Overview

overview

6

Static

static

1

URLScan

urlscan

1

https://onionshare.o...

windows10-1703-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-05-2023 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://onionshare.org/#download

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://onionshare.org/#download
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2268
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:148483 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4672
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\OnionShare-win64-2.6.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2196
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2262E7226A12483A99A965AB6C1823
    Filesize

    503B

    MD5

    f1b9dae1f72b4bb9249ab2af727767b7

    SHA1

    9e7de4d3a9d9ff27d408da2f73b4beef33efb7ec

    SHA256

    f1d63ff3ffb27b3d98f6dea33d1c8ff1b7c07b139eed16c6f7dd66d76920dd78

    SHA512

    8141b2cc0a3d007349e8f035ac4174933e4ff3852257ff9c93dc2e647ee5847544bfd7f2674ce66e95382129688a78202b97b36582a6f6667d8f7ed2fbac2613

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize

    717B

    MD5

    60fe01df86be2e5331b0cdbe86165686

    SHA1

    2a79f9713c3f192862ff80508062e64e8e0b29bd

    SHA256

    c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

    SHA512

    ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4
    Filesize

    1KB

    MD5

    0e9ac3874de3b6958490b0861299081f

    SHA1

    dc9ab84f72b0fdf96a8061f8be5df64f1f5d1c76

    SHA256

    8b33ab6b7897b8f9830bf0ff2300a2de459d308cc9505886a47ffd17636c8762

    SHA512

    8466872618e4df6ddf963a1a0f4f9ccf9ff3d35c9ec397616651f21ecd26c3f0b06bcb1149f88fe470657013afcf99dd759781320b8fa80eed2f2d7bf9f5d6a1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_48610F82B8236DFE45D3020017730D79
    Filesize

    2KB

    MD5

    4453a796244b7ce10ffeb09e43d9d3b4

    SHA1

    821a34a3c0a9de722a4aca0fce1edf677c8e93ea

    SHA256

    3fd0a7ff030e48fe1c83bcb5e7cb932b3509c31e6cb6604d9d21eb173ad716d1

    SHA512

    a76fd5a899e849effe0b9f0064d4b187e9f0024372feb91e35095734c8e32a84d40f377cdab7bf00e270110ed72a1bcbd8421222ef601bc3e18cfdf360e09a30

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    6bab4c9ad3e95e1fd0029f08eac5ce30

    SHA1

    9a5cc9aa49546e7bb43ac7329a5f7cead8a10543

    SHA256

    c93bdb32f59f9234c077ece327924f7acbabe226f66a54f2e6e258bebfa16dff

    SHA512

    a74b5f18969189869f96b830cb85313031fe147d8df67a637a407a4573e06a40bcd44ab8bc9228daf2ab301d88943bcfa41c7924d8c4d0ce94ac9b24f6e877e9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2262E7226A12483A99A965AB6C1823
    Filesize

    548B

    MD5

    6a0b8469722a8c5274ec9efb85d86380

    SHA1

    6335ba54c5166c4dbfb37cc1e93a21b197dc5f4d

    SHA256

    1b4e8f32d3280bef6e47179d8abeedbf713f264aba8503cea5f259ea111bb196

    SHA512

    3807a980173b9878913fcf481f09eb1c1d4a5a33a5074abf9f62addad1b91d56719cd00ca64c9dfc133f4942952e97f1de2d649c69aeffcc5ae3114b7a513e91

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize

    192B

    MD5

    47ae737cc1ba50a0ed0fb28f095b9725

    SHA1

    6ff88cf4a88f0375a0bccf6f48fd77cdac32542c

    SHA256

    e1bc4138cf1514d622e32fd2d158ce00823e81afe8e87e18feb8aa8797c175fc

    SHA512

    aa1150893a5b08e26bf816058b8f37d895d6d9eeb7150e48be5f44366ab0d7bea98b5855e31cd9759648caf2f924d62d5189d70f6bf96780af3813e055d82dc2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4
    Filesize

    412B

    MD5

    fe294e8440c20bdfc02e453b3b16e6d7

    SHA1

    7bc501513b20a85a5173ebcc39a73c3d5930260c

    SHA256

    ac3048de6baa98d97a1ad3b362976b6c8e1ac5433b73dbb0cfdad802290c2dcc

    SHA512

    259bffc4792d8908ac71c6664a447fad5bcf62765eb2b7ad02504f6493c69598078b0c7fba5efe2870af2a18140dad616ce31dc2cae4161759b387c5a9c507b7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_48610F82B8236DFE45D3020017730D79
    Filesize

    416B

    MD5

    5d82e914447ba990593fc9ff4086f0f5

    SHA1

    c6dfa19a8d5ae2ad75c32d58ed3af944c6fee1ea

    SHA256

    1f49aab295b6b9949497d3376432f620581877eed807bce0b7decf90684d043a

    SHA512

    ddf46138c45d455646ea2bd6b71d5dd69c1141d8ff72aa70ce2940ab120dc5e37a9da0196ba8a184fe847f9064c1fd2d0a86428a84a5dd9b77a4624622644097

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    434B

    MD5

    d1d132d638f0048c49c8fba0dfaec226

    SHA1

    26e198809cef7e8d222e2581b75e7ec5d71486f7

    SHA256

    54f479b7b91f7dbda6ce72ac0517361d683be79c3f6c9206a2945bf3cb946f4b

    SHA512

    0d7796ff43a58603e9a9318a16c4a85bfdaa62909f46ba0c5cb8d5fe0cad721128db936ff1193d848718788b0a7ffb0902166a84884f2a6ef68a6a51af2da3f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6FGHNCOX\favicon[1].ico
    Filesize

    4KB

    MD5

    b75ac7b6e28a639ebb44df6b6cd2a76a

    SHA1

    c91ef46c22289df9068d765898a3a4c60b91aa5e

    SHA256

    700c15f181c29ffb347dc6fca2e0b9971e951f6289bb0d64091f71a81feb593b

    SHA512

    087b85f166c0cf41eeae2969e5ba2f854a06b1dcf6a1d8fdbe8128b206ad236da1d1dd28ee25d5191dc401c1c3c3755bc9646a82bcd6e6972f2ede139bd24875

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PC8JD7GN\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\M1SX20Z2.cookie
    Filesize

    607B

    MD5

    c3437cad0c2235b686b4da0bf3f8ac8c

    SHA1

    f898946592789dabc421ebfbf38485f040aa8c0b

    SHA256

    78130c0e8281b66212226644facec8be7a7dc37f1d0b7f84620f05975286e6c4

    SHA512

    fb4dc42e714e2b6d822c564d8cdfc5cebd1d1bfe541908008d0da25628e1a6481a1a9dda4bc6cce9eb28e98c486423a36b26ba423b551e02f4743141d4a87514

    Download Submit

  • C:\Users\Admin\Downloads\OnionShare-win64-2.6.msi.4e3zghw.partial
    Filesize

    88.4MB

    MD5

    a06b173341b5c63e0f2709dc6f94115d

    SHA1

    a5fbe70d017a034af399ba32e687628ad0ae700e

    SHA256

    181d75c3d6d4ca97fd4b1185677aaf325710649db5bd98225958c51b1617c12d

    SHA512

    c4f900712e00e8d98d475b9801be152badb2f3f5d6d8a4c40521668d2dab6ae9ffc30de4df5862d98550b3c17aba837afd14ef8a761041b67cebbc7cb1c9f364

    Download Submit