Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
03/02/2024, 23:27
General
-
Target
restartserwera.exe
-
Size
7.2MB
-
MD5
42b54c18a31575f62928dc111d7ba088
-
SHA1
3ca800a94077a984b82d342a42fa395802019fd8
-
SHA256
54b394e487b094033d97e0901a84bf00f6db63e8ea180d077f3fd2ee288b7ece
-
SHA512
f4212b622ccaac8253ff8b39fe9865abe3e077c4553c3ea7f0ab8c374827c296b664b5d9b9d7299c0ef310f54cd9164c7a0aa09d32f468184cccf38935676652
-
SSDEEP
196608:c3oNerYFMMHYglsdDsfBT++Dht3kbJmqCh0WsVSjeOI+:c3oNerYFJlQs5ThUmqCWVX1+
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\restartserwera.exe"C:\Users\Admin\AppData\Local\Temp\restartserwera.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/coders2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/coders3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb792546f8,0x7ffb79254708,0x7ffb792547184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6080 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5412 /prefetch:84⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15650645437502980029,17945152444480939606,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3320 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5efc9c7501d0a6db520763baad1e05ce8
SHA160b5e190124b54ff7234bb2e36071d9c8db8545f
SHA2567af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d
-
Filesize
2KB
MD5eb0099630f692ca1826da47d608468ca
SHA1fee20530d3654d6bcdeb4a7d7e5a79a57dc57947
SHA256920ed922e8d571292b7b546e86ec6fc5458cd61f9a78eebd78457868f94a5e98
SHA512b4bcb0b876b1deb3219080d99978bb9a4a1373769f8b6e44f4fe7be49243d43a410baf08cd15fb1cab03e2f5d14f5c3f3b72889a68fd002be0d97ac86bd83ce3
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
323B
MD51eaf2f4407244a1168b2d6fc8ca87880
SHA16b1b7aa5a43b129d90ec32a0e906a061ed9d8b1b
SHA25612e0f5280e07cd6ee13b9cdd280096fb7ee853aaa614d6e7894e017d55f0972c
SHA512387f366d44dba0b3c10cfae93b095d8ba2951d0933a3fca82ea6e3b0bb8b12b914d563406b975f98d60135e1fdb7b5006c116b4a651373dc3da22915e9f7055c
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
5KB
MD51c3a93f0d0a7cec81432d23386957613
SHA1490d0a032b9fd75ba5322e0579e815c7e54763c2
SHA256dcbf3c2a89aebc87cf329ce160593782f0112c0906b1780eeecab39f138e924a
SHA512e42028b163d662d5b1b971828434d47d1624b154e169ad1902d7453d21265391e2723872e21b1c5017d47af658e65983127107e9ec1f9aed729c70cf9c278ce2
-
Filesize
5KB
MD5636051118c9444f936444f4c4a12ee1a
SHA1ef1c8815fc4cbe953b005f25db17029545a4fcaf
SHA25611a184b3182fae35eac3acc98cf699af3001a3f2ce54c960d08158ccdcbee15b
SHA5126a3f27f6198dbf691e9191a28d84ca4743d9084eabad0c43f9b6f9095309453abf7e4df715a86c429fdeb3133c054c314f6e2e4ae1937f752776c0ed7fa04ae6
-
Filesize
5KB
MD5f77bc4ecb5a1d05a268992f42b589e11
SHA12623cf7a09054e01566bca8f308af1778fb3ac20
SHA256c37a395676b1ce76054f69fa164f1a13a28c36cbe542ef2499113c38c7b91d2e
SHA5121b1b942c313f5ec150df214ac1925a844e69e0d76f7f88df522d9e2dce99785488024b136adce867954702d023185a0a61799bf2f22a1599ee46fde9a37ba418
-
Filesize
24KB
MD5121510c1483c9de9fdb590c20526ec0a
SHA196443a812fe4d3c522cfdbc9c95155e11939f4e2
SHA256cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c
SHA512b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81
-
Filesize
370B
MD500b968f3045d1abd65efa3a13afa2d14
SHA178c17e772a4a6936fef6e46af7460fe337fc0dd1
SHA256c3b26ef7c65815b419f68588a7352210fcf82d3031222ecdd141d7d29c8fab91
SHA5122e42e53c47247d3a826d5d8ce3e68c518f92de102725ed03809dce6bfe478c2b3e84c5b0da45fd0823d7cd7541830b17cd865c9c33349fc91c9dd83861f430a7
-
Filesize
370B
MD5cd0756cf0c600291d4f6bdbedd24b860
SHA13cc98653b7aa0b23bc7dca8fbf4f886fa4700df4
SHA25697ba1be4da4cd5f3dacba97cec554bddb6a2d8b668fbf931fe41ec9683249ccd
SHA51294595e762373c0b9bd0612d5590f29b23a6118cd230d69a4fc1d691355a251d5119ff9539b44402cacfe34afc7c6f721c17660d588a40936546b493212e57952
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5f55d3fd7b6c6dac7a678248ff479bf4c
SHA1d233603273d39b36f24554dfdc312ee027254eba
SHA2564d261e04513dfd63e418481ae8d67f1701b9cf3b72fc7c71dc7bed7d76342f5c
SHA512791ecc7a72044c323e9c82f38f71e034edb9d2e6805cf9596ae6549cde204b5d718137f1351baa83019075dc569eaf1c02b941c7a211d9397fab72f3f39ef3d1
-
Filesize
10KB
MD51458fcd17db2be557513ca88934da6a8
SHA17377821af98343b80737b60cc3ab703650178e3d
SHA2566405339ba662ef27d64a4d263d5473c26f59b778d1d7e3c9ccc7b8a4958292d4
SHA5121da90fc7711ff1f340e132361815236a1aa0b1684a27449eb31cc9be1f365c751a074777f0b7a8870413850d46be7276cd6a7a37b3c9fff80659bf4435a7ba0c
-
Filesize
2.8MB
-
Filesize
760KB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
16.8MB
-
Filesize
76KB
-
Filesize
2.0MB
-
Filesize
3.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
760KB
-
Filesize
2.8MB
-
Filesize
2.8MB