hxxps://dl[.]ubnt[.]com/ds/ltu-rocket/unit9

Analysis

max time kernel
961s
max time network
970s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2023, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dl.ubnt.com/ds/ltu-rocket/unit9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4812	msedge.exe
4812	msedge.exe
4312	msedge.exe
4312	msedge.exe
1876	identity_helper.exe
1876	identity_helper.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe
1936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 5028	4312	msedge.exe	18
PID 4312 wrote to memory of 5028	4312	msedge.exe	18
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 1280	4312	msedge.exe	86
PID 4312 wrote to memory of 4812	4312	msedge.exe	87
PID 4312 wrote to memory of 4812	4312	msedge.exe	87
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88
PID 4312 wrote to memory of 4416	4312	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dl.ubnt.com/ds/ltu-rocket/unit9
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba54446f8,0x7ffba5444708,0x7ffba5444718
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1138642717923124843,7122659296843347391,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
b023297b1df8fc7e5f05f7eb4d01bf3b

SHA1
cee5f15d00cc0920ba88e025b137733aea24456c

SHA256
3a8edb3eb26b4c30ef80dbee21b9e043fafc72154d40367b8888f271b0b61846

SHA512
eb442966d0db1e1679e9eea297d5f662167261358bce32e5548940134ce7d6e5dbfa9f8d65e74639b5903386e8d5f39448a01680bc86062f12441e689fa7a29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
875B

MD5
d5317fdd9178e472525ba270781b35e1

SHA1
243593de7aa508cf0231d98f753819fbd231b9ed

SHA256
b27cc41ade999b8025a8b44c2856a2b7abd32d1056db523bf4aee04eba627b9b

SHA512
6bb18abe762e2d6c63afc20c61b49c8ac4e6db6acfd0b551c2604966eb2164c0a49643bcb8670f504e002bafd29d8348d731848666abba6818bf5d3a4c214a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0016f18abf95766c05d494cdf245cf5a

SHA1
2d168876c71580ebfe55a97c7b07798a3608e19a

SHA256
8bc057716e3603b0ec9f0fc1d522ced96b25720445f1bfa3db1f667e4d92da2b

SHA512
9e4503a0e92d72b9c55a3b45f816cd5852a1fc321c55dc30f4d1a0547b88ed7b6857c8439a19c55c1d2b94b7f16233cf0ff796f11cb204a41883497003dafaaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
55198aedab0249fe8d6c03f70e47f788

SHA1
d332a3f820f2ab8501fc51274119151c54ad55c9

SHA256
81c180074fdd3b1d89e18fd65e4ddc6ba85ddfe0cb36fac02132bc9e3fcedb4e

SHA512
331dd130e38df21b020370eb9b03651eaa18946cda879c6758cf6c5425683f916d296283b213ce6c71ab3a7cf51b4af4eced32781759a97b82b25ac5b261f323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
918ecd7940dcab6b9f4b8bdd4d3772b2

SHA1
7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4

SHA256
3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175

SHA512
c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6db54d7e6d0aaf9e01a2de05cf388e01

SHA1
463ece77f2514f0dd95bcc6f9e477bec0cec182a

SHA256
3983f01a9ae5753df845eba8a830a824c001c9a5fdced45f43104fa05adf9afd

SHA512
f4087c86958df8b86153ecf1711951a703fad3658fa389e3a25bcc2bf935e190092b8ffd73d141f8d1429d8558b73f1323ae309da65910d7d2d796c5e52d19aa

Download Submit