Overview: score 7
Static: score 3

Tasks (score per task and platform)

Task                     Platform             Score
SetupFile 1.0.0.exe      windows7-x64         7
SetupFile 1.0.0.exe      windows10-2004-x64   7
$PLUGINSDI...ls.dll      windows7-x64         3
$PLUGINSDI...ls.dll      windows10-2004-x64   3
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3
LICENSES.c...m.html      windows7-x64         1
LICENSES.c...m.html      windows10-2004-x64   1
SetupFile.exe            windows7-x64         1
SetupFile.exe            windows10-2004-x64   7
d3dcompiler_47.dll       windows10-2004-x64   1
ffmpeg.dll               windows7-x64         1
ffmpeg.dll               windows10-2004-x64   1
libEGL.dll               windows7-x64         1
libEGL.dll               windows10-2004-x64   1
libGLESv2.dll            windows7-x64         1
libGLESv2.dll            windows10-2004-x64   1
locales/uk.ps1           windows7-x64         1
locales/uk.ps1           windows10-2004-x64   1
resources/elevate.exe    windows7-x64         1
resources/elevate.exe    windows10-2004-x64   1
vk_swiftshader.dll       windows7-x64         1
vk_swiftshader.dll       windows10-2004-x64   1
vulkan-1.dll             windows7-x64         1
vulkan-1.dll             windows10-2004-x64   1
$PLUGINSDI...7z.dll      windows7-x64         1
$PLUGINSDI...7z.dll      windows10-2004-x64   3

Analysis
Max time kernel: 147s
Max time network: 161s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02/03/2024, 21:28
Static task: static1

Behavioral tasks

Task          Sample                       Resource
behavioral1   SetupFile 1.0.0.exe          win7-20240221-en
behavioral2   SetupFile 1.0.0.exe          win10v2004-20240226-en
behavioral3   $PLUGINSDIR/StdUtils.dll     win7-20240221-en
behavioral4   $PLUGINSDIR/StdUtils.dll     win10v2004-20240226-en
behavioral5   $PLUGINSDIR/System.dll       win7-20240221-en
behavioral6   $PLUGINSDIR/System.dll       win10v2004-20240226-en
behavioral7   LICENSES.chromium.html       win7-20240220-en
behavioral8   LICENSES.chromium.html       win10v2004-20240226-en
behavioral9   SetupFile.exe                win7-20240221-en
behavioral10  SetupFile.exe                win10v2004-20240226-en
behavioral11  d3dcompiler_47.dll           win10v2004-20240226-en
behavioral12  ffmpeg.dll                   win7-20240221-en
behavioral13  ffmpeg.dll                   win10v2004-20240226-en
behavioral14  libEGL.dll                   win7-20240215-en
behavioral15  libEGL.dll                   win10v2004-20240226-en
behavioral16  libGLESv2.dll                win7-20240221-en
behavioral17  libGLESv2.dll                win10v2004-20240226-en
behavioral18  locales/uk.ps1               win7-20240221-en
behavioral19  locales/uk.ps1               win10v2004-20240226-en
behavioral20  resources/elevate.exe        win7-20240221-en
behavioral21  resources/elevate.exe        win10v2004-20240226-en
behavioral22  vk_swiftshader.dll           win7-20240215-en
behavioral23  vk_swiftshader.dll           win10v2004-20240226-en
behavioral24  vulkan-1.dll                 win7-20240221-en
behavioral25  vulkan-1.dll                 win10v2004-20240226-en
behavioral26  $PLUGINSDIR/nsis7z.dll       win7-20240221-en
behavioral27  $PLUGINSDIR/nsis7z.dll       win10v2004-20240226-en
General
Target: LICENSES.chromium.html
Size: 6.5MB
MD5: 180f8acc70405077badc751453d13625
SHA1: 35dc54acad60a98aeec47c7ade3e6a8c81f06883
SHA256: 0bfa9a636e722107b6192ff35c365d963a54e1de8a09c8157680e8d0fbbfba1c
SHA512: 40d3358b35eb0445127c70deb0cb87ec1313eca285307cda168605a4fd3d558b4be9eb24a59568eca9ee1f761e578c39b2def63ad48e40d31958db82f128e0ec
SSDEEP: 24576:d7rs5kjWSnB3lWNeUmf0f6W6M6q6A6r/HXpErpem:rovj
Malware Config
Signatures

All six signatures below fire on msedge.exe (PID 4432), the Edge browser process that opened the target HTML, and on the helper processes it spawned; every WriteProcessMemory target is a direct child of PID 4432 in the process tree that follows. Repeated identical IoCs are collapsed into an event count.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Description        IoC                                                                      Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
PID    Process              Events
4496   msedge.exe           2
4432   msedge.exe           2
1480   identity_helper.exe  2
4772   msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
PID    Process     Events
4432   msedge.exe  6

Suspicious use of FindShellTrayWindow (25 IoCs)
PID    Process     Events
4432   msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)
PID    Process     Events
4432   msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs)
Writer PID  Process     Target PID  procid_target  Events
4432        msedge.exe  4192        88             2
4432        msedge.exe  2680        90             40
4432        msedge.exe  4496        91             2
4432        msedge.exe  1108        92             20
Processes

- PID 4432: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 4192: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5a7146f8,0x7ffc5a714708,0x7ffc5a714718
  - PID 2680: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  - PID 4496: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1108: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  - PID 264: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  - PID 180: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - PID 1348: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  - PID 1480: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2780: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  - PID 2336: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  - PID 2424: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - PID 3804: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  - PID 4772: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,9160066717145080724,14017203912468940754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 3264: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4628: C:\Windows\System32\CompPkgSrv.exe -Embedding
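The 64 WriteProcessMemory IoCs and the process tree above are easier to judge once the events are collapsed by target and joined to each target's Chromium role and sandbox switches. The script below is an added example for doing that triage, not code from the sandbox vendor or from Microsoft Edge. The PIDs, switches and write counts are copied from this report, the parent links follow the depth of the tree shown above, and the command lines are trimmed to the switches the helper inspects (the --gpu-preferences blobs and the crashpad annotation switches are dropped).

```python
"""Triage helper for the process tree and WriteProcessMemory IoCs of a
sandbox report on a Chromium-based browser (here msedge.exe).

Added example, not code from the sandbox vendor or from Microsoft Edge.
PIDs, switches and write counts are copied from the report; parent links
follow the tree depth shown there; command lines are trimmed to the
switches this helper inspects.
"""
import re
from collections import Counter

# The --field-trial-handle value every Chromium child in the report carries.
FTH = "1864,9160066717145080724,14017203912468940754,131072"

# Constructed from the report: (pid, parent pid or None, image, trimmed command line).
PROCESSES = [
    (4432, None, "msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html'),
    (4192, 4432, "msedge.exe",
     r'msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7'),
    (2680, 4432, "msedge.exe",
     f"msedge.exe --type=gpu-process --field-trial-handle={FTH} --mojo-platform-channel-handle=2200 /prefetch:2"),
    (4496, 4432, "msedge.exe",
     f"msedge.exe --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle={FTH} --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3"),
    (1108, 4432, "msedge.exe",
     f"msedge.exe --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle={FTH} --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8"),
    (264, 4432, "msedge.exe",
     f"msedge.exe --type=renderer --field-trial-handle={FTH} --lang=en-US --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1"),
    (1480, 4432, "identity_helper.exe",
     f"identity_helper.exe --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle={FTH} --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8"),
    (4772, 4432, "msedge.exe",
     f"msedge.exe --type=gpu-process --field-trial-handle={FTH} --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --mojo-platform-channel-handle=2056 /prefetch:2"),
    (3264, None, "CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

# The 64 "wrote to memory" IoCs, collapsed to (writer, target) with the multiplicities
# listed in the signature table.
WRITES = [(4432, 4192)] * 2 + [(4432, 2680)] * 40 + [(4432, 4496)] * 2 + [(4432, 1108)] * 20

TOKEN = re.compile(r'"[^"]*"|\S+')              # one quoted run, or one bare token
SWITCH = re.compile(r"^--([A-Za-z0-9-]+)(?:=(.*))?$")


def parse_switches(cmdline):
    """Map every --switch[=value] on a Chromium command line; bare switches map to True."""
    switches = {}
    for tok in TOKEN.findall(cmdline):
        m = SWITCH.match(tok.strip('"'))          # quotes wrap whole switches on Windows
        if m:
            switches[m.group(1)] = True if m.group(2) is None else m.group(2)
    return switches


def role(cmdline):
    """Chromium process role: the root browser, a --type child (with its sub-type), or neither."""
    s = parse_switches(cmdline)
    if "type" not in s:
        return "browser" if "single-argument" in s else "non-chromium"
    sub = s.get("utility-sub-type")
    return f"{s['type']}/{sub}" if sub else s["type"]


def summarize_writes(processes, writes):
    """Collapse write events to (target pid, count, target role, target is a direct child of the writer)."""
    by_pid = {p[0]: p for p in processes}
    rows = []
    for (writer, target), n in sorted(Counter(writes).items()):
        proc = by_pid.get(target)
        if proc is None:                          # target missing from the tree: worth a look
            rows.append((target, n, "unknown", False))
        else:
            rows.append((target, n, role(proc[3]), proc[1] == writer))
    return rows


def unsandboxed_children(processes):
    """PIDs of children launched with the service sandbox or the GPU sandbox switched off."""
    hits = []
    for pid, parent, _, cmd in processes:
        s = parse_switches(cmd)
        if parent is not None and (s.get("service-sandbox-type") == "none" or "disable-gpu-sandbox" in s):
            hits.append(pid)
    return hits


def field_trial_handles(processes):
    """Distinct --field-trial-handle values among the children (crashpad carries none and is skipped)."""
    handles = set()
    for _, parent, _, cmd in processes:
        s = parse_switches(cmd)
        if parent is not None and "field-trial-handle" in s:
            handles.add(s["field-trial-handle"])
    return handles


if __name__ == "__main__":
    for target, n, r, child in summarize_writes(PROCESSES, WRITES):
        print(f"4432 -> {target:<5} x{n:<3} {r:<45} direct child of writer: {child}")
    print("children with a sandbox switched off:", unsandboxed_children(PROCESSES))
    print("field-trial handles seen:", field_trial_handles(PROCESSES))
```

On this report the helper resolves all 64 writes to four direct children of PID 4432 (the crashpad handler, the first GPU process, the network service and the storage service), which is the shape a Chromium browser process produces when it sets up its own helper processes, and it lists the three children started with --service-sandbox-type=none or --disable-gpu-sandbox. A write whose target is not a child of the writer, a target missing from the tree, or a child whose --field-trial-handle differs from its siblings is what would turn this generic signature into something worth chasing.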
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5: 73c8d54f775a1b870efd00cb75baf547
  SHA1: 33024c5b7573c9079a3b2beba9d85e3ba35e6b0e
  SHA256: 1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94
  SHA512: 191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8
- Filesize: 152B
  MD5: 4b206e54d55dcb61072236144d1f90f8
  SHA1: c2600831112447369e5b557e249f86611b05287d
  SHA256: 87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b
  SHA512: c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2
- Filesize: 6KB
  MD5: 6729b63607841084252a4dfe931ec5cd
  SHA1: e573fdaf9815507be8ad1a8148d53fe0c6d6df6c
  SHA256: 96acbcc927dbb32d4a1920a38d41dde9de79852b88ea31fdb578767664e0836b
  SHA512: 7622825a90ffbcb5e97396010d9d009ab4dda92958fe275403ef4654562a8604a77561cadc90bf4ee13583a2ed8cfd15c3607dd95691e5f7b9284ca2fbc9dad8
- Filesize: 6KB
  MD5: 457e655de0ca811fa421d41f0b7f8268
  SHA1: d577308846e95d4d672f8df6034aab3942ef1a2e
  SHA256: b2790ecbeb416028c7825e62dbba71303d9d8e7b5912b155adaf8db05b69d399
  SHA512: c1bd5fbd66692de99bcf5f6e18b9e402cbaebf4ca14c64872d12a744c7b097e5ac26d26ffe7dd4d835f763c32009591efcc03864e7e3fe24d74369b7ad17445f
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 8f28816de92f9851521c94c428f5b289
  SHA1: 38fe769fd9e5dab3a000efbc024f1c14079c071b
  SHA256: 4e576cbc0022c5a1fc87bb52780048b4b86dec97844392248bf253f33539593c
  SHA512: 789a09b0bf419c9efbb9242062d638a9e71adf21aaeada6571df5496a5796240716bd343645e4492933d41e5405aebbcbb48f4fa20cef00dd666c578f3bdca93