URL: https://president-gov-lk.donwloaded.net/a4884a53/file.rtf

Full analysis: https://app.any.run/tasks/191b7471-0ea0-4ffa-a6e7-fc0b93b1a395
Verdict: Malicious activity
Analysis date: January 11, 2025, 01:54:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ta399, apt
Indicators:
MD5: 3EDE9F63E99B0CE334D637F146F2E25B
SHA1: DBEEE0B38530D242D0C8A464390DA4369DA3256E
SHA256: B35DBF37C2BB3B99EBE5DE97BCC48A2CC8293A93A76ED80043DB943B4E5E7720
SSDEEP: 3:N8TAQRIJEJk3pAuvEEIALBDn:2BRIJgkZAuvMu1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • msedge.exe (PID: 7172)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 151
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

msedge.exe

Process information

PID: 7172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --webtransport-developer-mode --no-appcompat-clear --mojo-platform-channel-handle=2496 --field-trial-handle=2204,i,13280900864495260754,3672259324373187194,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: (none shown)
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 0
Suspicious files: 16
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\08475354-460e-417f-a4ff-0a8054e435f7.tmp | binary
  MD5: 6A4651D6B89E00E81842109F9A389FB4
  SHA256: F6BDC004532B857CA0DB520E239CFA7D25FE6E0A55DA8A99C7BFC5428DC99320
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\fefe7a58-9bdc-4130-b7eb-408213e92aa0.tmp | binary
  MD5: F4AC33A3B337CFBB79D4559D688546CB
  SHA256: F036AEFD60FE35A7009D4AB7BC97C8893EB9A02257A688D31FF7979959A87FBB
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000101 | binary
  MD5: 311F1298863858C8334BD7A8A0E34014
  SHA256: 846351F83ED17838A1DE223EAD4E9900D1E127B3243695DAF5A4988E965C44CC
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF295fbc.TMP | binary
  MD5: D2615E0C4F6C46045EDB3EAA0ACE252A
  SHA256: 48EFA073914F67BCCE305DECBC121BE7FA6D343982BE00A666B4C5FB6A30A7A9
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF295ced.TMP | binary
  MD5: D0453075479429FE52D8FB780A7DA8E9
  SHA256: 574112CCCB36E004E93B2BCBBA7F6CEB8FF3B12E3E462BEF80F1B57044E035B1
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fd | compressed
  MD5: C50EBD6E363286CAF2DD5DE7F1EFC5FD
  SHA256: 8E3C2E5DC9BA13A5A4554CC67AC750EBB7E0431FD092680CFBB31322E7AA5A0D
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity | binary
  MD5: 6A4651D6B89E00E81842109F9A389FB4
  SHA256: F6BDC004532B857CA0DB520E239CFA7D25FE6E0A55DA8A99C7BFC5428DC99320
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fc | compressed
  MD5: 9B7D4DE3951C366D11F76B3C00504A88
  SHA256: F12BCBDCDC48F467AEB1AD0D70E08D4DA0B0B5C2BD3B37AA2D783276716CEA07
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000fb | compressed
  MD5: 9B7D4DE3951C366D11F76B3C00504A88
  SHA256: F12BCBDCDC48F467AEB1AD0D70E08D4DA0B0B5C2BD3B37AA2D783276716CEA07
7172 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ff | compressed
  MD5: 5D6ED888DB457F7DDBEACA62F5130AEB
  SHA256: 6D4D9AEA629A08244E93BA3EB068F22343467DD3F19D0A7572FE5933C0F993EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 71
TCP/UDP connections: 46
DNS requests: 54
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 18.173.154.91:443 | https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js | unknown | - | - | -
- | - | GET | 200 | 15.197.130.221:443 | https://president-gov-lk.donwloaded.net/track.php?domain=donwloaded.net&toggle=browserjs&uid=MTczNjU2MDQ5MC4xMTk5OmI0NzUzZjMyNzE4OGUyZGExYzc2YTAxMDYzNzYxNzI4MjFhZGFiOWRhZWMxOWE2NjRlZjEzOTk0ZDYzNTdjMDQ6Njc4MWNmNmExZDQ3Zg%3D%3D | unknown | - | - | -
- | - | GET | 302 | 2.23.181.156:443 | https://go.microsoft.com/fwlink/?linkid=2133855&bucket=18 | unknown | - | - | -
- | - | GET | 200 | 18.173.154.125:443 | https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js | unknown | binary | 104 Kb | -
- | - | POST | 200 | 54.75.69.192:443 | https://obseu.netgreencolumn.com/mon | unknown | - | - | -
- | - | POST | 200 | 204.79.197.239:443 | https://edge.microsoft.com/componentupdater/api/v1/update?cup2key=7:_dkN5zFpoZ0tXEg278m7_sUUrUpFZ7T1bJf5xHMdRYA&cup2hreq=1c572621de855a323abf04f8381b93322c76254151089864bffb6923d33bf0a6 | unknown | text | 18.4 Kb | whitelisted
- | - | GET | 200 | 54.192.196.140:443 | https://d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/img/arrows.png | unknown | image | 11.1 Kb | whitelisted
- | - | POST | 200 | 3.248.162.96:443 | https://obseu.netgreencolumn.com/mon | unknown | - | - | -
- | - | GET | 200 | 13.107.246.45:443 | https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=commonConfig&IsStable=false | unknown | binary | 481 b | whitelisted
- | - | GET | 200 | 13.107.246.45:443 | https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=topSite&IsStable=false | unknown | binary | 497 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3080 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 224.0.0.251:5353 | - | - | - | unknown
5476 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7316 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7172 | msedge.exe | 15.197.130.221:443 | president-gov-lk.donwloaded.net | AMAZON-02 | US | malicious
7172 | msedge.exe | 142.250.185.228:443 | www.google.com | - | - | whitelisted
7172 | msedge.exe | 18.173.154.125:443 | euob.netgreencolumn.com | - | US | unknown
7172 | msedge.exe | 54.192.196.228:443 | d38psrni17bvxu.cloudfront.net | AMAZON-02 | US | whitelisted
7172 | msedge.exe | 13.107.246.45:443 | xpaywalletcdn.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 216.58.206.46 | whitelisted
president-gov-lk.donwloaded.net | 15.197.130.221 | malicious
euob.netgreencolumn.com | 18.173.154.125, 18.173.154.91, 18.173.154.128, 18.173.154.79 | unknown
d38psrni17bvxu.cloudfront.net | 54.192.196.228, 54.192.196.49, 54.192.196.107, 54.192.196.140 | whitelisted
www.google.com | 142.250.185.228 | whitelisted
xpaywalletcdn.azureedge.net | 13.107.246.45 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
obseu.netgreencolumn.com | 34.251.101.162, 54.75.69.192, 3.248.162.96 | unknown
syndicatedsearch.goog | 172.217.18.14 | unknown
partner.googleadservices.com | 142.250.184.194 | whitelisted

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)
- | - | A Network Trojan was detected | ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)
- | - | A Network Trojan was detected | ET MALWARE TA399 SideWinder APT CnC Domain in DNS Lookup (president-gov-lk .donwloaded .net)
- | - | Misc Attack | ET Threatview.io High Confidence Cobalt Strike C2 IP group 5
- | - | A Network Trojan was detected | ET MALWARE Observed TA399/Sidewinder APT Domain (president-gov-lk .donwloaded .net in TLS SNI)
- | - | Misc Attack | ET Threatview.io High Confidence Cobalt Strike C2 IP group 4
No debug info