Analysis
-
max time kernel
60s -
max time network
61s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
27/02/2024, 19:55
General
-
Target
Arc.xml
-
Size
1KB
-
MD5
8ab4f705c55fe341f64938859f85c8a8
-
SHA1
e1c3b636137fbb656f9bb0926c090d9862138e3a
-
SHA256
02d924b287580c5b44f46de2e0b757c0b27a6ddbbedc5fb5d50e393c69548b14
-
SHA512
575ba88cd441071ebbe72c2760f5614797ef1e26c524c6aaebeeb17162899b18c967f74cb5eaedc470d1118b1d70fb2f528da2f390057ed972dbd333d3a777c7
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Arc.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Arc.xml2⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\DenyStart.htm1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffac3e3cb8,0x7fffac3e3cc8,0x7fffac3e3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15286366529248964363,3562568819298957836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50e10a8550dceecf34b33a98b85d5fa0b
SHA1357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
SHA2565694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
SHA512fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a
-
Filesize
152B
MD53b1e59e67b947d63336fe9c8a1a5cebc
SHA15dc7146555c05d8eb1c9680b1b5c98537dd19b91
SHA2567fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
SHA5122d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0
-
Filesize
6KB
MD5374a08171ffd3a6d55612a129985f685
SHA1a9497cefb0d88a7cd97e0273976e8ae67f43f1c1
SHA256cb2e531f70c6e8c6457e0b7ff74e8dc4d8b4031d7570e6d4f41f6d2547f796f0
SHA512dec14856ac1070c0f910b51939eeaafbe6c44ffc8b4032ada8195aa13fe560564c242fb7dfdbd1b586e91e46eb71565313481b3b8710a61a59800cb40875d6de
-
Filesize
6KB
MD531eb4f8ac64ee546bb7cdfff7d158ddc
SHA149b37e552d421d03026f64ca093cdce9162f8d54
SHA256189aacf970a20c1c035113ff7f5453c03fe33fb8e9ce238c3ea01a6c6fb4a3b3
SHA512dba514b3b976ec4055551582980a4e0557f6e0110ac314828436f5678af85bf66ec872588f67f25eea927aa6f1aded9c1a7d4d6461cad22d5a975b0c168092f5
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5793d3fbd0e22bdd09802cd36e50c59d1
SHA17840d4661cb2f5553e67614357a28672e223c555
SHA25623737e9a39de01d5d132c6b8b7c21e929578cc2a3f314700243efbbc2e3d6628
SHA51220ba4d350a24058660cf1d1b83a92b6beaf593d33352e3ec44f68e0fb5dc240b1a02257a304ba38d73bc5cdc4444e26fd787320b3992721bf5bd9d1371c9a267
-
Filesize
11KB
MD5e167cb9b511773bdc1ba2c117baefdf0
SHA165af8d9ef0de533bdad79d6970622564ed996975
SHA25602ff9e13963c5e64dc20e7889a2c97a2cd5396f7025a49a4350920eb25c7b087
SHA51296e7e4b52a9ce7f55e4670a068e535f6110087859c3b2eac50d037f2c46d6ad610fc21f585bdf9fa78a5cf1183e40aff3eeb11c8db54dd6ef6380a7aaace0470
-
Filesize
917B
MD56db3003d4035a94044b3983bcfbe6a7a
SHA1424a1dc46cf24960459ab50b452e8f46c7cd1677
SHA256d4370ccde3df941c0d5042d2092f3760fd488f508a900fc0b6a7fde436984c5c
SHA512430ae92736a6d12306227a00f2e82cfc8a5c23d6ba9f93ad4c21701465ad834c4e4e4c6ef0739bbc3287260dc020d7b2479f6f395119720ff19edcd8abe4cb42
-
Filesize
1KB
MD540f3b70079776526e28c077b85f64e16
SHA1f3bb2be7442928912c1776790e2abf1726331e6a
SHA256f88f943bad1783edb45c8ed3d03eb1edcf7f7e2e72f8aede24386aa9f3cb06b1
SHA5129f13f27069f3bf6bbc5cb7700d15d3383381a2061caf8d6026418ec4a689c99bc4e8160e575ea99047e3daa75f0f7615e2e00e595069ac027e9ca6a147c724e0
-
Filesize
90B
MD5d9c49c37b59f7b2c2c54967f556a5255
SHA13c137e52f4e448567ddd749ceb665cd0828ec991
SHA256b499c3506826e5d51d280454660b5d9e530cb3744110d5a91eaf75624c47ba80
SHA512699b916cafd077b661702319580083126db044a40cfaa7130bdbfa4a80ab2236ba0ac33c700b4e44f7c423577e2208312bdd38da48fc4d6d005ac18c32f2e724
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB