Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
06/07/2023, 07:08
General
-
Target
Good Football Fusion 2 - Linkvertise Downloader_SGHi-M1.exe
-
Size
10.8MB
-
MD5
fc30f38c629fbafcfd1f4a4895814c46
-
SHA1
e6b298591f7034463f603ede1573c8a198938b7f
-
SHA256
40e1b53fb04746ac4a0561f5ab781291069b90232215afc36320263308a28ec9
-
SHA512
74aba9bd29a9d6200f5b35a15f66c6edb57b3a8cfa24b3c04f2a90224d64bcda7564047a5f88698107aaf5e18c6d22bc6d8f5f3fdfdda2bb86aeb800d90e37d2
-
SSDEEP
196608:w38JJEU16hTZl583S0LJu+mzfDkzXJKUNWGJ3k2ZoXOM1ugha:Z1MlCC0Ybzf4zZKUok5oXN8x
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Good Football Fusion 2 - Linkvertise Downloader_SGHi-M1.exe"C:\Users\Admin\AppData\Local\Temp\Good Football Fusion 2 - Linkvertise Downloader_SGHi-M1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-751P3.tmp\Good Football Fusion 2 - Linkvertise Downloader_SGHi-M1.tmp"C:\Users\Admin\AppData\Local\Temp\is-751P3.tmp\Good Football Fusion 2 - Linkvertise Downloader_SGHi-M1.tmp" /SL5="$8016C,10373288,1230848,C:\Users\Admin\AppData\Local\Temp\Good Football Fusion 2 - Linkvertise Downloader_SGHi-M1.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/raw/jqKFzsTq3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dba646f8,0x7ff9dba64708,0x7ff9dba647184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1694335654901166710,1056664541208008885,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a7ad9bb1054aa03e39b3554833d0c3ec
SHA1cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9
SHA2560c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189
SHA512d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
180B
MD5781f712234169a3d5217d656b97944d8
SHA1d5a92c7938ee15cba8e6533ec411891af74458f1
SHA256654d03bdf36ae7dde6005259a0e4a916ef40a33d8f0b90c2b7127fdff88a9338
SHA5125b8169ac078a32bfbb58b2c444717832cf094d244cee9a93cffc9e068612554d515bd5cd2f919f3e447c6fea6df12e8d5aa5e385684aa2a7cbaf1c6eae042e2d
-
Filesize
6KB
MD5a2c6fa8efa2563037dea73e7caab7bc6
SHA1720d59f995a6f07fa7f2d782353643597633e691
SHA256a80795ea52a3941acebeab0c84691ae8ee28d93309fc2049115d73521b6c3c68
SHA5128b29fe7802e099db2f7da82751d1e83b17fd1c6214d97fe6760c40a91ae753ecf253baf0e846b0d9bb61536faa196eb275f79fbdb90d4df186252f1db5abcd6a
-
Filesize
5KB
MD59a96b9be4886c7befe826eae7d45ccd4
SHA18f6aa5ed2cb2717d849441e06d10b6f06a0e1354
SHA256843370506fbe8587a6823ada57f88eb079b81d2519d9e09a58f3fe4ee2db157f
SHA5125fb64d55e984c87f1c86e932e0310b45833267613c1e043ab2369a6b54d3ecb692838e488f97639c832bf8a84e143a41e034f2a2a2c2803a29f5d4cfb857220b
-
Filesize
24KB
MD5e62cc4051e1f8eaa0abda5d730a2496b
SHA1d15346e40b196bc313cbfe5ac96b3c90b83345be
SHA256ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb
SHA5123e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD56fc49b0ae7c39ccd3a6e8de46839eb8d
SHA18600c72c4e30b1ca7148e79e3726a51a37c7ed54
SHA2562f009ae27821e7dbc9925eb12ede9aa860933e1f81c05a7c108cb6af213de4b9
SHA51245e57caa50dda4a8c80b23ee4c7eb5b7c5938aede4d444814373546a242d9f49eb8309d23dece51cbc471e3f443e0cc87c4a46485ef917226a1100ba8fb8809a
-
Filesize
3.3MB
MD536b37e0b2ce4747ceac6f895ec3e1660
SHA11b961ff51b855a48626bf03326ac08c68744b3ca
SHA256d189b03c957346c8beee98d3f2b1956381eefb67e7818b476e93494e28acd681
SHA512ac8a2797769743106631a2aa8f36940ecad11c6c91ac8e86d1a846ffeb3005a3704ce1401290d9dca54b859a4c5ee261c8804f7b7e8d59a01047a3e1126d150f
-
Filesize
1.8MB
MD543ce6d593abd5141a3139603f352ae05
SHA1a97c75e23d275dddfde15ef5fdf3ff3253c0992c
SHA25694e874f2702ea6be50e7d74864b66e7f763449c3db237803f3fad6adfd64ed3d
SHA512bfc527529e5f73ba190dfc5bd043175c7e2ae963b665d6d39421c29e025020f1d593dc88b7bee33d86ef6b4f7a4c5e1a0339df4e99cab6849a275d1dda9f439f
-
Filesize
1.9MB
MD5ce2dc2cc12aec529511da19cf63ba802
SHA15b45c33a34df73920077f546176a3aa96df0f80e
SHA256bde7cc0193ad2fbdfa9f072d9003bf1c82cd27e027b2e038343514f8cc8ee6d2
SHA51298b5017e437b05639238b63bdf6cccdea7665f3fa0c55e87e8c7139551c213b1a63d641d588b950346ec66bb03b4800dc4e3dd4c60f80e0e76779b1ba58d2be7
-
Filesize
33KB
MD5db6c259cd7b58f2f7a3cca0c38834d0e
SHA1046fd119fe163298324ddcd47df62fa8abcae169
SHA256494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2
SHA512a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
29KB
MD506b0076d9f4e2488d32855a0161e9c74
SHA17dbc3c098f7fb1256aeca79c256b75802b5fdd69
SHA256929243f002eb4209a9e68af6744a3d63ece2b173c910a59d6752536dabf3870b
SHA5127cecc1fc1c13f97dfe1ae7592918c9df16233851a8dd667ac2199b92fd24410a6ef76acfa014cd00aad2d27dfe2887f41100563cf2240f720466dbebaed0375a
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
3.4MB
-
Filesize
60KB
-
Filesize
4KB
