Analysis 240224-qqdkmsdf6w
Resubmissions: 24/02/2024, 13:27
max time kernel: 257s
max time network: 278s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2024, 13:27
Static task: static1
Behavioral task: behavioral1 (Sample: immunity_patch.dll; Resource: win7-20240215-en)
Behavioral task: behavioral2 (Sample: immunity_patch.dll; Resource: win10v2004-20240221-en)
General
Target: immunity_patch.dll
Size: 1001KB
MD5: ab9c8096adc570783063ca78f6a8130d
SHA1: dde1c227877c07e82553f93cadfda51b9772375c
SHA256: 3cccdfae7c0f5e9c561c8e7e95cf73630a2d98362501b18c6aaaa9d4fdf96956
SHA512: 34e1360a28a7658a983bd38cf2fbce6e19c56aa14569dbd9090f7f6fa037ed332b3f9d71982a4c735f2e5e589a7df6d517db7c04a5d4788fce8abc3e8fdcdd3b
SSDEEP: 24576:WwwjVzeBbXh2T/YMUs/Jle1sKT0mUDwU57lAfhGS8cUnKwP7Pkt:W1jVz8bXkE7s/JUoH7afTWnXQ
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid / Process: 1160 msedge.exe (2 entries), 4800 msedge.exe (2 entries), 4604 identity_helper.exe (2 entries), 1016 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid / Process: 4800 msedge.exe (all 8 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / Process: 4800 msedge.exe (all 25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process: 4800 msedge.exe (all 24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4800 (msedge.exe) wrote to memory of PID 2860 (procid_target 96), PID 4820 (procid_target 98), PID 1160 (procid_target 97) and PID 1412 (procid_target 99); 64 entries in total.
Processes
C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\immunity_patch.dll,#1
  PID: 2332
C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3108
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\RevokeConvertFrom.svg
  PID: 4800
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda55c46f8,0x7ffda55c4708,0x7ffda55c4718
      PID: 2860
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      PID: 1160
      Signatures: Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      PID: 4820
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      PID: 1412
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      PID: 3996
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      PID: 3236
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
      PID: 4380
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
      PID: 4604
      Signatures: Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
      PID: 2652
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
      PID: 4804
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      PID: 2168
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      PID: 4948
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      PID: 4572
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
      PID: 4076
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13362646333819523117,16634994840510770763,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2924 /prefetch:2
      PID: 1016
      Signatures: Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3156
C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1328
Network
MITRE ATT&CK Enterprise v15
Downloads