Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
22-02-2024 11:01
General
-
Target
https://mega.nz/folder/hLhCyQpb#PWB5gQ2FULvWJl5trY0Lgg
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/hLhCyQpb#PWB5gQ2FULvWJl5trY0Lgg1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca8a93cb8,0x7ffca8a93cc8,0x7ffca8a93cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2377867150007810420,6431629181912711629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\ChilledWindows.exe"C:\Users\Admin\Desktop\ChilledWindows.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d459a8c16562fb3f4b1d7cadaca620aa
SHA17810bf83e8c362e0c69298e8c16964ed48a90d3a
SHA256fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a
SHA51235cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f
-
Filesize
152B
MD5656bb397c72d15efa159441f116440a6
SHA15b57747d6fdd99160af6d3e580114dbbd351921f
SHA256770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab
SHA5125923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c
-
Filesize
72B
MD5f2fdf14194960fbef04827adf24213ae
SHA163bffaff3aca3df9f602c6a9383d892a50637bcb
SHA2566c723f167511a39e359eac47270d862f2ba81e10876336ac5303e2f838bf962b
SHA512555e10aef0c3015d480629651e981ee39030c646d16638fa4c639b652649257b41e4ca26c5c60ae305b4666f7ab3ef0bd2c6f981ae87dcd654c5e47af49f2f9f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
Filesize
6KB
MD597676eeb1ebe542eee13307fbab0e34c
SHA162fef07ea6c4af4e804f72a389912be0216f297e
SHA256afc49c23511a17fb3b98e3984aec887e4ef9db3999fc0c718b5557d1c7394f59
SHA51254baf0569711129a5bbd016bc01182682d42433d22bbea085e22ed192d6a25187e03248d0f1fc876a102d733bf75bcf868eba7cbc4d1b23dba0d7a3247e12bc8
-
Filesize
6KB
MD577e6aed5b2d8fd9b8bbbbaef733a610f
SHA18d819eba6cf34f348fffb3a5c9e151181dce3dec
SHA256604f82b7b6afaf6e58351dab08ecd8c9915a37f1ee1b2687fe4bc07702665c1a
SHA5121806cf9ab269ad53a97a4db32acdfbd562cd0f19933f89ca40f3cbf646f76f0b9f9957fafebc1b6b385caa3cffe72f81b0f0265e7603a73e84344bcff196e0d0
-
Filesize
6KB
MD54bda9490094342a6d4e544d77c0d44a1
SHA166a8961e1761e1cf78467e56456ecf222a5a564f
SHA2569a71ef065c4a9f682094673c43055661574fc59ec4cff52a51de4ad8afe2bcbf
SHA512d0e72b809d4c70e2c1fbfbc46965b36a4726dd50ecb3538d772f34578712814eee451715beee06e9a769a9c0b35d1afb0207ebf80f8c3e24f6df14d67690d8c9
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
72B
MD53fa741ce7619ff29078e46c0de9a5554
SHA1eeeb0206ff5bed1c6896cc1054e6188c2cf666dd
SHA2564aed8a0a6796a13670b57ac18fffbc1f04453f9c259f037edcd730b6e612fd81
SHA5120e2efce92c0f33b3b47d121115239822926b47bb76cce69a8be647a330377a66d7180dd1a5a728a0465d0cc7997e9824a7d559142c94a06523fcaf6db7d55196
-
Filesize
48B
MD55876f51a67fce7ae3c229243d6be187f
SHA11c1597dac6cdd6258f97422bf12726b309a7de6a
SHA256efaa7d73edd7dba6eb2191dff4ebe46b07b7cf9fdab553239b8b9361df2d57b3
SHA5129cd56a61c997a70d6e61b7a6f0dd897b1763c02ec379222b81f7c7dbd54277582f89359b57b197389a34a9adcce442e8d1c44af0aff81f2e05151c8025ba4083
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD57eeadc1f2c8b0645cdb8468464de83ce
SHA18b7f5dac385f3e4a42172d46b2d3f3b0f0e9d449
SHA256bd9aca328f076a70c029e663799f365e8ba66dc8c08834b4884a7f156fe5fa43
SHA512b6b35750de15ea4182c118a49d1433b2fe4b68d2a1c8051b2a45761344721d275363123ce89cf7459b661aa22faf7db913d0efddbb2ab5fa06c36d6e34abf952
-
Filesize
11KB
MD5e6af994a58e03b9a5aec19291460e727
SHA1b6d147d8f8540a5bb1a6decff584d0ad6394dd76
SHA2569b7eccaeb7847571e0be27f718fa766bad3d2b2fa0a7725c66657e21ba82a6ac
SHA512baaa833450cd53f7320f43eee74ab01744df05a0fb84a1be290a29afcd201b134b69113222c412309bef590d6c12158ef48f5b6c7eb5238cec8bf68a80c86354
-
Filesize
64KB
MD5066f6e5acfff197d12b550ef7d452d41
SHA1aaa8cfa5a56519594490d069f31a42a15ca515a2
SHA256cac3a8354c7766b4ce0900bf4d8097bf372ec405a6af4bba63a6d92132932a30
SHA51221c3985bdc883b7c0fcdfb660a577eb03870943d9e812a24726158b6c06cc36b00425fdeafddcb099fddd1488173280563f7241c9589e69d04d1eb1b5daa786b
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
4.4MB
MD56a4853cd0584dc90067e15afb43c4962
SHA1ae59bbb123e98dc8379d08887f83d7e52b1b47fc
SHA256ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
SHA512feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
-
Filesize
3.6MB
MD5698ddcaec1edcf1245807627884edf9c
SHA1c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155
-
Filesize
206KB
MD52a4a588494c5589c167ead83fa3ea696
SHA138291652a06280be10d68d9843737fefaff3eb31
SHA25678b315d3820682dd5cc231da611642bb1ecf133a68ab0451212e315dd0d2ae53
SHA512dc815c1bafd415de631197a9c036919211bcfb080c7c54c4bdc74fac697f0b5110a8caa7d5e52d3e3a34653a9516efab32208d99afe573d49b731e85f4b18193
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
4.4MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB