Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
06/01/2023, 21:34
General
-
Target
izyb - Linkvertise Downloader_RrW4-d1.exe
-
Size
2.6MB
-
MD5
ebc320a21c5ed81dd2dbf13d4c71addc
-
SHA1
ec09eeb7873520c0f4f1f2ca9a196ef6df4fa36f
-
SHA256
b9b692fd597fd59ddc516e43ab66367263c7ebd7f85c6666d5751729711cca59
-
SHA512
dbfefd704ffe78863e5f12ad73360f578361234a3a1914d6021a0d000ab994e4667255600f9b4052e86a0842d755f7b3ca44fd098bedb644327edf2149989482
-
SSDEEP
49152:4qe3f6ahzD7+H98AHaCfu64HCL+WuTmuKwET:NSiAD7E9vButHCK5NKXT
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\izyb - Linkvertise Downloader_RrW4-d1.exe"C:\Users\Admin\AppData\Local\Temp\izyb - Linkvertise Downloader_RrW4-d1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-U376U.tmp\izyb - Linkvertise Downloader_RrW4-d1.tmp"C:\Users\Admin\AppData\Local\Temp\is-U376U.tmp\izyb - Linkvertise Downloader_RrW4-d1.tmp" /SL5="$8004A,1785071,899584,C:\Users\Admin\AppData\Local\Temp\izyb - Linkvertise Downloader_RrW4-d1.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/a6oas3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd3ba546f8,0x7ffd3ba54708,0x7ffd3ba547184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5864 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff673d25460,0x7ff673d25470,0x7ff673d254805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5112 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1752 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1452,9142811828158228062,16117672850118461556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:84⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
2.0MB
MD5e1f18a22199c6f6aa5d87b24e5b39ef1
SHA10dcd8f90b575f6f1d10d6789fe769fa26daafd0e
SHA25662c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d
SHA5125a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190
-
Filesize
3.0MB
MD574fad5c6cd2d3af1fa257b5e9531993a
SHA1ab701031918456195cf9a12a8b33f9417a9f6496
SHA2568dc40627fa4c09f7fd6df78e3ad03d7db3767010e15418dba24e63754dcbc59b
SHA51205b107537675cfa43f3cc744c3de9164069816401af9fdb7a82dcb1a021985b97f2ecc56e3ea17151a0dee97b0af175f0883b8fb4cf5c5f7d72a5479c5557edb
-
Filesize
932KB
-
Filesize
932KB
-
Filesize
932KB
-
Filesize
932KB
-
Filesize
60KB