Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23/02/2024, 09:51

General

  • Target

    Forza-Mods-AIO.exe

  • Size

    13.2MB

  • MD5

    170b9031c89726d445a322689ff66ff7

  • SHA1

    e4d827a5ff30aca7783d872b03c2afd3c78e5d62

  • SHA256

    26bde4f22eaa466847881b96b4fed699f850dafe2af43f722df1e588aacbf46f

  • SHA512

    2ddb71e49e763d3067a8fd0824f8914b19e9ff1ec7e47e484c95453ec029254cc92831934a05a18803ae3ba39282a03923686f2ba9015d688fddc19d2cfbc0b5

  • SSDEEP

    98304:YbhD4ny4CVdxkYNYSFxP81Sqg15upj7P1sD8JBM:yhDq0x+SfoBg1g5j1sDn
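
Before reusing this verdict for a file you hold, confirm it is the same sample: the following Python (an added example, not part of the report or of the Forza-Mods-AIO project) recomputes the four hashes listed above and compares them with the report's values. It uses only the standard library, so the SSDEEP value is not recomputed; `hash_file` reads the 13.2MB binary in chunks instead of loading it whole. The bytes used in the test are constructed and are not the sample.

```python
"""Check that a local file matches the hashes a sandbox report lists for a sample."""
import hashlib
import sys

# Hashes copied from the report's General section.
REPORTED_HASHES = {
    "md5": "170b9031c89726d445a322689ff66ff7",
    "sha1": "e4d827a5ff30aca7783d872b03c2afd3c78e5d62",
    "sha256": "26bde4f22eaa466847881b96b4fed699f850dafe2af43f722df1e588aacbf46f",
    "sha512": (
        "2ddb71e49e763d3067a8fd0824f8914b19e9ff1ec7e47e484c95453ec029254c"
        "c92831934a05a18803ae3ba39282a03923686f2ba9015d688fddc19d2cfbc0b5"
    ),
}


def compute_hashes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed so a large binary is not read at once."""
    hashers = {name: hashlib.new(name) for name in REPORTED_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data: bytes, expected: dict = REPORTED_HASHES) -> dict:
    """Map each algorithm to True where the local bytes match the reported digest."""
    actual = compute_hashes(data)
    return {name: actual[name] == expected[name].lower() for name in expected}


def matches_report(data: bytes, expected: dict = REPORTED_HASHES) -> bool:
    """Pin identity on SHA-256. MD5 and SHA-1 are kept for looking the sample up in
    other databases, not as proof of identity, since both are collision-broken."""
    return verify_sample(data, expected)["sha256"]


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-file>
    local = hash_file(sys.argv[1])
    for name, digest in local.items():
        status = "OK" if digest == REPORTED_HASHES[name] else "MISMATCH"
        print(f"{name:6s} {status}  {digest}")
```

If only the MD5 or SHA-1 line matches while SHA-256 does not, treat the file as a different sample; if all four mismatch, check first that the file was not modified in transit (packers, AV quarantine, and some download paths alter the bytes).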

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops file in Windows directory (4 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: MapViewOfSection (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Forza-Mods-AIO.exe
    "C:\Users\Admin\AppData\Local\Temp\Forza-Mods-AIO.exe"
    1⤵
    • Checks computer location settings
    PID:204
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2636
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:1332
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4176
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4228
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1852
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1544

Network

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
          Filesize: 4KB
          MD5: 1bfe591a4fe3d91b03cdf26eaacd8f89
          SHA1: 719c37c320f518ac168c86723724891950911cea
          SHA256: 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
          SHA512: 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZP3JQEV6\edgecompatviewlist[1].xml
          Filesize: 74KB
          MD5: d4fc49dc14f63895d997fa4940f24378
          SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
          SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
          SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\FYM42U9T\dotnet.microsoft[1].xml
          Filesize: 84B
          MD5: 4603b3ce1c1fdd042a48a4c92f8b8bad
          SHA1: 6d8f5443402f39185da61df3b16cf59f8b0d977a
          SHA256: f671f2103c1791d270e9c7f52c05ee3accf36c98ddd115bddfbdb05c424d4eb9
          SHA512: 7eecf058d28c78807f4c3502a256981e06e708e187c2caca5514019b30f9aa90ad73d02d2d3fdd5ab8be413df9e82e549da9bf009b3a68d8d57e9a3320c9b3bd

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\FYM42U9T\dotnet.microsoft[1].xml
          Filesize: 387B
          MD5: 065cfa8d7bc4eeee12b7f5b2af33e874
          SHA1: 675680627852dbe9f9ccc90f0e6cafc9c3ec5d30
          SHA256: 1093e24982ff3cb918d3488da113422c2607ef731c77756d649d4cc37f3fa9ba
          SHA512: c02367a6e6116e6ae65f5b8fc96dd73683f9bc4ad815a0241299318fc265f4376fe2cf823db8fae553e97ecbc3b83af178c38a813f524613d2968e7257366ecc

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\GD8RYPPD\suggestions[1].en-US
          Filesize: 17KB
          MD5: 5a34cb996293fde2cb7a4ac89587393a
          SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
          SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
          SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\P2AXMKN4\favicon[1].ico
          Filesize: 161KB
          MD5: 8565042b6db20c23647202bf4b95f11b
          SHA1: 9f0829cb3ceef14ac10e0b66338d8b7243a09101
          SHA256: dd7958526f6b8510fc2a9a675056d78e029e62015e8913dda574ff5797ddb969
          SHA512: dbf692b7219a3ea993ab939442a843ffbc7bcfe63bc62117a14ed7e953ffce595393e9f950649aa609a7a9a94b56003ab84cb82edaf2db3e4551434204085b95

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\m3lihh6\imagestore.dat
          Filesize: 64KB
          MD5: f633c0de3f935fa6f8e08f5d7aed28af
          SHA1: 8ced514fc400e906c7f2c1b98fec8d65aef1166e
          SHA256: 7cd215cdabf5b5e1391021c77ee72e40fc69f586a2ee5eb8ee7071c6a5dcb5d6
          SHA512: f180bbf212df27315798c6df23b231a5797c29baebdb6125e7bbf16151431e3179e5d56cc57a54e6c22774592f5d71e7f79011bb5fc80692ee8b45bef5f29715

        • memory/1852-421-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-92-0x0000019D1C890000-0x0000019D1C892000-memory.dmp (Filesize: 8KB)
        • memory/1852-111-0x0000019D210A0000-0x0000019D210A2000-memory.dmp (Filesize: 8KB)
        • memory/1852-113-0x0000019D210B0000-0x0000019D210B2000-memory.dmp (Filesize: 8KB)
        • memory/1852-115-0x0000019D210D0000-0x0000019D210D2000-memory.dmp (Filesize: 8KB)
        • memory/1852-142-0x0000019D1CBA0000-0x0000019D1CCA0000-memory.dmp (Filesize: 1024KB)
        • memory/1852-157-0x0000019D1C240000-0x0000019D1C260000-memory.dmp (Filesize: 128KB)
        • memory/1852-163-0x0000019D21A40000-0x0000019D21B40000-memory.dmp (Filesize: 1024KB)
        • memory/1852-172-0x0000019D21B80000-0x0000019D21C80000-memory.dmp (Filesize: 1024KB)
        • memory/1852-107-0x0000019D21060000-0x0000019D21062000-memory.dmp (Filesize: 8KB)
        • memory/1852-186-0x0000019D21E20000-0x0000019D21E40000-memory.dmp (Filesize: 128KB)
        • memory/1852-193-0x0000019D1C2E0000-0x0000019D1C300000-memory.dmp (Filesize: 128KB)
        • memory/1852-195-0x0000019D1CB20000-0x0000019D1CB22000-memory.dmp (Filesize: 8KB)
        • memory/1852-79-0x0000019D1C820000-0x0000019D1C822000-memory.dmp (Filesize: 8KB)
        • memory/1852-428-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-256-0x0000019D22530000-0x0000019D22630000-memory.dmp (Filesize: 1024KB)
        • memory/1852-105-0x0000019D1CEE0000-0x0000019D1CEE2000-memory.dmp (Filesize: 8KB)
        • memory/1852-109-0x0000019D21080000-0x0000019D21082000-memory.dmp (Filesize: 8KB)
        • memory/1852-82-0x0000019D1C840000-0x0000019D1C842000-memory.dmp (Filesize: 8KB)
        • memory/1852-309-0x0000019D22680000-0x0000019D226A0000-memory.dmp (Filesize: 128KB)
        • memory/1852-314-0x0000019D231A0000-0x0000019D232A0000-memory.dmp (Filesize: 1024KB)
        • memory/1852-419-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-420-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-427-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-422-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-423-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-424-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-425-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/1852-426-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp (Filesize: 64KB)
        • memory/2636-0-0x0000023623B20000-0x0000023623B30000-memory.dmp (Filesize: 64KB)
        • memory/2636-246-0x000002362A250000-0x000002362A251000-memory.dmp (Filesize: 4KB)
        • memory/2636-247-0x000002362A270000-0x000002362A271000-memory.dmp (Filesize: 4KB)
        • memory/2636-35-0x0000023628440000-0x0000023628442000-memory.dmp (Filesize: 8KB)
        • memory/2636-16-0x0000023623D20000-0x0000023623D30000-memory.dmp (Filesize: 64KB)
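
The dump names above encode the process, a capture index and the region's address range (memory/<pid>-<index>-<start>-<end>-memory.dmp), and the same region can be captured repeatedly (1852-419 through 1852-428 are all the 64KB region at 0x19D0AFF0000). Note that every dump here comes from the Edge processes (PIDs 1852 and 2636), not from the sample's own process (PID 204). The following Python, an added example that is not part of the report or of any sandbox's own tooling, parses those names, checks each address range against the listed Filesize, and reports distinct captured memory per PID so repeats are not counted twice. The entry list in the code is a subset copied from the list above.

```python
"""Parse memory/<pid>-<n>-<start>-<end>-memory.dmp names from a sandbox report,
check them against the listed Filesize, and summarise distinct memory per process."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# The report uses binary units (64KB == 65536 bytes).
SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Subset of the entries listed in the report: (dump name, listed Filesize).
REPORT_DUMPS = [
    ("memory/1852-421-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp", "64KB"),
    ("memory/1852-92-0x0000019D1C890000-0x0000019D1C892000-memory.dmp", "8KB"),
    ("memory/1852-142-0x0000019D1CBA0000-0x0000019D1CCA0000-memory.dmp", "1024KB"),
    ("memory/1852-193-0x0000019D1C2E0000-0x0000019D1C300000-memory.dmp", "128KB"),
    ("memory/1852-428-0x0000019D0AFF0000-0x0000019D0B000000-memory.dmp", "64KB"),
    ("memory/2636-0-0x0000023623B20000-0x0000023623B30000-memory.dmp", "64KB"),
    ("memory/2636-246-0x000002362A250000-0x000002362A251000-memory.dmp", "4KB"),
]


def parse_size(text):
    """'64KB' -> 65536, '84B' -> 84; accepts a decimal prefix such as '13.2MB'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([KMG]?)B", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def parse_dump_name(name):
    """Split a dump name into pid, capture index, start, end and region size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def check_sizes(entries):
    """Return the names whose address range disagrees with the listed Filesize."""
    return [name for name, listed in entries
            if parse_dump_name(name)["size"] != parse_size(listed)]


def summarize(entries):
    """Per PID: dump count, distinct regions, and bytes across distinct regions.
    Repeated captures of one region (index 419..428 in the report) count once."""
    per_pid = defaultdict(lambda: {"dumps": 0, "regions": set()})
    for name, _ in entries:
        d = parse_dump_name(name)
        per_pid[d["pid"]]["dumps"] += 1
        per_pid[d["pid"]]["regions"].add((d["start"], d["end"]))
    return {
        pid: {
            "dumps": v["dumps"],
            "distinct_regions": len(v["regions"]),
            "distinct_bytes": sum(end - start for start, end in v["regions"]),
        }
        for pid, v in per_pid.items()
    }


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORT_DUMPS) or "none")
    for pid, s in sorted(summarize(REPORT_DUMPS).items()):
        print(f"PID {pid}: {s['dumps']} dumps, {s['distinct_regions']} distinct regions, "
              f"{s['distinct_bytes'] // 1024} KB distinct")
```

A mismatch from `check_sizes` usually means the name was truncated or mangled in copying rather than a sandbox error, so it is worth running before feeding dump names into a tracking system; the per-PID summary is what tells you which process is actually worth pulling dumps for.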