Overview

overview

3

Static

static

1

MegaDownloader.exe

windows7-x64

1

MegaDownloader.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    65s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2023 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MegaDownloader.exe

  • Size

    2.1MB

  • MD5

    02d50582f3216d59744f80b407ba0b70

  • SHA1

    6b1124e414f5151aae7f8fe515ceea019d276e89

  • SHA256

    dd2e64e27b2a982fd08365c37a26953c28fd386ec075c47cc05101c2b2660d2b

  • SHA512

    5b2078704f0c8d807cc8132ec343824288af900fd7441626ff7d0d59c4208a4ba3e287dc4d2d113abfb605f7392a80c50697c8f8ebaa21e1e4dcc8c40e75996c

  • SSDEEP

    49152:lRRRcFpfwKDNhjWlkd1C8rzN5BEH8dTpn5gP1YWmaYHNS:MpfNjWlg4WXKcT5gP1LkNS

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MegaDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\MegaDownloader.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://goo.gl/IHgwV
      2⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb31ce46f8,0x7ffb31ce4708,0x7ffb31ce4718
        3⤵
          PID:2516
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
          3⤵
            PID:3824
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
            3⤵
              PID:920
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
              3⤵
                PID:4856
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
                3⤵
                  PID:4860
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
                  3⤵
                    PID:2656
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                    3⤵
                      PID:1556
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
                      3⤵
                        PID:4340
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1231963115973408046,9072770951516996579,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
                        3⤵
                          PID:5008
                    • C:\Windows\system32\wbem\WmiApSrv.exe
                      C:\Windows\system32\wbem\WmiApSrv.exe
                      1⤵
                        PID:1496
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:1996

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          462f3c1360a4b5e319363930bc4806f6

                          SHA1

                          9ba5e43d833c284b89519423f6b6dab5a859a8d0

                          SHA256

                          fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

                          SHA512

                          5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          d2642245b1e4572ba7d7cd13a0675bb8

                          SHA1

                          96456510884685146d3fa2e19202fd2035d64833

                          SHA256

                          3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

                          SHA512

                          99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                          Filesize

                          48B

                          MD5

                          e2156aa6efb8e6965295ecef51f38eeb

                          SHA1

                          9261f9528bd9bd466cafc75f46dceef07f012789

                          SHA256

                          e3df57c6da12a1cae87bd6394288763d51495dbcc2bdcb630a16e6086307373b

                          SHA512

                          0135dc40792a1f8e3b5e05dccdde7cd037c19962c5e3d8b80181d5818d7d1c04e8030ca65046c3249b198acf055e50a782a7339cdf9024181818cd57fa374818

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                          Filesize

                          768B

                          MD5

                          b4731960d609e3daa8c27fa082608101

                          SHA1

                          60edc23a9bf660233a5b751b5c6c7c13745f36b1

                          SHA256

                          81ac5f3e1f602f52612c9bccc5f440474d1443c8a9793264409d217a663cf574

                          SHA512

                          b4a8af2755e02f002af42f3ad761e81cd2cfb2f9d210b5458429e1ea25806ed34cb8130f980a54664f266020a75e5229bbf06dfdad3cf8f786d9e8cf9461d7a3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                          Filesize

                          70KB

                          MD5

                          e5e3377341056643b0494b6842c0b544

                          SHA1

                          d53fd8e256ec9d5cef8ef5387872e544a2df9108

                          SHA256

                          e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                          SHA512

                          83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
                          Filesize

                          2KB

                          MD5

                          9b796cf9c600477fd67b2df26bcdf0ff

                          SHA1

                          261c8256fa9b00cc8f2cc821d9d901705a4cd5a9

                          SHA256

                          5c00fd49ed4ffae4da808bc08d0446503bf0a0f5760f7f5b7c5e9a1ab521859d

                          SHA512

                          88c4599c209780edfd36b7b2862bf57da28c0d87699eb8519caad19666f54ab2ace969d7596b82258c7d24743ed59cf8c00d8814f7c97862ef49132e680b67a4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                          Filesize

                          360B

                          MD5

                          413fe25ef9326958ebe562af7c397e42

                          SHA1

                          04f2b5ccd07f4ba4aff4b4d584d35adbef558e89

                          SHA256

                          60f386b3d9447d684ec36b04ef2a21ac5bd65ed5e5c762d893d3f63a4e77dd41

                          SHA512

                          6d9e5551abe11cbf295af499becd72626e66bab56a6e5e3ac3c43fd2e1539b76ae959da0d0bf6ec7b4a9111fbf72f87073a40d31c2d78e5fdc4b3bece2f555a9

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          4KB

                          MD5

                          ee7245de9b5c289cd03e13f2904a6412

                          SHA1

                          8a209e3a3ffca855437ec1a00b873636e939132c

                          SHA256

                          cca483fb990bb876073731465333ba86f9b168e658bcd596e0f60155efda1f87

                          SHA512

                          98ab8104c0cdaf72ead682fc501c9f7902d517ae9020675abe86c40b470341a54854ecfe6dfa580d50a107692e7cd72b99c327b44a2fa0da1f7f5fa297517e18

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          6KB

                          MD5

                          28ed22bbcd65248337a6ad0e9d6c577f

                          SHA1

                          8364a92734f6bc79fa0af21ba36eab6d17062791

                          SHA256

                          9797616deaf4c8ff1e6bb00bd5a182716d016fc7659b3b35c8ce44284ea0cc8b

                          SHA512

                          b6279cda1259a63ba92a295679387b451d99efc90c52e5e96fd170d87680a1c7be969ee9a1847cc9216b8b49536cda6e6c0680266298e4d92dcc4329c881ad5c

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                          Filesize

                          24KB

                          MD5

                          130644a5f79b27202a13879460f2c31a

                          SHA1

                          29e213847a017531e849139c7449bce6b39cb2fa

                          SHA256

                          1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

                          SHA512

                          fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
                          Filesize

                          41B

                          MD5

                          5af87dfd673ba2115e2fcf5cfdb727ab

                          SHA1

                          d5b5bbf396dc291274584ef71f444f420b6056f1

                          SHA256

                          f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                          SHA512

                          de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
                          Filesize

                          16B

                          MD5

                          46295cac801e5d4857d09837238a6394

                          SHA1

                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                          SHA256

                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                          SHA512

                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
                          Filesize

                          264KB

                          MD5

                          f50f89a0a91564d0b8a211f8921aa7de

                          SHA1

                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                          SHA256

                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                          SHA512

                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                          Filesize

                          9KB

                          MD5

                          e8bc596aec557dbbf400e8497b8689ae

                          SHA1

                          e32f39c19733ef646780dfb0d7375e0f4de49f90

                          SHA256

                          65f68a5c30714d8da8386d403bc70e9f608a163d0df72ae2ed8dc5a301defa97

                          SHA512

                          4669d2adebcec22b9c73a07cafb3b047a129d03f0ebc34e521958e0fdd94b20ea89238a66ffd0afb188635e0927949e4ffa2745893bae9b4bba53fd87c568f9a

                          Download Submit

                        • memory/3824-174-0x00007FFB55820000-0x00007FFB55821000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4928-147-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-148-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-155-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-156-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-134-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-133-0x0000000000AE0000-0x0000000000B42000-memory.dmp

                          Filesize

                          392KB

                          Download

                        • memory/4928-146-0x000000001B6E0000-0x000000001B82E000-memory.dmp

                          Filesize

                          1.3MB

                          Download

                        • memory/4928-154-0x000000001B6E0000-0x000000001B82E000-memory.dmp

                          Filesize

                          1.3MB

                          Download

                        • memory/4928-153-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-151-0x0000000022790000-0x00000000227E0000-memory.dmp

                          Filesize

                          320KB

                          Download

                        • memory/4928-464-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-467-0x000000001B6E0000-0x000000001B82E000-memory.dmp

                          Filesize

                          1.3MB

                          Download

                        • memory/4928-468-0x000000001CB00000-0x000000001CB10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4928-470-0x000000001B6E0000-0x000000001B82E000-memory.dmp

                          Filesize

                          1.3MB

                          Download