Analysis
-
max time kernel
154s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-12-2023 07:15
General
-
Target
0e159016f4e1223bea4164d318677a65.exe
-
Size
99KB
-
MD5
0e159016f4e1223bea4164d318677a65
-
SHA1
71620f4f37856112b07a97c3e6f1920bd33cd49b
-
SHA256
53330cee9bba3b7648a03a941a072182a1bc616256d4289a8f0f0db9152ec587
-
SHA512
7374df5592236fec321014c146464486e2b36b78f519ceb6aac771be1582435a984c995b6b6138a97cb6caecb846769befe6f1c23c99a72e434db96f90989e55
-
SSDEEP
1536:MkcUv9Wrw3h3FA2BJskRMbBLBZCx5ywyTjcol97NKRxWMZvbNV5LtL3HX:1d9xR3G2BZMbBLBaYw0coLujNH1HX
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e159016f4e1223bea4164d318677a65.exe"C:\Users\Admin\AppData\Local\Temp\0e159016f4e1223bea4164d318677a65.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.chrisqueen.com/cb/FULLMOV/program2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbac0a46f8,0x7ffbac0a4708,0x7ffbac0a47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14324822325984638322,14763622109388214065,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3104 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cf6151ba586cdc5d265c338fec56af63
SHA156d394d63e5bdffaeb904175254e44cb163708f1
SHA256153ea04d58db25fac99ead51c05bcbe60ecec063adf3e8aca68404d9c93b2dc8
SHA512c10597251fdcc9f592e2c8b98c9035fb6d7e969f62b67613272b79e5342cde81a866c424d298e74d474cef9bf7e7d7856716649b5aa5201f4cceab6923c8039b
-
Filesize
152B
MD5eb20b5930f48aa090358398afb25b683
SHA14892c8b72aa16c5b3f1b72811bf32b89f2d13392
SHA2562695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35
SHA512d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8
-
Filesize
537B
MD53b50b7e7cd0885c8b942ef19a113fba2
SHA1f7054487289aaa984771538e29e8ae60fa80df06
SHA256004210ca24a183214313ce1b090a3480edb5e65bd2b3f443f45d8e1a6fbb97bf
SHA512696f6627fb5451d86afdb789d0640ac0fb1528050d407859ad87f102a6fe9f94694a33ffa0ad86f4b64c15c99d59e35edacadc15bdd223853f44bacd8e325d5a
-
Filesize
168B
MD5bde9bfc619cfca879e86e9274ee826ce
SHA152ef53e1ff50a1ed0c56e4599672bf25fb58d668
SHA25669a3275ed0bd321b3ea184cc5a77e2634d925e05d5a637577db34fca77a35533
SHA5126290f3699756fbae5cd20888ddcd3a085f0727999fe65be2c0ef8446fab7e3a8bceba01cabd8dcc136e38aa6f3ca76995f46441eb9a35d69b3438b6e9690baab
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
944B
MD54761866ed8231f2bc125f0ece4726968
SHA1550765ac1015421bfc4c5d3a8d150abb625a3b07
SHA2562e3355cf6391f2901e069f4844a1cdf4078a883779788d9366df98d5daad365e
SHA512706dd75d4c0d664f835ca2c53c73d7616e9c43f2592a3e0db3c7377c1b8979c0ee31ee51232df9ae0085ba7900f788abfbecd2ce4b1a69a6ee4ffe28c92503b4
-
Filesize
5KB
MD5f297ce28bb915948e755e38057fefff1
SHA11aced1b021ae04ae732ae10d414ed796862a19fd
SHA256a6d445ced1a7ada66536d947430de7766533bf14ec93c2423e3f3183c0166d17
SHA512ee6f664b7703d6a3886456065bd3d757519f48190f9349e76c5aca7e973d30b02b6a401fac962dbe688ecf9c1d12987104613c79c4939d4d8712aed9602848db
-
Filesize
6KB
MD5d3defd4992724db754fb407c5668f26b
SHA1d97d64bf5c5a1a2481f3de45f84ac70ea56402af
SHA256eab555f865f11040d6dbde3ff093d4367465982af3af6e271fea22ded25c1989
SHA5129414135f7c67d65023f6112ca7dbfb87daccd746cc717f5dc0fa4de6a7e9731f8a6ef32c199ef2cf539b15e21790aa7932e9b871c617dac98c080dd64fea905f
-
Filesize
7KB
MD595e601c49578ce7a99db2f3deab1a576
SHA12288eb4d35ca4968971010fde8ebb98dafb684a1
SHA256a7979bed3c6c277141d1524d5d83e4edc597e6b62505e86f641d623570722afc
SHA5120fa544eb59900b5410e3d6b98760846dc3f5831d231903abf3bf180a53b041d9e60a5a9d47daac5cc43597cfeebc1cce8d6f2bd417fc1cb6dd8ae21e5fcf19c4
-
Filesize
24KB
MD52bbbdb35220e81614659f8e50e6b8a44
SHA17729a18e075646fb77eb7319e30d346552a6c9de
SHA25673f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd
SHA51259c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD582574de577ec1048a7306a38033463b5
SHA1a429b521d52d42dfc60dcf3b25790a1124cfb3d1
SHA256963ee9bc17fb3b6a190c6b894901a3fd4205365ad00860f4a9c08c467e53b117
SHA512105e229eca780d97dc0a87216284f866c10d4973be2adbb3eff8220059cc97af27feda7fe7af321f635d889e5863e8e84aba2dbb750e9c7bd1aab0e5db6377b0
-
Filesize
128KB