B947B07AC7A36FE6C4D9FA51C81FB42669AD819CE6970AC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | binary | 1037F49804138EF377D4A5C8368E4552 | F7DB99EEA209F6B21D5AE08CDE64C63C5D3A974B87DEB520045655B7D3E55667
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fc | compressed | 961B52F2501F2264669A7427C50A679F | 0F6ECF18613AAD5CFD5B75C75DD4474472337D1D78377B7379E7D4BE98B78FC3
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb | compressed | 9B7D4DE3951C366D11F76B3C00504A88 | F12BCBDCDC48F467AEB1AD0D70E08D4DA0B0B5C2BD3B37AA2D783276716CEA07
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000101 | binary | 311F1298863858C8334BD7A8A0E34014 | 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fe | compressed | DB3828A7F6FEFEE6B7A53F46403C75CF | 4640C20749B7B0E0A5F49FB3F32CA90B05EFF25861343C81594CC126E7CD387E
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF29679c.TMP | binary | D0453075479429FE52D8FB780A7DA8E9 | 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF2967ab.TMP | binary | D2615E0C4F6C46045EDB3EAA0ACE252A | 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\f732d1c9-8554-4fc1-a66d-02643b8d35ee.tmp | binary | 0E9F8FCCCB54E843853AFF930ABF1F9B | 43198CE5997D8A720FC76678057EF3E969413ED1510497EB67D2BDB50F809E27
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/track.php?domain=donwloaded.net&toggle=browserjs&uid=MTczNjU1ODAxNC4wNzA3OjkxOWJmZDUwNjI2NzhhMzFhN2RlOTlmYjI1MTg0ZDA0NTE0YmVjMzEwODNmNGM5NzA0NTdmNGQ2ZTA5MGFlOTk6Njc4MWM1YmUxMTQxZA%3D%3D | unknown | — | — | — |
— | — | GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/track.php?domain=donwloaded.net&caf=1&toggle=answercheck&answer=yes&uid=MTczNjU1ODAxNC4wNzA3OjkxOWJmZDUwNjI2NzhhMzFhN2RlOTlmYjI1MTg0ZDA0NTE0YmVjMzEwODNmNGM5NzA0NTdmNGQ2ZTA5MGFlOTk6Njc4MWM1YmUxMTQxZA%3D%3D | unknown | — | — | — |
— | — | GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/favicon.ico | unknown | — | — | — |
— | — | GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/a4884a53/file.rtf | unknown | html | 15.0 Kb | malicious |
— | — | GET | 200 | 52.222.236.17:443 | https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js | unknown | binary | 104 Kb | — |
— | — | GET | 201 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/ls.php?t=6781c5be&token=47f0c66e4de2b22cc6d56bf79aac902bcdd3967f | unknown | binary | 16 b | malicious |
— | — | GET | 200 | 142.250.186.66:443 | https://partner.googleadservices.com/gampad/cookie.js?domain=president-gov-lk.donwloaded.net&client=dp-teaminternet09_3ph&product=SAS&callback=__sasCookie&cookie_types=v1%2Cv2 | unknown | text | 382 b | whitelisted |
— | — | GET | 200 | 52.222.236.17:443 | https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js | unknown | binary | 104 Kb | — |
— | — | GET | 200 | 18.66.121.190:443 | https://d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img/arrows.png | unknown | image | 11.1 Kb | whitelisted |
— | — | POST | 200 | 54.75.69.192:443 | https://obseu.netgreencolumn.com/ct | unknown | binary | 3.51 Kb | — |
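Two details in the HTTP table are worth checking before treating this as a document download: the `file.rtf` URL was answered with content typed `html` (15.0 Kb), not an RTF document, and the page then called `track.php`, `ls.php`, two `netgreencolumn.com` hosts and `partner.googleadservices.com` with `client=dp-teaminternet09_3ph`. The `uid` on the `track.php` calls is base64 and can be decoded offline. The Python below is an added example, not part of the ANY.RUN report; the two URLs are copied from the table above. It decodes the `uid` and cross-checks it against the hex `t` parameter of the `ls.php` call. Reading the three colon-separated fields as a PHP `microtime(true)` float, a 64-hex-character token and a PHP `uniqid()` value is an inference from their shapes and from the fact that all three embedded timestamps agree with each other (and with the report's analysis time), not something the report states.

```python
"""Decode the tracking parameters from this report's HTTP table.

Added example, not part of the ANY.RUN report. The URLs are copied from the
report; the field interpretation in decode_uid() is an inference (see lead-in).
"""
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Copied from the report's HTTP requests table.
TRACK_URL = (
    "https://president-gov-lk.donwloaded.net/track.php?domain=donwloaded.net"
    "&toggle=browserjs&uid=MTczNjU1ODAxNC4wNzA3OjkxOWJmZDUwNjI2NzhhMzFhN2RlOTlm"
    "YjI1MTg0ZDA0NTE0YmVjMzEwODNmNGM5NzA0NTdmNGQ2ZTA5MGFlOTk6Njc4MWM1YmUxMTQxZA%3D%3D"
)
LS_URL = (
    "https://president-gov-lk.donwloaded.net/ls.php?t=6781c5be"
    "&token=47f0c66e4de2b22cc6d56bf79aac902bcdd3967f"
)

HEX_DIGITS = set("0123456789abcdef")


def query_param(url: str, name: str) -> str:
    """Return one query-string parameter, percent-decoded (so %3D%3D becomes ==)."""
    return parse_qs(urlsplit(url).query)[name][0]


def decode_uid(uid_b64: str) -> dict:
    """Split the base64 uid into its three colon-separated fields.

    Inference, not documented by the report: the fields look like PHP
    microtime(true), a 64-hex token, and PHP uniqid() (8 hex secs + 5 hex usec).
    """
    raw = base64.b64decode(uid_b64).decode("ascii")
    microtime, token, uniq = raw.split(":")
    return {"microtime": float(microtime), "token": token, "uniqid": uniq}


def uniqid_to_epoch(uniq: str) -> float:
    """Convert a PHP-uniqid()-shaped value back to a Unix timestamp with microseconds."""
    return int(uniq[:8], 16) + int(uniq[8:], 16) / 1_000_000


def cross_check(track_url: str = TRACK_URL, ls_url: str = LS_URL) -> dict:
    """Decode the uid and test whether its timestamps agree with each other and with ls.php?t=."""
    fields = decode_uid(query_param(track_url, "uid"))
    seconds = int(fields["microtime"])
    t_param = int(query_param(ls_url, "t"), 16)  # ls.php?t= is hex seconds
    return {
        "uid_time_utc": datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(),
        "uniqid": fields["uniqid"],
        "token_hex_len": len(fields["token"]),
        "token_is_hex": set(fields["token"]) <= HEX_DIGITS,
        "uid_matches_uniqid": abs(fields["microtime"] - uniqid_to_epoch(fields["uniqid"])) < 0.001,
        "ls_t_matches_uid": t_param == seconds,
        "parent_domain": query_param(track_url, "domain"),
    }


if __name__ == "__main__":
    for key, value in cross_check().items():
        print(f"{key}: {value}")
```

The decoded time (01:13:34 UTC on 11 January 2025) falls ten seconds after the report's analysis start, and the `domain=` parameter names the parent `donwloaded.net`, so the `uid` is a per-visit tracking value minted by the landing page at load time, not a client-side identifier.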
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
8056 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3080 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5184 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4668 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
7172 | msedge.exe | 15.197.130.221:443 | president-gov-lk.donwloaded.net | AMAZON-02 | US | malicious |
7172 | msedge.exe | 52.222.236.13:443 | euob.netgreencolumn.com | AMAZON-02 | US | unknown |
7172 | msedge.exe | 18.66.121.138:443 | d38psrni17bvxu.cloudfront.net | AMAZON-02 | US | whitelisted |
7172 | msedge.exe | 142.250.185.132:443 | www.google.com | — | — | whitelisted |
7172 | msedge.exe | 13.107.246.45:443 | xpaywalletcdn.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | — | whitelisted
google.com | — | whitelisted
president-gov-lk.donwloaded.net | — | malicious
euob.netgreencolumn.com | — | unknown
d38psrni17bvxu.cloudfront.net | — | whitelisted
www.google.com | — | whitelisted
xpaywalletcdn.azureedge.net | — | whitelisted
obseu.netgreencolumn.com | — | unknown
syndicatedsearch.goog | — | unknown
partner.googleadservices.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc Attack | ET Threatview.io High Confidence Cobalt Strike C2 IP group 5 |
— | — | Misc Attack | ET Threatview.io High Confidence Cobalt Strike C2 IP group 4 |
— | — | A Network Trojan was detected | ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net) |
— | — | A Network Trojan was detected | ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net) |
— | — | A Network Trojan was detected | ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI) |
— | — | A Network Trojan was detected | ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI) |
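The ET rules above write the domain in defanged form (`president-gov-lk .donwloaded .net`) and fire on it twice, once as a DNS lookup and once as a TLS SNI, while the connections table places the resolved address 15.197.130.221 in AMAZON-02. The Python below is an added example, not part of the ANY.RUN report: it pulls the FQDN out of the rule messages, refangs it, and hunts for it in DNS, TLS-SNI and connection records. FQDN hits (exact, or any label beneath the indicator) are scored high; bare-IP hits are scored low because shared AWS address space is reused by unrelated sites. The log lines, the `cdn.` subdomain and the source hosts in them are constructed for the demonstration and do not come from the report.

```python
"""Hunt for this report's network indicators in DNS / TLS-SNI / connection logs.

Added example, not part of the ANY.RUN report. Indicator values are copied from
the report; the log lines are constructed for the demonstration.
"""
import re

# Rule messages copied from the report's Suricata table (domain is defanged).
ALERT_MESSAGES = [
    "ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)",
    "ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)",
]
# From the connections table. The address is in AMAZON-02 (shared AWS space), so a
# bare IP hit is weak evidence; the FQDN is the indicator worth acting on.
MALICIOUS_IPS = {"15.197.130.221"}


def refang(value: str) -> str:
    """Undo common defanging: 'a .b .c', 'a[.]b', 'hxxp://'."""
    value = value.strip().lower()
    value = re.sub(r"\s*\[?\.\]?\s*", ".", value)
    return re.sub(r"^hxxp", "http", value)


def fqdns_from_alerts(messages) -> set:
    """Pull the parenthesised domain out of the ET rule messages and refang it."""
    found = set()
    for msg in messages:
        m = re.search(r"\(([^()]+?)(?: in TLS SNI)?\)", msg)
        if m:
            found.add(refang(m.group(1)))
    return found


def match_fqdn(name: str, fqdns):
    """Return the indicator FQDN that `name` equals or sits beneath, else None."""
    name = refang(name).rstrip(".")
    for bad in fqdns:
        if name == bad or name.endswith("." + bad):
            return bad
    return None


# Constructed, Zeek-flavoured lines: ts, source host, record kind, value.
SAMPLE_LOG = """\
1736558010.120\t10.0.0.5\tdns\tpresident-gov-lk.donwloaded.net
1736558011.004\t10.0.0.5\tssl\tPRESIDENT-GOV-LK.donwloaded.net.
1736558011.350\t10.0.0.5\tconn\t15.197.130.221
1736558020.800\t10.0.0.9\tdns\twww.google.com
1736558030.100\t10.0.0.12\tssl\tcdn.president-gov-lk.donwloaded.net
1736558031.000\t10.0.0.12\tconn\t15.197.130.221
1736558040.000\t10.0.0.14\tconn\t52.222.236.13
"""


def hunt(log_text: str, fqdns, ips=MALICIOUS_IPS) -> list:
    """Scan tab-separated records; name hits are high confidence, IP-only hits low."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, value = line.split("\t")
        if kind in ("dns", "ssl"):
            bad = match_fqdn(value, fqdns)
            if bad:
                hits.append({"ts": float(ts), "src": src, "kind": kind, "ioc": bad, "confidence": "high"})
        elif kind == "conn" and value in ips:
            hits.append({"ts": float(ts), "src": src, "kind": kind, "ioc": value, "confidence": "low"})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, fqdns_from_alerts(ALERT_MESSAGES)):
        print(hit)
```

Note that the parent `donwloaded.net` alone does not match: the report flags only the `president-gov-lk` host, and the ET rules are written against that FQDN, so the matcher stays at that scope rather than widening to the whole parent zone.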