Resubmissions

  • 24-07-2023 08:36  230724-khjtsscc8x  4
  • 24-07-2023 07:58  230724-jttmpsbf29  10

Analysis

  • max time kernel
    1799s
  • max time network
    1611s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24-07-2023 08:36

General

  • Target

    https://github.com/Pyran1/MalwareDatabase/archive/refs/heads/master.zip

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://github.com/Pyran1/MalwareDatabase/archive/refs/heads/master.zip"
    PID:5064
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2036
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      PID:4860
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3964
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4200
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:3320
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:3692
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:5100
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TKY5VT23\edgecompatviewlist[1].xml
    Filesize: 74KB
    MD5: d4fc49dc14f63895d997fa4940f24378
    SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
    SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
    SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\263BGYXZ\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MalwareDatabase-master.zip
    Filesize: 1451.9MB
    MD5: 44b160df5003a8aa4ee8c657a59bb422
    SHA1: f72daa3eef29790b5406e05a823675b760216324
    SHA256: b419662674f0841cf8f9b866111f8c896d7ba5bc45c367fca41ccef74f10a6a1
    SHA512: b25e072434d95e8fb89106923a690d73623702fa56c83b68bcfb56cc843c152c5d7169cd6267a28979f8ef39c084c41eb9c2c8d39d54f04143949d53e42dcfec

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MalwareDatabase-master.zip.1cx3nds.partial
    Filesize: 1451.9MB
    MD5: 44b160df5003a8aa4ee8c657a59bb422
    SHA1: f72daa3eef29790b5406e05a823675b760216324
    SHA256: b419662674f0841cf8f9b866111f8c896d7ba5bc45c367fca41ccef74f10a6a1
    SHA512: b25e072434d95e8fb89106923a690d73623702fa56c83b68bcfb56cc843c152c5d7169cd6267a28979f8ef39c084c41eb9c2c8d39d54f04143949d53e42dcfec

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IK0JNMUT\MalwareDatabase-master[1].zip
    Filesize: 30KB
    MD5: d303dcbf45dc1c04ceb67cce72ca9222
    SHA1: 9b2a1d73627868eaba1716c17f095465a58920c7
    SHA256: 1793011149375c05fe7e9d2b49b7ebb3881ca048c22bc1c2ac8acef61349d91e
    SHA512: 7b958359869a09b164db43d5229aed55f3880ee0e3112b8f7ab7d5cd080c81bfe70d311e83723da0ec9b02be86055d1bacf96cd6aa6992b784261694e2c88cc7

  • memory/2036-137-0x0000026AA5E00000-0x0000026AA5E10000-memory.dmp
    Filesize: 64KB

  • memory/2036-156-0x0000026AA2AE0000-0x0000026AA2AE2000-memory.dmp
    Filesize: 8KB

  • memory/2036-121-0x0000026AA5520000-0x0000026AA5530000-memory.dmp
    Filesize: 64KB

  • memory/2036-230-0x0000026AAC8F0000-0x0000026AAC8F1000-memory.dmp
    Filesize: 4KB

  • memory/2036-231-0x0000026AADFD0000-0x0000026AADFD1000-memory.dmp
    Filesize: 4KB

  • memory/3320-185-0x000001CED2590000-0x000001CED2592000-memory.dmp
    Filesize: 8KB

  • memory/3320-191-0x000001CED25E0000-0x000001CED25E2000-memory.dmp
    Filesize: 8KB

  • memory/3320-189-0x000001CED25C0000-0x000001CED25C2000-memory.dmp
    Filesize: 8KB
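The digests above are the only part of this report that ties the run to a concrete artifact. Every process in the tree is a browser component (LaunchWinApp.exe, MicrosoftEdge.exe, browser_broker.exe, the MicrosoftEdgeCP.exe content processes and the rundll32.exe COM host), the only file written outside the browser caches is the 1451.9MB archive, and nothing in the trace extracts or executes its contents, so the signature hits describe Edge's own behaviour and say nothing about the samples inside the zip. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses Downloads entries as laid out on this page (either the label / value layout or "Label: value"), groups them by SHA-256, which collapses the `.partial` download and its final name into one content item and keeps the 30KB cache object apart, and verifies a locally fetched copy of the archive against the report's digests in a single streaming pass so a multi-gigabyte file is read once. `SAMPLE_REPORT` is a constructed excerpt carrying this page's own paths and digests; `parse_downloads`, `digest_stream` and the other function names are this example's own.

```python
"""Parse sandbox-report Downloads entries, group by SHA-256, verify a local file."""
import hashlib
import io
import sys

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
ALGOS = ("md5", "sha1", "sha256", "sha512")

# Constructed excerpt: paths and digests copied from the report, in both layouts
# the page uses (label on its own line, and "Label: value").
SAMPLE_REPORT = r"""
Downloads

• C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MalwareDatabase-master.zip

  Filesize

  1451.9MB

  MD5

  44b160df5003a8aa4ee8c657a59bb422

  SHA1

  f72daa3eef29790b5406e05a823675b760216324

  SHA256

  b419662674f0841cf8f9b866111f8c896d7ba5bc45c367fca41ccef74f10a6a1

  SHA512

  b25e072434d95e8fb89106923a690d73623702fa56c83b68bcfb56cc843c152c5d7169cd6267a28979f8ef39c084c41eb9c2c8d39d54f04143949d53e42dcfec

• C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\MalwareDatabase-master.zip.1cx3nds.partial
  Filesize: 1451.9MB
  MD5: 44b160df5003a8aa4ee8c657a59bb422
  SHA1: f72daa3eef29790b5406e05a823675b760216324
  SHA256: b419662674f0841cf8f9b866111f8c896d7ba5bc45c367fca41ccef74f10a6a1
  SHA512: b25e072434d95e8fb89106923a690d73623702fa56c83b68bcfb56cc843c152c5d7169cd6267a28979f8ef39c084c41eb9c2c8d39d54f04143949d53e42dcfec

• C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IK0JNMUT\MalwareDatabase-master[1].zip
  Filesize: 30KB
  MD5: d303dcbf45dc1c04ceb67cce72ca9222
  SHA1: 9b2a1d73627868eaba1716c17f095465a58920c7
  SHA256: 1793011149375c05fe7e9d2b49b7ebb3881ca048c22bc1c2ac8acef61349d91e
  SHA512: 7b958359869a09b164db43d5229aed55f3880ee0e3112b8f7ab7d5cd080c81bfe70d311e83723da0ec9b02be86055d1bacf96cd6aa6992b784261694e2c88cc7

• memory/2036-137-0x0000026AA5E00000-0x0000026AA5E10000-memory.dmp
  Filesize: 64KB
"""


def parse_downloads(text):
    """One dict per '•' entry. Memory-dump entries carry no digests, so they
    end up with only 'path' and 'filesize'."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = {"path": line[1:].strip()}
            entries.append(cur)
            pending = None
        elif cur is None:
            continue                      # section header before the first entry
        elif line in LABELS:
            pending = line.lower()        # value follows on the next non-blank line
        elif pending:
            cur[pending] = line
            pending = None
        else:
            label, sep, value = line.partition(":")
            if sep and label in LABELS:   # "Label: value" layout
                cur[label.lower()] = value.strip()
    return entries


def group_by_sha256(entries):
    """Map SHA-256 -> paths; identical content under several names shares a key."""
    groups = {}
    for e in entries:
        if "sha256" in e:
            groups.setdefault(e["sha256"].lower(), []).append(e["path"])
    return groups


def digest_stream(fobj, chunk_size=1 << 20):
    """All four digests in one pass over the stream."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for block in iter(lambda: fobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as f:
        return digest_stream(f)


def mismatches(expected, actual):
    """Algorithms whose digest in `expected` (a parsed entry) disagrees with `actual`."""
    return [a for a in ALGOS if a in expected and expected[a].lower() != actual[a]]


if __name__ == "__main__":
    entries = parse_downloads(SAMPLE_REPORT)
    for sha, paths in group_by_sha256(entries).items():
        print(sha, "->", len(paths), "path(s)")
    if len(sys.argv) > 1:  # path to an independently fetched MalwareDatabase-master.zip
        expected = next(e for e in entries if e["path"].endswith("MalwareDatabase-master.zip"))
        bad = mismatches(expected, digest_file(sys.argv[1]))
        print("OK" if not bad else "MISMATCH: " + ", ".join(bad))
```

Run it with the path of an archive fetched directly from the target URL to confirm it is byte-identical to what the sandbox received; a digest that agrees on SHA-256 but not on MD5 would indicate a transcription error in the report rather than a different file, which is why all four are compared. The grouping step is a cheap sanity check on any report of this kind: two entries with the same digest are one download seen under two names, not two files.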