Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/03/2024, 20:00

General

  • Target

    https://www.wurstclient.net

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (25 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.wurstclient.net
    1⤵
    PID:2920
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5432 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:4828
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5816 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3496
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5020 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4960
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5504 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:4280
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=2624 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5724 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2784
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=2792 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:1200
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6544 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:1896
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5716 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:3384
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6436 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:5224
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=7008 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5312
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    • Modifies registry class
    PID:5320
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5556
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6208 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:5564
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=8224 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5636
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8332 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5740
  • C:\Users\Admin\Downloads\Setup.exe
    "C:\Users\Admin\Downloads\Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:5828
  • C:\Users\Admin\Downloads\Setup.exe
    "C:\Users\Admin\Downloads\Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://pcapp.store/installing.php?guid=5BAA2AAC-6F09-498D-A5A6-E1E70CF8EBE4X&winver=19041&version=fa.1087e&nocache=20240306200155.77&_fcid=1709755290433550
      2⤵
      PID:5356
  • C:\Users\Admin\Downloads\Setup.exe
    "C:\Users\Admin\Downloads\Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:6068
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5760 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2320
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7844 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:5820
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6960 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:5728
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=8740 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:1
    1⤵
    PID:5640

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\54644a\Temp\tempPOSTData
    Filesize  1KB
    MD5       b5597e367f97c775696e8c7e378992d4
    SHA1      aab8aaf94000fefed9aee6c62174fcb144440ffe
    SHA256    cf50e07242260196e4418a0c4fd22a7b276a8fe04c043f92520eac99ee543d8c
    SHA512    c3be3c7b7ef702f70a645a2475460d01c64c130a4a16fde01756be65a9044587238b79b3d445886858c05452af089429c3ff96208a2ff2dd2b98e69fe7f2c12d

  • C:\Users\Admin\54644a\Temp\tempPOSTData
    Filesize  2KB
    MD5       7beabaff8239fb67c5d406add4649b17
    SHA1      f0ecfbe3de3cebf4121d19973eb1e36f76d00232
    SHA256    e487ef20b7eddc09de95caae02d3cb6552cfcfcd2de2deb8cf61be350ee4779d
    SHA512    3e0c252174874fcd1cfd795d8fb13fd1af4c19639d399073c12b0ba40d0cedd90917f18c71fecbc3dd05e73bb55c37acc23c54535e968c796d2ae2e124164861

  • C:\Users\Admin\54644a\Temp\tempPOSTData
    Filesize  3KB
    MD5       50e3bd97636e78bf2cf788bddf66ee21
    SHA1      805049d323f34c4a2725da7a7a36c8a17f7169e8
    SHA256    6ae6e53f9bd33ea67b61fb72149eaff831b4a926e743269e175bc64522655fdc
    SHA512    f02dda8d1c763935519a4e1897499bff9a216446dcbf6b3cf97c3f3357c803b38969bec65479ef7476275e7b94585bc06e1317749ecbd8447fb80da5f3d10e1b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0
    Filesize  471B
    MD5       420bbff21d374ccd71f4b571c30fea31
    SHA1      bbb0cab5d9697ec255d24f407e099003c9c0b09a
    SHA256    6702223b9c970e478ba29f0d89a5f72f12e2ef60a150a14167f5d33939544256
    SHA512    8116eae652cd6c51b27ab7ba3a6049f29f0e5c3608f5a20e29664b8d20cc9b5091d83bf4ac7921c9f66f72223fee8ce68d2ea53f90e2c2a4e4ec2b94542aea19

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE
    Filesize  471B
    MD5       98d7610ddf260256dbb84169010f36b5
    SHA1      972df0d31f725b2a99b01a18ad0b0638cd2d431a
    SHA256    55af72af7a604d52e8b70940d5c775278fa9dbbd4524d1f1c731056742198d0e
    SHA512    3bf25928037347d21ae3b285a5559fcf28d77a5e3ca0b4e5a650f181adcecd74e64ff605a08662ec0e090d4c6126615a8fd09bea54b7ac66cc6c58765ac57882

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\773CFF2C7835D48C4E76FE153DBA9F81_15174A80589B8DAF9768E9131F4845C0
    Filesize  404B
    MD5       bab96fc042156187fa943e0920efc816
    SHA1      603af1cd1f8e2ac1011af79401ed00f9f412af96
    SHA256    8fe3b4a3b2955678432633ae27285fa7b3db79766730a157fc9fb430472f7535
    SHA512    a0de1ffd26b375157f02c26b73fe7c9e96c4ead59e6b916beec9dc6510d31c4de88d47d001b1fc36d5ef3298eca8637a52affe3380149519c18c4e801fdb0cbb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE
    Filesize  412B
    MD5       11b8250c671a100223a4a5cfe133a3f1
    SHA1      12a4ef6d5de20e01974de5585c1247dcf63efe04
    SHA256    7c56dab2dacccb855b3b33af91705dae98df0018edd21a1b7f164714d7a11727
    SHA512    47a399225748bb40dfbb08afa9719a63ebb8da5d7cba19b64d97ca7e351be8b5d7f071d4132037fe761cff32d9764444bbc1cd5b3c2ed7b69c3217c47c79f3c3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_C39E9DBC666D19C07EEE7CD1E11AF8BE
    Filesize  412B
    MD5       b263757338d18aab8d2dfe94122f2799
    SHA1      f363b119ca18ff04c1dc690dab8dbc60c89c426c
    SHA256    c57650bc2fa6ecd0df564e235e1258ae23323561998d9405e13eeff49b5275c9
    SHA512    a381a653738bb05f1a5a5aff5e190013ba063011469d04b5794f6277d21a42b6e755aadb5b8183e07f17a626e5e469fa3bfbb1842dcc0fbb6dd45efa88af0bd0

  • C:\Users\Admin\AppData\Local\Temp\nso309.tmp\image.gif
    Filesize  997B
    MD5       1636218c14c357455b5c872982e2a047
    SHA1      21fbd1308af7ad25352667583a8dc340b0847dbc
    SHA256    9b8b6285bf65f086e08701eee04e57f2586e973a49c5a38660c9c6502a807045
    SHA512    837fa6bcbe69a3728f5cb4c25c35c1d13e84b11232fc5279a91f21341892ad0e36003d86962c8ab1a056d3beeb2652c754d51d6ec7eee0e0ebfe19cd93fb5cb0

  • C:\Users\Admin\AppData\Local\Temp\nso309.tmp\modern-wizard.bmp
    Filesize  25KB
    MD5       cbe40fd2b1ec96daedc65da172d90022
    SHA1      366c216220aa4329dff6c485fd0e9b0f4f0a7944
    SHA256    3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
    SHA512    62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

  • C:\Users\Admin\AppData\Local\Temp\nso309.tmp\nsJSON.dll
    Filesize  23KB
    MD5       f4d89d9a2a3e2f164aea3e93864905c9
    SHA1      4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a
    SHA256    64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb
    SHA512    dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2

  • C:\Users\Admin\AppData\Local\Temp\nso30A.tmp\System.dll
    Filesize  12KB
    MD5       cff85c549d536f651d4fb8387f1976f2
    SHA1      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
    SHA256    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
    SHA512    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • C:\Users\Admin\AppData\Local\Temp\nso30A.tmp\inetc.dll
    Filesize  38KB
    MD5       a35cdc9cf1d17216c0ab8c5282488ead
    SHA1      ed8e8091a924343ad8791d85e2733c14839f0d36
    SHA256    a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df
    SHA512    0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

  • C:\Users\Admin\AppData\Local\Temp\nso30A.tmp\nsDialogs.dll
    Filesize  9KB
    MD5       6c3f8c94d0727894d706940a8a980543
    SHA1      0d1bcad901be377f38d579aafc0c41c0ef8dcefd
    SHA256    56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
    SHA512    2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
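Added example, not part of the sandbox report or of the installer it analyses: a host-side sweep that turns the dropped-file list above into something an incident responder can run. It embeds the four SHA256 values the report gives for nsJSON.dll, System.dll, inetc.dll and nsDialogs.dll, and additionally treats any DLL found in a directory named like nso309.tmp / nso30A.tmp (the per-run plugin folder an NSIS installer extracts to under %TEMP%) as suspicious, so a rebuilt plugin with a fresh hash is still surfaced. The directory layout it scans is constructed in a temporary folder and the file contents are stand-ins, not the real samples; the sweep(), sha256_of() and demo() names are this example's own.

```python
"""IoC sweep derived from the Downloads section of the sandbox report.

Flags (a) files whose SHA256 matches a reported plugin DLL hash and
(b) DLLs sitting in an NSIS plugin-staging directory. The demo tree is
constructed; nothing here touches real malware.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads section.
REPORTED_DLL_SHA256 = {
    "64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb": "nsJSON.dll",
    "8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8": "System.dll",
    "a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df": "inetc.dll",
    "56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2": "nsDialogs.dll",
}

# Directory names of the shape the report shows (nso309.tmp, nso30A.tmp):
# "ns" + one letter + up to four hex digits + ".tmp", which is how NSIS names
# the temporary folder it unpacks its plugin DLLs into.
NSIS_STAGING_DIR = re.compile(r"^ns[a-z][0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, known_hashes: dict[str, str] = REPORTED_DLL_SHA256) -> list[dict]:
    """Walk root and return one record per flagged file: path, sha256, reasons."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        in_staging = NSIS_STAGING_DIR.match(folder.name) is not None
        for name in files:
            path = folder / name
            digest = sha256_of(path)
            reasons = []
            if digest in known_hashes:
                reasons.append(f"sha256 matches reported {known_hashes[digest]}")
            if in_staging and name.lower().endswith(".dll"):
                reasons.append("DLL inside NSIS plugin staging directory")
            if reasons:
                hits.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def demo() -> list[dict]:
    """Constructed layout (hypothetical stand-ins, not real samples) that mirrors
    the report: a plugin folder holding a DLL and a GIF, a benign text file, and
    a planted 'Setup.exe' whose hash is appended to the watch list so both
    detection paths are exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staging = root / "Temp" / "nso309.tmp"
        staging.mkdir(parents=True)
        (staging / "inetc.dll").write_bytes(b"constructed stand-in for the inetc plugin")
        (staging / "image.gif").write_bytes(b"GIF89a")      # not a DLL: not flagged
        (root / "notes.txt").write_text("benign")           # outside staging: not flagged
        planted = root / "Downloads" / "Setup.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed stand-in for the downloaded installer")
        watch = dict(REPORTED_DLL_SHA256, **{sha256_of(planted): "Setup.exe (planted)"})
        return sweep(root, watch)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "->", "; ".join(hit["reasons"]))
```

On a live host, point sweep() at the user's profile (the report's paths sit under C:\Users\Admin\AppData\Local\Temp and C:\Users\Admin\54644a) rather than the constructed tree; the staging-directory rule fires on name and location only, so treat it as a lead to inspect, not a verdict.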