Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 08:49

General

  • Target: 7ebdf9d35465794a46cfdb8d91aabb4b.exe
  • Size: 5.6MB
  • MD5: 7ebdf9d35465794a46cfdb8d91aabb4b
  • SHA1: 531599d3e261dbbeb56993a94478bbdac2f1ac01
  • SHA256: bdcee4d2c5ac46330804613de038e856c43c4c75dad9faf0e198601490bd8897
  • SHA512: 8fca267de766e3661677fb1c2968b0951ca2e77d144d56e5db5a590795bce7378f1ad42e1fcf2b61586de85ac07e565cf6374160215edb229480f95fe5a5fc29
  • SSDEEP: 98304:tqLKm+uTLWHXyQgKZdxc1GUuK7Je00yUfojJ+cTxpQo79NfKjuhWmBtpZxqmci6U:tqmuHWHXJXgu4JOwjRx68ajuhZBcniTn

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (1 IoC)
  • VMProtect packed file (3 IoCs)
    Detects executables packed with VMProtect commercial packer.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ebdf9d35465794a46cfdb8d91aabb4b.exe
    "C:\Users\Admin\AppData\Local\Temp\7ebdf9d35465794a46cfdb8d91aabb4b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/crJTB3UAPz
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff431446f8,0x7fff43144708,0x7fff43144718
        3⤵
        PID:2008
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4760
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
        3⤵
        PID:2376
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        3⤵
        PID:4036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        3⤵
        PID:748
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        3⤵
        PID:3956
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
        3⤵
        PID:4456
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5192 /prefetch:8
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:2548
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5176 /prefetch:8
        3⤵
        PID:2392
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
        3⤵
        PID:1120
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
        3⤵
        PID:3244
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        3⤵
        PID:1176
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        3⤵
        PID:3544
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
        3⤵
        PID:1280
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        3⤵
        PID:2880
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,4140336558989302946,6987625058032948741,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3368
    • C:\Windows\SoftwareDistribution\Download\qmxjx.exe
      "C:\Windows\SoftwareDistribution\Download\qmxjx.exe" -map C:\Windows\SoftwareDistribution\Download\qmxjx.sys
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:3184
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4712
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3644
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    PID:748

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    Filesize: 1KB
    MD5: 13fe4f617cd4b038e4093de17ef5741c
    SHA1: e79e963ff911d121b3223e12e9ddfacafe060d3f
    SHA256: c1d48657089d5823e42433d43cd67e16d5f62ca87e594b25adefcf27ebbeb13a
    SHA512: de5baad1e2bd1f5ea63619dab6812eb5d9f2d9b9c0b45af23b0889b6b0c6ff74fe4939b5f467a82a52187ae9890a0fdbb69dad2be2713b7cf58f11774e95bf21

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    Filesize: 408B
    MD5: 9f6441f2475145dc78f8670a7ebfbb86
    SHA1: 831f40e42707ad5a05b29addc4efbb2369a636d3
    SHA256: 013932075eb98e7d12e750c7aa809eb6a1267c28192590cdc329a13ce8aa3bb6
    SHA512: 553c0329b2e51b3223f9f989206a69ca7b5963c9f2d789b6f5019db945c3c221dd0fb2e67c0eeafc08ca2ee3c84fa1596f4f39e6b96646d3c8db919840973dde

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: eb20b5930f48aa090358398afb25b683
    SHA1: 4892c8b72aa16c5b3f1b72811bf32b89f2d13392
    SHA256: 2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35
    SHA512: d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\97f212df-0774-44eb-a825-6cfa62e31f88.tmp
    Filesize: 5KB
    MD5: 6c73e099a6245328372fcb686f94769a
    SHA1: 2669acdc9b3758764c29167528b4453fbde07569
    SHA256: fd3c823eafa46697f45d26e9f8d15bf4a8af7af0cf6f27c9103e144cd21b424b
    SHA512: d7aeb09ccc8d4740a6501745d333ef9fb1e065c1c7829efe4a68e6ed52cdf843b222c42725358ff465134802781a27ca2f9f89878c9e13f583370ccce0c6bab4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
    Filesize: 2KB
    MD5: aeb17f33b43e7b58dc807d2240308b59
    SHA1: 880fd0a04306bfc5ff1f377781c8b11e966b092b
    SHA256: 5eb1373fe33819b25b504aa0b2efa0f83dada3dc9310ffda67357550c22ae06c
    SHA512: e63526b32aa18355144f503206266639fa9f9a892413ca9112460fe789938807ef20fd60f70a99dcff363972fd22eb4b121d9c2934c067369ef3611ded9ade4b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 111B
    MD5: 807419ca9a4734feaf8d8563a003b048
    SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
    SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
    SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 537B
    MD5: 438c6eb4d43815c098a9876be5a07c49
    SHA1: 1a8db2289140c0e92a47b2637fb65cb00edf656b
    SHA256: e84fea616b542934a988b24ae69cdd89497a8410437003e6ef0d7dadedd97613
    SHA512: c5943e3e7304768c2a9e802059b189a2bf06c8f652ccce5939d44c5abd8b1dd27485d7dfc5d0a2c5a62860acc4b94d7c52cafb1128b69180f7fd985b2df7e488

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: bca9173b438f6c6631f1b06e35ec3cbc
    SHA1: f2bc67efdd37036bcd8079c66b008a713eb649dc
    SHA256: da1a2b10091a0a046f5a8f69fcfb69f7876f0b3c0cd019cbd0c801599e58ee9b
    SHA512: b23456b823ae5b58b67280fbefbf3fe96bd7a752ba4f1710f5eb5b0f782f7cfafd64cb992b2ce4dfe03adf739fde3e57834a86f1424a440cb04790537d4ce694

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize: 24KB
    MD5: 2bbbdb35220e81614659f8e50e6b8a44
    SHA1: 7729a18e075646fb77eb7319e30d346552a6c9de
    SHA256: 73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd
    SHA512: 59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: c7cabb25cd85eb8218d3474d52281aac
    SHA1: 3f256b51e9990b3f7738214ee1cc9953473ec43b
    SHA256: 936dcdd0b86f9195de196371b10658b526c80ae0a779dcfeb9dee0484de16e31
    SHA512: e282e08756ba1efe7bdf784f1dae159112fb8cedecba11b0316b49ef3b6d11c1162c302e3b406f1643ed780553e9e3ea6ae74d530c5b6b639436a6439b4d44da

  • C:\Windows\SoftwareDistribution\Download\qmxjx.exe
    Filesize: 260KB
    MD5: 083c6c05ac5875d0b6e997e894ca07bc
    SHA1: 69d0116998e8a70db5852fccb86d45975ce88a9a
    SHA256: 03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca
    SHA512: fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

  • memory/2100-1-0x00007FFF61650000-0x00007FFF61652000-memory.dmp
    Filesize: 8KB

  • memory/2100-2-0x00007FFF61660000-0x00007FFF61662000-memory.dmp
    Filesize: 8KB

  • memory/2100-3-0x00007FF670E20000-0x00007FF6717BB000-memory.dmp
    Filesize: 9.6MB

  • memory/2100-298-0x00007FF670E20000-0x00007FF6717BB000-memory.dmp
    Filesize: 9.6MB

  • memory/2100-0-0x00007FF670E20000-0x00007FF6717BB000-memory.dmp
    Filesize: 9.6MB