Resubmissions

13-05-2023 22:25

230513-2b6tesbg91 10

13-05-2023 22:23

230513-2aznqahe54 5

Analysis

  • max time kernel
    968s
  • max time network
    972s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2023 22:23

General

  • Target

    Full version 2.0.rar

  • Size

    33.4MB

  • MD5

    d27309da2d9955e35ed8857c4e1c3811

  • SHA1

    c401881293f9f490a015a6abe5fa241f3b24bfd9

  • SHA256

    2361f90ff27aa1f3eda6031ab6aa2860bae6bceab468d6ff222d0f1e8bd6c5ab

  • SHA512

    d77871306ff7226234e9dc83156730705e8c0f733fe3262ca0b762b81af7981fea1639e893feb88ae407967d57c1b850951b11bc94f3aaa20bf7670d5a61c709

  • SSDEEP

    786432:hVBJyDMIzgBxGFgVbn0cgzZ1qas1SH3mBL4cW9XP5voU6+h8C:h3JyAbBxsgFn0cgzZ1XHN9hDh8C

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 20 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Full version 2.0.rar"
    1⤵
    • Modifies registry class
    PID:2276
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1d21a508hc82fh4089habache33d154b025c
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9af8946f8,0x7ff9af894708,0x7ff9af894718
      2⤵
        PID:1936
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2161296131763939843,16106599361043892722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        2⤵
          PID:3300
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2161296131763939843,16106599361043892722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:952
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2161296131763939843,16106599361043892722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
          2⤵
            PID:4540
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
          1⤵
            PID:4844
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:3424
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
              1⤵
                PID:576
              • C:\Windows\SysWOW64\DllHost.exe
                C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                1⤵
                  PID:2504
                • C:\Windows\system32\mmc.exe
                  "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
                  1⤵
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:708
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:5232

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Discovery

                  System Information Discovery

                  3
                  T1082

                  Query Registry

                  2
                  T1012

                  Peripheral Device Discovery

                  1
                  T1120

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    0820611471c1bb55fa7be7430c7c6329

                    SHA1

                    5ce7a9712722684223aced2522764c1e3a43fbb9

                    SHA256

                    f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

                    SHA512

                    77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                    Filesize

                    70KB

                    MD5

                    e5e3377341056643b0494b6842c0b544

                    SHA1

                    d53fd8e256ec9d5cef8ef5387872e544a2df9108

                    SHA256

                    e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                    SHA512

                    83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
                    Filesize

                    2KB

                    MD5

                    fea5d470d11a210e1fbb9a25aa38265e

                    SHA1

                    b96f8777b305d9ef56f08fa31e7451b852cbb579

                    SHA256

                    672f8fbed7e6547d4e9531904a4347b934eede50f3ef41705f45750164c7477c

                    SHA512

                    e0dcf7aefd74ebdad9a1de345f7c81fbc94398b8a95de60830cc13f9e3dc746af85af383deb2d75fb77dfdcc5cd926c374d42a2b1d2d383e730cc6427cd20f52

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                    Filesize

                    111B

                    MD5

                    285252a2f6327d41eab203dc2f402c67

                    SHA1

                    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                    SHA256

                    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                    SHA512

                    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    3KB

                    MD5

                    2f97ee3de9fd02642ce964911aff6b78

                    SHA1

                    2da24871223ae7ab9e03889a9790bf163c92eb5b

                    SHA256

                    dd5df9d845951e918e014e65bf509bf54bae625c1e9f4c932d832fed77d5d693

                    SHA512

                    606dd6fb364cad7fe101dd07dfd1c67a757a8d1b61d1e50c2840e1cf58a56f3ecf281adc0c33eec9fc0ea70daad02c9f740dcf4b4a27b77de25450e7d42e6e2f

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                    Filesize

                    3KB

                    MD5

                    f7df0835c6b25cd8495b83d7a001db6e

                    SHA1

                    e1150468669eac29d1913df087f2ad3d1644dce6

                    SHA256

                    4da8184ee49cc2ea2bfdccd24d25535b7d219c834b5f93b3a80515aa681f5631

                    SHA512

                    69ee9d65e233a763473041bb782d14621e1850076d7f67154f2f5b5c3890ace5efe29ac0ea89dfa795adeeddf2b9cf00986c10a370fb1f47b98ba15d4a27a85b

                  • \??\pipe\LOCAL\crashpad_4736_RYIPIKMOYUAIIJSM
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e