Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2024 16:10
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample: https://github.com/JKornev/hidden/releases/download/v1.1/build-1.1.zip
  Resource: win7-20231215-en
- Behavioral task: behavioral2
  Sample: https://github.com/JKornev/hidden/releases/download/v1.1/build-1.1.zip
  Resource: win10v2004-20231215-en
General
- Target: https://github.com/JKornev/hidden/releases/download/v1.1/build-1.1.zip

The target is the v1.1 release archive of the JKornev/hidden GitHub project. In this run the URL was only opened in Microsoft Edge: the process list below contains Edge and its helper processes plus two COM-activated CompPkgSrv.exe instances, and nothing from the archive was extracted or executed. The signatures therefore describe the browser's own behaviour, not the contents of the archive.

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Note: these BIOS values are the ones commonly read for VM and sandbox fingerprinting, but the reader here is msedge.exe itself, so the hit reflects the browser rather than the downloaded archive.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 3160 msedge.exe (2 entries)
  pid 3504 msedge.exe (2 entries)
  pid 1316 identity_helper.exe (2 entries)
  pid 116 msedge.exe (2 entries)
  pid 3328 msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 3504 msedge.exe (all 7 entries)
  Note: the browser process created child processes with the block-non-Microsoft-binaries process mitigation enabled. The originating process is msedge.exe (pid 3504), not anything from the archive.

Suspicious use of FindShellTrayWindow (34 IoCs)
  pid 3504 msedge.exe (all 34 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 3504 msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  The writer in every entry is pid 3504 (msedge.exe). Distinct targets, each repeated in the report (64 rows in total):
    PID 3504 wrote to memory of 5024 (procid_target 36)
    PID 3504 wrote to memory of 2204 (procid_target 88)
    PID 3504 wrote to memory of 3160 (procid_target 87)
    PID 3504 wrote to memory of 2136 (procid_target 89)
  Note: every target is one of the Edge child processes listed below (crashpad handler 5024, GPU process 2204, network service 3160, storage service 2136), i.e. the browser writing into its own freshly launched helpers rather than into an unrelated process.
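The WriteProcessMemory table above is the signature most worth checking by hand, because the same API call means two very different things depending on the target: a browser writing into children that run the same image is routine, a write into a process with a different image is the injection pattern. The script below is an added example (not part of this report or of the JKornev/hidden project): it splits the report's run-on "PID … wrote to memory of …" row back into records, aggregates them per writer/target pair, and cross-checks each target against a pid-to-image table. The sample row is constructed from the first tuples of the report plus one hypothetical tuple (target pid 4242, notepad.exe) that is not in the report and exists only to exercise the escalation path.

```python
"""Triage helper for a flattened sandbox WriteProcessMemory table.

Added example, not code from the sandbox report or from JKornev/hidden.
"""
import re
from collections import Counter

# Constructed sample: the report's own tuples for targets 5024, 2204, 3160
# and 2136, plus a hypothetical write into pid 4242 that is NOT in the report.
SAMPLE_WPM_LINE = (
    "PID 3504 wrote to memory of 5024 3504 msedge.exe 36 "
    "PID 3504 wrote to memory of 5024 3504 msedge.exe 36 "
    "PID 3504 wrote to memory of 2204 3504 msedge.exe 88 "
    "PID 3504 wrote to memory of 3160 3504 msedge.exe 87 "
    "PID 3504 wrote to memory of 2136 3504 msedge.exe 89 "
    "PID 3504 wrote to memory of 4242 3504 msedge.exe 90"
)

# Constructed pid -> image table taken from the report's process list,
# plus the hypothetical pid 4242 running a different image.
PROCESS_IMAGE = {
    3504: "msedge.exe", 5024: "msedge.exe", 2204: "msedge.exe",
    3160: "msedge.exe", 2136: "msedge.exe",
    4242: "notepad.exe",  # hypothetical, not in the report
}

# One tuple of the table: "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>"
WPM_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_wpm(line):
    """Split a run-on WriteProcessMemory row into one dict per tuple."""
    records = []
    for m in WPM_RE.finditer(line):
        d = m.groupdict()
        records.append({k: (v if k == "image" else int(v)) for k, v in d.items()})
    return records


def aggregate(records):
    """Count writes per (writer pid, target pid)."""
    return Counter((r["writer"], r["target"]) for r in records)


def flag_cross_image_writes(records, process_image):
    """Return (writer, target, writer_image, target_image) for each write whose
    target runs a different image than the writer, or whose pid is unknown."""
    flagged = []
    for writer, target in aggregate(records):
        w_img = process_image.get(writer)
        t_img = process_image.get(target)
        if w_img is None or t_img is None or w_img.lower() != t_img.lower():
            flagged.append((writer, target, w_img, t_img))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_wpm(SAMPLE_WPM_LINE)
    for (writer, target), n in sorted(aggregate(recs).items()):
        print(f"{writer} -> {target}: {n} write(s)")
    for entry in flag_cross_image_writes(recs, PROCESS_IMAGE):
        print("ESCALATE cross-image write:", entry)
```

Run against the report's real rows (all targets msedge.exe) the flagged list is empty; the only hit comes from the constructed notepad.exe entry.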
Processes

msedge.exe (PID 3504, top level)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/JKornev/hidden/releases/download/v1.1/build-1.1.zip
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  msedge.exe, crashpad handler (PID 5024, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa862f46f8,0x7ffa862f4708,0x7ffa862f4718

  msedge.exe, network service (PID 3160, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe, GPU process (PID 2204, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

  msedge.exe, storage service (PID 2136, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

  msedge.exe, renderer (PID 2340, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

  msedge.exe, renderer (PID 4112, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

  identity_helper.exe, WinRT app-id service (PID 228, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8

  identity_helper.exe, WinRT app-id service (PID 1316, child of 3504; same command line as PID 228)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe, renderer, instant process (PID 3720, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

  msedge.exe, renderer (PID 1344, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

  msedge.exe, quarantine service (PID 116, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe, renderer (PID 2752, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

  msedge.exe, collections data manager (PID 916, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3452 /prefetch:8

  msedge.exe, renderer (PID 4572, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

  msedge.exe, renderer, instant process (PID 2824, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1

  msedge.exe, GPU process, second instance (PID 3328, child of 3504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17528586355789446841,25345723092645204,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 2100, top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 2284, top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

Note: all Edge images above come from the Edge install directory under C:\Program Files (x86), and CompPkgSrv.exe from C:\Windows\System32. The helpers running without a service sandbox are the network service (3160), both identity_helper.exe instances (228, 1316) and the quarantine service (116), each launched with --service-sandbox-type=none, and the second GPU process (3328), launched with --disable-gpu-sandbox and --use-gl=disabled. No process from the downloaded archive appears anywhere in the tree.
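The process list is long but each helper states on its command line what it is (--type, --utility-sub-type) and whether it is sandboxed (--service-sandbox-type, --disable-gpu-sandbox). The script below is an added example, not code from this report or from the JKornev/hidden project: it parses such command lines, records which helpers run unsandboxed, and checks that every image lives under the Edge install directory or System32, the only two places the processes in this report come from. The sample rows are abridged from the report (long --field-trial-handle and --gpu-preferences values dropped) plus one hypothetical entry, pid 9999, an msedge.exe started from a user-writable Temp directory, which is not in the report and is there to show what a flagged image looks like.

```python
"""Process-tree triage for a Chromium/Edge launch.

Added example, not code from the sandbox report or from JKornev/hidden.
"""

EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application"
SYSTEM32 = r"C:\Windows\System32"

# Constructed sample: (pid, command line) pairs abridged from the report,
# plus one hypothetical process (pid 9999) that is NOT in the report.
SAMPLE_PROCESSES = [
    (3504, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/JKornev/hidden/releases/download/v1.1/build-1.1.zip'),
    (3160, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3'),
    (2136, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8'),
    (2340, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1'),
    (3328, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --mojo-platform-channel-handle=1788 /prefetch:2'),
    (2100, r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
    (9999, r'"C:\Users\Admin\AppData\Local\Temp\msedge.exe" --type=renderer --lang=en-US'),  # hypothetical
]


def split_cmdline(cmd):
    """Return (image path, [args]); honours a double-quoted image path."""
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].split()
    head, *rest = cmd.split()
    return head, rest


def parse_process(pid, cmd):
    """Turn one command line into pid, image, role, --key=value options and bare --flags."""
    image, args = split_cmdline(cmd)
    opts, flags = {}, set()
    for a in args:
        if a.startswith("--") and "=" in a:
            key, value = a[2:].split("=", 1)
            opts[key] = value
        elif a.startswith("--"):
            flags.add(a[2:])
    role = opts.get("type", "browser")          # no --type means the browser process
    if role == "utility":
        role = "utility:" + opts.get("utility-sub-type", "?")
    return {"pid": pid, "image": image, "role": role, "opts": opts, "flags": flags}


def findings(proc):
    """Security-relevant observations for one parsed process."""
    out = []
    img = proc["image"].lower()
    if not (img.startswith(EDGE_DIR.lower() + "\\") or img.startswith(SYSTEM32.lower() + "\\")):
        out.append("image outside Edge install dir and System32")
    if proc["opts"].get("service-sandbox-type") == "none":
        out.append("service sandbox disabled")
    if "disable-gpu-sandbox" in proc["flags"]:
        out.append("GPU sandbox disabled")
    return out


def triage(processes):
    """Map pid -> findings for every process that has at least one."""
    result = {}
    for pid, cmd in processes:
        f = findings(parse_process(pid, cmd))
        if f:
            result[pid] = f
    return result


if __name__ == "__main__":
    for pid, cmd in SAMPLE_PROCESSES:
        p = parse_process(pid, cmd)
        print(f"{pid:>5} {p['role']:<45} {'; '.join(findings(p)) or 'ok'}")
```

The unsandboxed-helper findings are expected for an Edge launch and are listed so the reviewer can see them at a glance; the image-path finding is the one that would turn an otherwise normal-looking tree into an incident.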
MITRE ATT&CK Enterprise v15
Downloads

The report lists dropped files by size and digest only; it does not name them or say which one, if any, is the downloaded build-1.1.zip. To tie an entry to the archive, compare its SHA256 with the digest of the release asset fetched independently.

- Filesize: 152B
  MD5: bcaf436ee5fed204f08c14d7517436eb
  SHA1: 637817252f1e2ab00275cd5b5a285a22980295ff
  SHA256: de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120
  SHA512: 7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

- Filesize: 265B
  MD5: ee77ee0ddce6df6a4cf39b6d19ea6b4c
  SHA1: d5407a3c365266b7a794e647bc17ed9e06b4389f
  SHA256: 79a078c39145a1dc1c27c15f05bb7a39bdaf7aec14fd85a2dcfd36b95a3f5b36
  SHA512: 1841689b05aab9ba73ac48bb390c148e92d218b07da6b89bbec900bcb84055fe2080115545933d495f6e8f2506497af930fbab1c68cf65ff080f2d5a61b30eeb

- Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

- Filesize: 5KB
  MD5: 9cd1bc3d2957006518aba553326f2b7e
  SHA1: a584eaf3c993b63a09813877815a37c6bb2cdf25
  SHA256: 607528860292803393d4a03e501bb6c17ad8af0f391dfb9b3c24c3b68a325e6c
  SHA512: 2ddb9c7c2f28f0359edc96ce0a50d13a8b5a152e829d18c557468f6c11ad8a181354287541fdd3fe6df31865d3941c29bf19e12569593737a1e050c98ab0d55b

- Filesize: 5KB
  MD5: 864052c58bc6a23c631c41fd312afef9
  SHA1: e413f0e21387b5eb37a2b3bb80f5670f9b5896c2
  SHA256: d45f734bd6e74a2ed00278a740e0129c6c3daa4b06f168c8edeb6ac7cc2c8713
  SHA512: 69db94d7072abf34018c270bbd48aed3c7bf3ebd4c8c5e6d69199b6c4c358c1daa56e8e0f09804fc5713fbc613ce9c88710714ecfe091e7a85c85b20a5c14eb2

- Filesize: 24KB
  MD5: b0ba6f0eee8f998b4d78bc4934f5fd17
  SHA1: 589653d624de363d3e8869c169441b143c1f39ad
  SHA256: 4b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f
  SHA512: e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: 0e981db57f72120121c3a4f8bd55da20
  SHA1: 139e367613efb18314e89c6b3e512221fb5bfd34
  SHA256: 80384dc70280388928fb3673852ff35691830369694abc724a6c702d8e2aeec7
  SHA512: 05b3c07e972800a2ceee1aac1b81b33bfcd7088ee4c5624fe180661c0f97c93c9118706990c53b861d8a0432325968cbb806e4647ff20529e26669aacd80d731

- Filesize: 4.6MB
  MD5: ed0cb62dd8de0f25cc98c7ebc292c4b1
  SHA1: 14ee7c0f3362ff55a7658acb3cd7d6af73786e9a
  SHA256: 9c671c9b8b0ceb403f8adcba74fc74f6212ac5468dfd5589681e3ecf8635328c
  SHA512: 2b35929f2123e236ef73d30e28a93acb0315998ddd025a03d439ea89ae1759f1f3d463e8e7b366ef56aae7ce244a166b5ee09c68054c5bbb249f2f8ef185b6fe
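When a report like this is scraped, the algorithm label is fused to the hex digest ("MD5bcaf…"), which makes the list awkward to search. The script below is an added example, not code from this report or from the JKornev/hidden project: it parses the fused form back into records, rejects a digest whose length does not fit its algorithm (the usual sign of a copy error), and matches a local file against the list only when all four digests agree. The embedded sample is constructed from three of the nine entries above, copied as the page prints them; the bytes used for the match test are constructed and correspond to no real artifact.

```python
"""Parse a sandbox "Downloads" hash list and match a local file against it.

Added example, not code from the sandbox report or from JKornev/hidden.
"""
import hashlib
import re

# Constructed sample: three entries of the report, label fused to digest
# and "-" separators between items, exactly as the page prints them.
SAMPLE_DOWNLOADS = """\
Downloads
-
Filesize
152B
MD5bcaf436ee5fed204f08c14d7517436eb
SHA1637817252f1e2ab00275cd5b5a285a22980295ff
SHA256de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120
SHA5127e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c
-
Filesize
265B
MD5ee77ee0ddce6df6a4cf39b6d19ea6b4c
SHA1d5407a3c365266b7a794e647bc17ed9e06b4389f
SHA25679a078c39145a1dc1c27c15f05bb7a39bdaf7aec14fd85a2dcfd36b95a3f5b36
SHA5121841689b05aab9ba73ac48bb390c148e92d218b07da6b89bbec900bcb84055fe2080115545933d495f6e8f2506497af930fbab1c68cf65ff080f2d5a61b30eeb
-
Filesize
4.6MB
MD5ed0cb62dd8de0f25cc98c7ebc292c4b1
SHA114ee7c0f3362ff55a7658acb3cd7d6af73786e9a
SHA2569c671c9b8b0ceb403f8adcba74fc74f6212ac5468dfd5589681e3ecf8635328c
SHA5122b35929f2123e236ef73d30e28a93acb0315998ddd025a03d439ea89ae1759f1f3d463e8e7b366ef56aae7ce244a166b5ee09c68054c5bbb249f2f8ef185b6fe
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest label first so "SHA512…" is not read as "SHA5" + digest.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Return one dict per entry: {"size": ..., "md5": ..., "sha1": ..., ...}."""
    records, current, expect_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if expect_size:                     # the line after "Filesize" is the size
            current = {"size": line}
            records.append(current)
            expect_size = False
            continue
        if line == "Filesize":
            expect_size = True
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has length {len(digest)} in entry {current['size']}")
            current[algo] = digest
    return records


def digests(data):
    """All four digests of *data*, keyed like the report's labels."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match_file(data, records):
    """Return the entry whose four digests all equal those of *data*, else None.
    Requiring all four means an MD5- or SHA1-only collision cannot produce a match."""
    d = digests(data)
    for rec in records:
        if all(rec.get(algo) == d[algo] for algo in DIGEST_LEN):
            return rec
    return None


if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE_DOWNLOADS):
        print(rec["size"], rec["sha256"])
```

To check a file on disk, pass `open(path, "rb").read()` to match_file with the records parsed from the full list; a result of None means the file is not one of the report's artifacts, not that it is clean.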