Overview

overview

8

Static

static

3

HorionInjector.exe

windows7-x64

1

HorionInjector.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    42s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2024, 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HorionInjector.exe

  • Size

    147KB

  • MD5

    6b5b6e625de774e5c285712b7c4a0da7

  • SHA1

    317099aef530afbe3a0c5d6a2743d51e04805267

  • SHA256

    2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

  • SHA512

    104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08

  • SSDEEP

    3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 21 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
    "C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\explorer.exe
      explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
      2⤵
        PID:1856
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3420
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6d6246f8,0x7ffa6d624708,0x7ffa6d624718
        2⤵
          PID:5108
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
          2⤵
            PID:4720
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
            2⤵
              PID:1316
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
              2⤵
                PID:3596
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
                2⤵
                  PID:3236
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
                  2⤵
                    PID:4748
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
                    2⤵
                      PID:436
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
                      2⤵
                        PID:744
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
                        2⤵
                          PID:3920
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
                          2⤵
                            PID:880
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3472 /prefetch:8
                            2⤵
                            • Modifies registry class
                            PID:3760
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3572 /prefetch:8
                            2⤵
                              PID:4420
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17940669275846052951,3155525698603292099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                              2⤵
                                PID:4168
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:404
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1680

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  d4c957a0a66b47d997435ead0940becf

                                  SHA1

                                  1aed2765dd971764b96455003851f8965e3ae07d

                                  SHA256

                                  53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

                                  SHA512

                                  19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  343e73b39eb89ceab25618efc0cd8c8c

                                  SHA1

                                  6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

                                  SHA256

                                  6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

                                  SHA512

                                  54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                  Filesize

                                  2KB

                                  MD5

                                  38bcb20750890020c65e78304348064d

                                  SHA1

                                  33376f7daba3c47208abb53bf8225776694ac519

                                  SHA256

                                  0ab199fdc9c1a4d4896dd7dd79ee58eb358eb419059ef538777859836b1a26e1

                                  SHA512

                                  10731dda002a51930ffa9f6074a9d12560271aef291e79cfe352626f38ce19162050f07844173d8f0de4fab576d202ccb0efa2d0c6768aea59c60ebc7f0975c7

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                  Filesize

                                  410B

                                  MD5

                                  902c087beaa2e8553652cc0d7c221ad3

                                  SHA1

                                  2d4aa1214ec540bc88f25e922f43e89a2704fa56

                                  SHA256

                                  c1478e3b8cb7b317d141ed3e7473d934b40d473be49357ee081a626b0556faf8

                                  SHA512

                                  d190ba6049b01f1f5517b64ef1d5b33481d6b1f4ac6ef0633d8cdc18ba84a5927bdcf50a032e461a83dadac96e63c542ecfbb5260a742eff13a901b688995e90

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  c9d620cac47aa22b38bdb43c823ac016

                                  SHA1

                                  5c29555a5cd3630e7f15512912b3b13ba5a1b299

                                  SHA256

                                  a780053df716e1bd2a01287222edf9843e5e3d6b8b6ee255c95a710a0206369e

                                  SHA512

                                  bbeb636402005dcf60ec91cbdbd0221f0032eaedf7e6d834f641f4dbc3b4d328ad833f93c90d45c249cf2bfd8b68ab9a900be9733451c280fac56b62fa7c0d64

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  c2b5addbce303233d1d2d7e96147ac26

                                  SHA1

                                  c861bec1c00c0f368460c6f0445f8a452cb0dfa0

                                  SHA256

                                  f47a7794df85b98da5293c1f888a481121aeec15353c76a920a36348a56e6e76

                                  SHA512

                                  ed75660e6630d19a65605f9d16e4e73564d290f33e3020e5d491928b93640eeea25a06177fe1c1e77bfd54eb4e4d2c14c20ff8313621be2de0cee9a6e83a012f

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  11KB

                                  MD5

                                  c446e15cdcc9c847d62e71bad30dce4b

                                  SHA1

                                  461fdde6e45d0de13db36bdfea4e89e085ecf6af

                                  SHA256

                                  fc362a6d6a90f9b58431fed2ed312aa6856b363e33f9830fd975418357f552ae

                                  SHA512

                                  6a2382f77076f008c27cc0bc702cd7daa2bb74e8d0d169f09f1ecb6fc6266b6beaa5b48fbc6143ab01ffca961746bebbd3fabece656b93428e7c6d2272fa8dc1

                                  Download Submit

                                • memory/1124-5-0x000002A73C720000-0x000002A73C728000-memory.dmp

                                  Filesize

                                  32KB

                                  Download

                                • memory/1124-9-0x00007FFA5E560000-0x00007FFA5F021000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1124-10-0x000002A73C0E0000-0x000002A73C0F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/1124-15-0x000002A73C0E0000-0x000002A73C0F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/1124-16-0x00007FFA5E560000-0x00007FFA5F021000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1124-8-0x000002A73C660000-0x000002A73C66E000-memory.dmp

                                  Filesize

                                  56KB

                                  Download

                                • memory/1124-7-0x000002A73C7A0000-0x000002A73C7D8000-memory.dmp

                                  Filesize

                                  224KB

                                  Download

                                • memory/1124-6-0x000002A73C0E0000-0x000002A73C0F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/1124-0-0x000002A720460000-0x000002A720488000-memory.dmp

                                  Filesize

                                  160KB

                                  Download

                                • memory/1124-4-0x000002A73C0E0000-0x000002A73C0F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/1124-3-0x000002A73C2E0000-0x000002A73C39A000-memory.dmp

                                  Filesize

                                  744KB

                                  Download

                                • memory/1124-2-0x000002A73C0E0000-0x000002A73C0F0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/1124-1-0x00007FFA5E560000-0x00007FFA5F021000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download