Analysis
-
max time kernel
97s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
21-02-2024 17:09
General
-
Target
https://mega.nz/file/nv5iVLqQ#LAGZqvV9oruP6yKsSj9S8A9FWJeDB8zDbStNnBlC17E
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/nv5iVLqQ#LAGZqvV9oruP6yKsSj9S8A9FWJeDB8zDbStNnBlC17E1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0d6346f8,0x7ffd0d634708,0x7ffd0d6347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5168 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5880 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,15535445084328494513,15226672235924608894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x494 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\Mw3-Sniper.exe"C:\Users\Admin\Downloads\Mw3-Sniper.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1266bd462e249f029df05311255a15c8f42719acc
SHA2562ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA5125fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818
-
Filesize
152B
MD59cafa4c8eee7ab605ab279aafd19cc14
SHA1e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6
-
Filesize
72B
MD57fa56dd5f4fd90f1538a896984b113ea
SHA15637494f6aeda0837229a1db954e36e36c05ffb3
SHA256afef8eb9be4b567006757c632aec0d13556ac5897e0e8a4e929c54a7f0872a82
SHA5126e3b71a2e0f68599aa0599d6abe4b308cfa8bf0e21f9e0da37cb14b8bb2ec2db4fd9b424152108a7748aea08038ae9e45f2ac092801a5837bbb3afc0e596ca4a
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
Filesize
6KB
MD5aa0552e4dfc5782ee0b1f775e155e1fd
SHA1f5a2b66cb6c717568c66b64814a3628190981d6c
SHA256e9a52d61bcc59a40ae5a8c75326b20cd9ec771fe273c912bab428e166e0256d6
SHA5129f2b107495de3b11f4c462438d046c2cd5104987ade5be3dbdf144a2a49eeeab5b64503e7903de0ab40394114ce508e10c0301684c5c564c511e02f1cbd1bd06
-
Filesize
6KB
MD53e13e7289864547ee3719f0be1c94f04
SHA10486f327206dd621b7f8c5cd423462638f999afc
SHA25668cd84d676aa747a6def76da6c0951a2ccea8f2c6822428ce4959e13656d017b
SHA512e0a354b8fa4ef23eec182db8d7f2d226bde3c98a3451169447abd41bcfbcfd62525ff75f15462426a03a1c9e5695107a1e40b8598f945c531b59f61b169ca0d0
-
Filesize
6KB
MD5592a5fd19f4a248a134ea20630228ad0
SHA14a69557110b66e7d2889121346d70e6fb4b3bd3f
SHA2568e459e02ffe4460d2096cbffa363b7e0da196ba97f5cd59a221e291389652bd6
SHA5122ce08ccd0cad7d646b3a576f5ea5fcecf9c82b90024d6b35698c38ba0f4de5b8ab9c22ba0b27b574bb82ac7f56cc4291604975044c2820137f2b0787d4aed6a1
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
72B
MD5d67d69a8d4c1b7150d6583154e8ddd57
SHA11b8701b0765f2b20868988e3b2b8456f03b74cda
SHA256181f09a52858e50f25affd8f08fffc9235d966769b0baae8b2da5176f3c4de54
SHA5123d6172b3eb91c405752a58d1f7e78261a50f240db3529a9f6332dfa591230ed7a2a49b803e3416fb4b2bfbf77c883970135235f0db11c86f6b0e0317eff1b86a
-
Filesize
48B
MD5e2509128c2cf706f3970436fd524238c
SHA12cbd0161d128281b1a2e833f3479d5ba70e1cdf4
SHA25615f777feadcd8816a21c61daee28b73f4174ee456aaf4781b91bb9e411c1afc1
SHA512a7b5b748ad867d70c1f4eb81bafdcdd7b066da9f275088134ec0e3c3891cafabe72c27056bce2424de2995e8ae2116df7be3002b66acf957cf9f2c055ea38bd0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5b3d5bc759eede6d75df84dd77ea66237
SHA1db900e59e34e7242b760c19a96e9f82cf198071d
SHA2569dfe3e0db8851b2b9a9f5f7dc894a5a73451fbad1abf8c064df3bdb9e7208140
SHA5126200ec5f33691db67b05f194790febd6182b750eae585eaa35a1b7d140365b121938a1a39f0105d282a42cdde1b0f2dae17c2efe846e7c281a2e03d7b46c3a4d
-
Filesize
11KB
MD5087006681f1de677ca3c8a957cd20d9e
SHA16a799b10db857f844a0ed0a31a16cd5a6e465f0c
SHA2564581777f10b55e479e61a6e6a35ac989bbf82d1cdae4ffa2a0530bdcee702958
SHA5121c622d33b9a1f8b5c4de4b28c83cf486c0d572421fbc139159957485e5276430e80d535a117289406cb64d8a5a7f25123bb317c39885ccb7ae2d51513bd37d22
-
Filesize
6.6MB
MD5e25937274239318f0ce57e3b9a37d89d
SHA11acf0ef2d672f4c8c2b8ac94b98f12bbf1cfc4c7
SHA256a0441d5ed37de43b6acd2c1de9dbb5f83c975984e7224c1625ce9b87e26c8213
SHA512d576ab33117afad09be55e1edcdfdd37aeb2441c21880a4effb92abf484e7aafa4b11724ff0afc3b29859d724edbf57f6879968a01f4f2e7f74fa5f130c87c4a
-
Filesize
5.2MB
MD5b9e63f4c2af4996f5a188576f41df2a8
SHA1921a531f993812f19b396704322be15a6c3ad704
SHA25696c3fd28660b41f2ebc6d222cff99d2394ebf34c652a6eedf5635beaa8dbb2c7
SHA512ed7b503945fcf85538f30061fb62f28d436c6e8bd89a09e8c7e537f00dd8de7aa18f89633b87b4469ea83f774e2e24cda426523f715c38b2ee07b76ef3e96d31
-
Filesize
4.1MB
MD5dacbaada3e119248da699f39728a0963
SHA1979fd22299752f9c9ab0d32f6cb5a31c29ecfe7e
SHA256fa43d9e171fa8d97ecf47ffc20af7ecc3b3f037e73d4818b785ff8ce65a462c9
SHA5126a30156db4f3c48345a548f5ac7aadd351506eb5071fbe5d5a8f1e3f40e2b7cc20a7fb6f3d1b245af484c80f58b0f15dddf8ff3cb2d08fba773b9ff763fda0a9
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.5MB
-
Filesize
4KB
-
Filesize
14.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.5MB
-
Filesize
14.5MB
-
Filesize
4KB