The hypothesis is that the detected URLs are malicious executable files used by adversaries to deliver payloads and compromise endpoints. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential malware infections before they cause widespread damage.
IOC Summary

Threat: exe
Total URLs: 10
Active URLs: 9
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://196.251.107.130/RUN_x64.exe | online | malware_download | 2026-05-08 |
| hxxp://196.251.107.130/RUN_x32.exe | online | malware_download | 2026-05-08 |
| hxxp://62.60.226.159/uploads/RIuBqY6b3GgC.exe | offline | malware_download | 2026-05-08 |
| hxxp://id89652.cfd/uploads/4WYz1GcVBwZd.exe | online | malware_download | 2026-05-08 |
| hxxp://62.60.226.159/uploads/V2BIqXDFGxz4.exe | online | malware_download | 2026-05-08 |
| hxxp://62.60.226.159/uploads/XvQVQruNPnzM.exe | online | malware_download | 2026-05-08 |
| hxxp://id89652.cfd/uploads/aYImqF0B9zN4.exe | online | malware_download | 2026-05-08 |
| hxxp://62.60.226.159/uploads/aYImqF0B9zN4.exe | online | malware_download | 2026-05-08 |
| hxxp://62.60.226.159/uploads/4WYz1GcVBwZd.exe | online | malware_download | 2026-05-08 |
| hxxp://id89652.cfd/uploads/XvQVQruNPnzM.exe | online | malware_download | 2026-05-08 |
Hunting Queries

```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: exe
// The list mixes domains and bare IPs: domains match the queried Name,
// IPs can only appear in the resolved IPAddresses column, so check both.
let malicious_domains = dynamic(["id89652.cfd", "196.251.107.130", "62.60.226.159"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```
```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: exe
let malicious_domains = dynamic(["id89652.cfd", "196.251.107.130", "62.60.226.159"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
Required Data Connectors

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is downloading a legitimate .exe file from a trusted source (e.g., Microsoft Update) to patch a known vulnerability.
  Filter/Exclusion: Exclude URLs containing update.microsoft.com or windowsupdate.com in the URL field.
- Scenario: A scheduled job is running a legitimate software update tool (e.g., Chocolatey, Scoop, or WSUS) that downloads .exe files as part of its routine maintenance.
  Filter/Exclusion: Exclude URLs containing chocolatey.org, scoop.sh, or wsus in the URL field.
- Scenario: A user is manually running a trusted executable (e.g., 7-Zip, WinRAR, or Notepad++) that is flagged due to its .exe extension.
  Filter/Exclusion: Exclude URLs containing 7-zip.org, winrar.com, or notepad-plus-plus.org in the URL field.
- Scenario: A legitimate system diagnostic tool (e.g., Process Monitor, Sysinternals, or Process Explorer) is being downloaded from Microsoft's official site.
  Filter/Exclusion: Exclude URLs containing sysinternals.com or download.microsoft.com in the URL field.
- Scenario: A backup or synchronization tool (e.g., Veeam, SyncBack, or Robocopy) is being executed, and its installer or update file is flagged due to the .exe extension.
  Filter/Exclusion: Exclude URLs containing veeam.com, syncback.com, or robocopy.exe in the URL field.
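The hunting queries above hard-code the host list by hand, and the false-positive exclusions are described as substring matches on the URL field. The following added example (not part of the original page or of URLhaus) refangs the defanged IOC table, derives the unique hosts for the KQL `dynamic([...])` list, and renders the CommonSecurityLog hunt with an allowlist applied as a host-suffix match, which is tighter than a plain "contains" check. The `ALLOWLIST` values are assumed from the scenarios above; the IOC rows are a subset copied from the table.

```python
# Added example (not from the original page): turn the defanged URLhaus IOC
# table into the KQL host list and apply the false-positive allowlist safely.
from urllib.parse import urlparse

# Rows copied from the IOC table above (defanged as published).
IOC_URLS = [
    "hxxp://196.251.107.130/RUN_x64.exe",
    "hxxp://196.251.107.130/RUN_x32.exe",
    "hxxp://62.60.226.159/uploads/RIuBqY6b3GgC.exe",
    "hxxp://id89652.cfd/uploads/4WYz1GcVBwZd.exe",
    "hxxp://id89652.cfd/uploads/aYImqF0B9zN4.exe",
]
# Assumed allowlist built from the false-positive scenarios on this page.
ALLOWLIST = ["update.microsoft.com", "windowsupdate.com", "chocolatey.org",
             "sysinternals.com", "download.microsoft.com", "veeam.com"]

def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so urlparse sees a real scheme."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def host_of(url: str) -> str:
    """Hostname (domain or bare IP) of a defanged or live URL, lowercased."""
    return (urlparse(refang(url)).hostname or "").lower()

def unique_hosts(urls) -> list:
    """Ordered, de-duplicated hosts for the KQL has_any() list."""
    return list(dict.fromkeys(host_of(u) for u in urls))

def is_allowlisted(url: str, allowlist) -> bool:
    """True if the host is an allowlisted domain or one of its subdomains.
    Suffix matching avoids the over-match of a plain substring check
    (notwindowsupdate.com must not pass as windowsupdate.com)."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in allowlist)

def build_kql(hosts, allowlist) -> str:
    """Render the CommonSecurityLog hunt with the allowlist exclusion added."""
    ioc = ", ".join(f'"{h}"' for h in hosts)
    allow = ", ".join(f'"{d}"' for d in allowlist)
    return (f"let malicious_domains = dynamic([{ioc}]);\n"
            f"let allowlist = dynamic([{allow}]);\n"
            "CommonSecurityLog\n"
            "| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)\n"
            "| where not(DestinationHostName has_any (allowlist))\n"
            "| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction\n"
            "| order by TimeGenerated desc")

if __name__ == "__main__":
    print(build_kql(unique_hosts(IOC_URLS), ALLOWLIST))
```

Paste the printed query into Sentinel Logs; regenerate it whenever the URLhaus feed changes instead of editing the `dynamic([...])` list by hand.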