53cd6d57499142348253949c4c6cee9b696a78fa99a5a68fcd6f78e55776cd63

Resubmissions

28/02/2024, 11:10

240228-m96traab8y 7

28/02/2024, 11:07

240228-m7zbwsab3z 7

28/02/2024, 11:06

240228-m7grvaaa72 7

Analysis

max time kernel
147s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Julien_and_anarchi_selfsniper_C.rar
Size

2.9MB
MD5

cc5610e6313e3ae170f1c51397c51ed0
SHA1

8f90b6802b1b290e808920895ba74490d524416e
SHA256

53cd6d57499142348253949c4c6cee9b696a78fa99a5a68fcd6f78e55776cd63
SHA512

75828bb0e08d8dc2d3ac85974127a059277c084bd76d022eb6679a3231a28adff248e133a53bbd7b892a72ab79836ed69e8506281f67162c65ea2db3b1a44609
SSDEEP

49152:ipGqHPpVT+bzj++y6wDsAeWUyi0ELfl4pUxaiBMt9TOdKfH7ZnptvHi7NWVxAq/a:6GqHxVabz7PAUtLfl4p6QwdKzZpFk0Cf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3696	NitroSniper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
5	camo.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3840	msedge.exe
3840	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5004	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	5004	7zFM.exe
Token: 35	5004	7zFM.exe
Token: SeSecurityPrivilege	5004	7zFM.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5004	7zFM.exe
5004	7zFM.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 5004	4920	cmd.exe	82
PID 4920 wrote to memory of 5004	4920	cmd.exe	82
PID 5004 wrote to memory of 3696	5004	7zFM.exe	85
PID 5004 wrote to memory of 3696	5004	7zFM.exe	85
PID 5004 wrote to memory of 3696	5004	7zFM.exe	85
PID 3696 wrote to memory of 4856	3696	NitroSniper.exe	87
PID 3696 wrote to memory of 4856	3696	NitroSniper.exe	87
PID 4856 wrote to memory of 4052	4856	msedge.exe	88
PID 4856 wrote to memory of 4052	4856	msedge.exe	88
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3484	4856	msedge.exe	89
PID 4856 wrote to memory of 3840	4856	msedge.exe	90
PID 4856 wrote to memory of 3840	4856	msedge.exe	90
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91
PID 4856 wrote to memory of 4540	4856	msedge.exe	91

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Julien_and_anarchi_selfsniper_C.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Julien_and_anarchi_selfsniper_C.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\7zOC836ADA7\NitroSniper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC836ADA7\NitroSniper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Disc0rdTools/NitroSniper
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9dce3cb8,0x7ffc9dce3cc8,0x7ffc9dce3cd8
        5⤵
        
        PID:4052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
        5⤵
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
        5⤵
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:4620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        5⤵
        
        PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7ec261da2ac26279c7f8b3429e013a5

SHA1
81a735315b6f8171bb8331f60c828468653f43d6

SHA256
31c43682d011108de6717c4c1b2749ba3f67f61f671c663fa516129689277067

SHA512
b1430745f9137974eb894c60934a74244efbfef4ef80434430510d20de0aea124a402560fec5c6d7aabc40619f2ed175a3d86e5a41070c0d1ca047e171596edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC836ADA7\NitroSniper.exe

Filesize
1.9MB

MD5
d5e815c37b6ed6465820693673e35da8

SHA1
335d5b7c1056b6d6010db628963051f1a244ddbe

SHA256
934d2022814c6dfb0145608d9d270597d46feec5ce833d754576d6a73650a632

SHA512
e9775eae34493d94bc96aa3adc25f95cba4c45d4b263565f23e834409cbd122ab731f052595382d7ab8857c133c8068644bb100ad03cdd3201e6fc5bdc4280a9

Download Submit
memory/3696-17-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/3696-16-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3696-18-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3696-19-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3696-20-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3696-21-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3696-15-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/3696-14-0x0000000005C00000-0x00000000061A6000-memory.dmp

Filesize
5.6MB

Download
memory/3696-12-0x0000000000880000-0x0000000000A6E000-memory.dmp

Filesize
1.9MB

Download
memory/3696-13-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download