Resubmissions
Date | ID | Score
14-07-2024 08:16 | 240714-j6aelavgkf | 3
28-03-2024 15:44 | 240328-s6f2tahh81 | 3
15-02-2024 03:14 | 240215-drq6xafb7s | 6
05-02-2024 16:35 | 240205-t3whrsebaq | 3
05-02-2024 16:32 | 240205-t17g9aeagl | 3
08-12-2023 22:35 | 231208-2hv1haegb3 | 3
31-10-2023 16:20 | 231031-ttf2qaba4t | 10
24-10-2023 18:54 | 231024-xkm1fsgg8z | 10
20-09-2023 14:18 | 230920-rl8qnagg4s | 10
23-08-2023 22:11 | 230823-139hyshd3w | 10
Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-02-2024 16:35
Static task: static1
Behavioral task: behavioral1
Sample: dl2.exe
Resource: win10v2004-20231215-en
General
Target: dl2.exe
Size: 849KB
MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512: 18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP: 12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
3008 | msedge.exe
3008 | msedge.exe
4332 | msedge.exe
4332 | msedge.exe
3808 | identity_helper.exe
3808 | identity_helper.exe
2992 | msedge.exe
2992 | msedge.exe
2992 | msedge.exe
2992 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
652 | dl2.exe
1240 | dl2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (child processes are indented under their parent)

"C:\Users\Admin\AppData\Local\Temp\dl2.exe" (PID 652)
    - Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default (PID 4332)
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffb5a46f8,0x7ffffb5a4708,0x7ffffb5a4718 (PID 4912)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2 (PID 3300)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3 (PID 3008)
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8 (PID 1140)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1 (PID 1084)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1 (PID 656)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1 (PID 4116)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1 (PID 4200)

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8 (PID 5016)

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8 (PID 3808)
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1 (PID 2416)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1 (PID 1192)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1 (PID 3656)

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9078973705032443422,1604982064303962038,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3176 /prefetch:2 (PID 2992)
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding (PID 2884)

C:\Windows\System32\CompPkgSrv.exe -Embedding (PID 1724)

C:\Users\Admin\AppData\Local\Temp\dl2.exe {7BE51CF0-6FAE-4711-BD47-1ED645E7F96E} (PID 1240)
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads