Analysis
-
max time kernel
106s -
max time network
111s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
22/02/2024, 12:27
General
-
Target
https://github.com/ytisf/theZoo/tree/master/malware/Binaries/VBS.NoMercy.B
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 36 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of SetWindowsHookEx 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ytisf/theZoo/tree/master/malware/Binaries/VBS.NoMercy.B"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ytisf/theZoo/tree/master/malware/Binaries/VBS.NoMercy.B2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.0.641673168\1829091063" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eab65008-8c91-4669-8a3f-ecf38af89b9e} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 1864 22cd42da458 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.1.734751120\275967402" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a84b0e7e-ee00-446e-8457-7fff50edb5a5} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2264 22cd41f0d58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.2.1458716951\1306677775" -childID 1 -isForBrowser -prefsHandle 2752 -prefMapHandle 3200 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1653c73-2a84-4308-a496-1f030a51b8c2} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 2756 22cd93e8358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.3.1807920801\1862077928" -childID 2 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12d813cc-1916-4bba-b68f-84d67d278dec} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 3752 22cc826a958 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.5.1563542768\1334524090" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4912 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db35d013-9329-4c0f-930b-f994fd56c830} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4772 22cdb867358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.6.633358200\554099466" -childID 5 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d6f4880-326e-47a3-8375-adc38017e029} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 5092 22cdb867658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1704.4.406561862\1044054534" -childID 3 -isForBrowser -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1220 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1290bd86-6317-4489-8868-c7781b2e9246} 1704 "\\.\pipe\gecko-crash-server-pipe.1704" 4752 22cdb868e58 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\VBS.NoMercy.B\readme.1st"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\VBS.NoMercy.B\HTML.NoMercy.b.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc7a5d3cb8,0x7ffc7a5d3cc8,0x7ffc7a5d3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,6057579462647012365,7729799440676358502,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,6057579462647012365,7729799440676358502,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,6057579462647012365,7729799440676358502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6057579462647012365,7729799440676358502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6057579462647012365,7729799440676358502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5601fbcb77ed9464402ad83ed36803fd1
SHA19a34f45553356ec48b03c4d2b2aa089b44c6532d
SHA25609d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15
SHA512c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220
-
Filesize
152B
MD5a91469041c09ba8e6c92487f02ca8040
SHA17207eded6577ec8dc3962cd5c3b093d194317ea1
SHA2560fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f
SHA512b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f
-
Filesize
6KB
MD543cccf2b07eca51675499962fad2835a
SHA1ccacc47c452ba4278432515e3bad6afcd74f94c9
SHA256ab542bac1addcb34813517b6d2470742505effb083859b50f94946ba296ecc78
SHA512dc754f52cc876622eb13532b8dce817782bf7b74c0604a058da4269b175d89e1a9384eca6e4778e96ecedf29d2f8bd2b692baa2959da5edda8d49a35e177806a
-
Filesize
6KB
MD580d5ba537a02866d0f234ff5de9359d6
SHA1c41538b051d69a2a105f22cb818e2dbca3d0b472
SHA256fbdaa1621cf7ef3f46c176ebba3442024be097bff327df4f1f548274c7a7426e
SHA5123b3d117fd2886c269db386a01bee5f947a49e372230ce4adc2b9cff50807675d8abbf222a140f9f48260d6b52934c57bfc092a3d433218bc396d7a00ed55f90f
-
Filesize
11KB
MD5ffc2206e0bdee301ef2b5512882386fc
SHA126f6299796a3973dd0736e0e3e235e74754bc44d
SHA256abd1111b544a60d3005982afad93412423c17922876c4983bea3de2126ff146d
SHA51242097b0f2e9f55d11009ed07b63ae6c905e15cc2390ca0d78199b3e973eed90eeb069b508c2c8eaca382a4801a7ce85d0f0879810b5f6ab2fac54561ba1a2037
-
Filesize
11KB
MD5534e84e21c29fd1616309eca868229bc
SHA1c74832799fa38ba5181b1a421c156437917e2216
SHA2569cabc05b3508916cffdd71fe6b30d33494354f960279b6f239d61e1f057122b5
SHA512e5779152486c562a6ee0258b10655213d5631ebeae2a5dd9d74d55ecfdedf6cbd86cbf51d7a02c836989398d57d77318608a2428f919d390df9568437d9f51b2
-
Filesize
238B
MD5d778a1b63c4c546a1ca67eab311b0939
SHA1f0c083dad8430105f343f8e399556d78c45e30f7
SHA256f21c9ed6cd0959a2d89193dc0da7c2fa840dd15e56bd617a0a6928d29eb6dbad
SHA512cc3d5ac3e0286ca922812250c65d449b7557f06c5598b86889a0d37f8653e7c8ab646fda388db2c30e73ae0e105798ddb53639e22cb8babb206629325ad4074d
-
Filesize
2KB
MD52d0cb39f2885502080e93b217291f3bc
SHA1ad17de7248f44d3799ead28694fd3120f12fa08c
SHA256513838b5bca65d6609fb71834f0c76e948205b079087c10d5f1c65deab910067
SHA512b8756235b55eb3d3302d78a5e666971f9d42acb776ff1dc418366e7be7001415e47668b04f3efc4a039af15f9d82071ab57ceba41ed92c643cc654c36613fd41
-
Filesize
12KB
MD50c1b4f1961173243b51216d7a4f4c7b6
SHA14b03553ddea8644fd5060aad2c2b3f26ead952de
SHA256ba052d5698ac4af699a6d32ccc5421554cf31f1b0f82461ba8a4337da4cca41b
SHA512bd2504d8d9550bb3c7d4501a1455a9e058055b7c037f30d480fc7897ae8947118c65e01b9150c15fd6a376d1df5f5f4dc77aead427817183dae35de6a7202869
-
Filesize
746B
MD59d3a073107f893d4b8b71c5458f744e5
SHA18d1a3bf49c1bc1f67d03b3bcbcc331b68c647ed2
SHA256c1ac5a8f889aca07aca14cde6f0e75b634f8c6358abc6e41ed39f08a5a13f47f
SHA512fdf34b4f50a4b9fe01c2062f921ce165fb363e1ef6b9576b8805aca39c17835ebc5aacde3e6d5ea251eb66fcdeb6e51b3bf7ab9cff04a8bd933e5b66379cf25e
-
Filesize
6KB
MD52245c11fe83ca2187943a6ae54c90504
SHA126da4452aa1e98dea39298faf520c3bbe9a66c73
SHA256eabede2af24765c4896be14c492dd044e757526cd50fa9352232b6066592a378
SHA512799eee1a4c9fc4ad093cf1208c25928294ebc1013aeca4de8a0f0c0b966056faeae0f4e85ce0e55cb521f3641bafa09c81a952303f17a0fdd316c1501689b067
-
Filesize
6KB
MD5ce884a7dd17a9a57930f1c41668b3acc
SHA158780ab758ce6605721224892b25779bc07781e6
SHA256030698ecfd1c910dd79acbbfd499c6871aa5579d1fc9139057252b77aaf62c94
SHA512c13512e49d5b7c7139bd9729354f7925e06c8e7010874231395c5cb2820aa3378ea888fcd7e9b8a070adb56863bf5eddf8082c909f4ee50cc4277401c587d393
-
Filesize
6KB
MD5575fa6267b38498309e2a9f30746872c
SHA158940c1c5b003a6c4cae5198e3960549e9c1561f
SHA256d966084ebb470cca01c68521df699cb829310958efe0e4040a23a6a7b13a2a69
SHA512adbb8becee37a134d9efb5893ed7a111a24b836c22fd141fea0199951ba61108c2095d9d562783f7b6addd54ccaa8a533f92410729b6fca47e3c7d3caaa94cb4
-
Filesize
3KB
MD5c89aac67d33b2cdc0b5521985dd9e89e
SHA1087048db97641990a0928a28cd391df463c9a036
SHA256a9ebb3ec5f8867979b84db23b79d41e3cc2a18a1a6a332d87558ca97137c121d
SHA5123fddca2daac8608c37de7e57566e5f9fc673b61178f6810f0cb2e09645c5476aec772922e19e1fd89ac5d887d9231435d2966a7a1180c2919d900430417de1db
-
Filesize
3KB
MD563ba033cea059c0c818fe3bb79ce6b14
SHA184b7652e1e619de50b4dd9f7822eae14d4d9a9e1
SHA25686a589536c02effa2814fa1b6f175b7f1ec1094c7ee407d30eae349bb2a6b09e
SHA512fde40d70d42efd925fa1662ce8ea3b8d1c30f84940e366847a394ef75eaf635faed91477d27b931ab02ce60402d3adfd4c3dda530f41e75f1f5732d655168e90
-
Filesize
3KB
MD5e909fbbb359e260a840ec2c8e187c6c6
SHA14adae1343ce7d0ec44c91115c3f726fb43bd8b4e
SHA256ff27ecacd23437cd626c6970ef5711562bf83408291188afb3139298269f65ac
SHA51239a1ed0718e7342db49c4d1a76a8cfbb44789e796bbf5212b564ec8a8a3e65ae1e1a360255db76efe62a7f10077b77e1a6ed86db915aff17b3241642bd16cc32
-
Filesize
2KB
MD5fe8aa88331fc7d50e1b6cdfed2e1a083
SHA1b6e743d8589c7a13c710fba962b6eaa33a96a8aa
SHA2565dcedafac1544eea7083b7aa494a551aac9996472d2806194024c93d79f4571c
SHA512b39936ec558adb8b0ce04e5799ca8fff333779ffa1c5b4d424983ffb4dad62137afc31afeb86b91977c5202dbdd94bdd90599a666e8bfaf98d3e21bd6d35c598
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB