URL: https://president-gov-lk.donwloaded.net/a4884a53/file.rtf

Full analysis: https://app.any.run/tasks/0a795546-e2e8-402e-817c-41fbe485046d
Verdict: Malicious activity
Analysis date: January 11, 2025, 01:13:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ta399, apt

Indicators:
MD5: 3EDE9F63E99B0CE334D637F146F2E25B
SHA1: DBEEE0B38530D242D0C8A464390DA4369DA3256E
SHA256: B35DBF37C2BB3B99EBE5DE97BCC48A2CC8293A93A76ED80043DB943B4E5E7720
SSDEEP: 3:N8TAQRIJEJk3pAuvEEIALBDn:2BRIJgkZAuvMu1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • msedge.exe (PID: 7172)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 144
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

msedge.exe

Process information

PID: 7172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 13
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5a3aa464-c5a1-4c92-bd50-8e0251b7b3a0.tmp | binary | 1037F49804138EF377D4A5C8368E4552 | F7DB99EEA209F6B21D5AE08CDE64C63C5D3A974B87DEB520045655B7D3E55667
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000100 | compressed | 467A7F1BDC8970586094678DAF045479 | 8935A12B70C3AFB98B947B07AC7A36FE6C4D9FA51C81FB42669AD819CE6970AC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | binary | 1037F49804138EF377D4A5C8368E4552 | F7DB99EEA209F6B21D5AE08CDE64C63C5D3A974B87DEB520045655B7D3E55667
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fc | compressed | 961B52F2501F2264669A7427C50A679F | 0F6ECF18613AAD5CFD5B75C75DD4474472337D1D78377B7379E7D4BE98B78FC3
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb | compressed | 9B7D4DE3951C366D11F76B3C00504A88 | F12BCBDCDC48F467AEB1AD0D70E08D4DA0B0B5C2BD3B37AA2D783276716CEA07
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000101 | binary | 311F1298863858C8334BD7A8A0E34014 | 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fe | compressed | DB3828A7F6FEFEE6B7A53F46403C75CF | 4640C20749B7B0E0A5F49FB3F32CA90B05EFF25861343C81594CC126E7CD387E
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF29679c.TMP | binary | D0453075479429FE52D8FB780A7DA8E9 | 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF2967ab.TMP | binary | D2615E0C4F6C46045EDB3EAA0ACE252A | 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\f732d1c9-8554-4fc1-a66d-02643b8d35ee.tmp | binary | 0E9F8FCCCB54E843853AFF930ABF1F9B | 43198CE5997D8A720FC76678057EF3E969413ED1510497EB67D2BDB50F809E27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 39
DNS requests: 38
Threats: 6

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/track.php?domain=donwloaded.net&toggle=browserjs&uid=MTczNjU1ODAxNC4wNzA3OjkxOWJmZDUwNjI2NzhhMzFhN2RlOTlmYjI1MTg0ZDA0NTE0YmVjMzEwODNmNGM5NzA0NTdmNGQ2ZTA5MGFlOTk6Njc4MWM1YmUxMTQxZA%3D%3D | unknown | - | - | -
GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/track.php?domain=donwloaded.net&caf=1&toggle=answercheck&answer=yes&uid=MTczNjU1ODAxNC4wNzA3OjkxOWJmZDUwNjI2NzhhMzFhN2RlOTlmYjI1MTg0ZDA0NTE0YmVjMzEwODNmNGM5NzA0NTdmNGQ2ZTA5MGFlOTk6Njc4MWM1YmUxMTQxZA%3D%3D | unknown | - | - | -
GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/favicon.ico | unknown | - | - | -
GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/a4884a53/file.rtf | unknown | html | 15.0 Kb | malicious
GET | 200 | 52.222.236.17:443 | https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js | unknown | binary | 104 Kb | -
GET | 201 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/ls.php?t=6781c5be&token=47f0c66e4de2b22cc6d56bf79aac902bcdd3967f | unknown | binary | 16 b | malicious
GET | 200 | 142.250.186.66:443 | https://partner.googleadservices.com/gampad/cookie.js?domain=president-gov-lk.donwloaded.net&client=dp-teaminternet09_3ph&product=SAS&callback=__sasCookie&cookie_types=v1%2Cv2 | unknown | text | 382 b | whitelisted
GET | 200 | 52.222.236.17:443 | https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js | unknown | binary | 104 Kb | -
GET | 200 | 18.66.121.190:443 | https://d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img/arrows.png | unknown | image | 11.1 Kb | whitelisted
POST | 200 | 54.75.69.192:443 | https://obseu.netgreencolumn.com/ct | unknown | binary | 3.51 Kb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
8056 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3080 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5184 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4668 | msedge.exe | 224.0.0.251:5353 | - | - | - | unknown
7172 | msedge.exe | 15.197.130.221:443 | president-gov-lk.donwloaded.net | AMAZON-02 | US | malicious
7172 | msedge.exe | 52.222.236.13:443 | euob.netgreencolumn.com | AMAZON-02 | US | unknown
7172 | msedge.exe | 18.66.121.138:443 | d38psrni17bvxu.cloudfront.net | AMAZON-02 | US | whitelisted
7172 | msedge.exe | 142.250.185.132:443 | www.google.com | - | - | whitelisted
7172 | msedge.exe | 13.107.246.45:443 | xpaywalletcdn.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.186.78 | whitelisted
president-gov-lk.donwloaded.net | 15.197.130.221 | malicious
euob.netgreencolumn.com | 52.222.236.13, 52.222.236.26, 52.222.236.17, 52.222.236.58 | unknown
d38psrni17bvxu.cloudfront.net | 18.66.121.138, 18.66.121.69, 18.66.121.190, 18.66.121.135 | whitelisted
www.google.com | 142.250.185.132 | whitelisted
xpaywalletcdn.azureedge.net | 13.107.246.45 | whitelisted
obseu.netgreencolumn.com | 54.75.69.192, 3.248.162.96, 34.251.101.162 | unknown
syndicatedsearch.goog | 142.250.186.78 | unknown
partner.googleadservices.com | 142.250.186.66 | whitelisted

Threats

Class | Message
Misc Attack | ET Threatview.io High Confidence Cobalt Strike C2 IP group 5
Misc Attack | ET Threatview.io High Confidence Cobalt Strike C2 IP group 4
A Network Trojan was detected | ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)
A Network Trojan was detected | ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)
A Network Trojan was detected | ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)
A Network Trojan was detected | ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)
No debug info