Analysis
-
max time kernel
161s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
13/03/2024, 03:15
General
-
Target
c4d50e48b15d38067cde662d91c13627.exe
-
Size
13.0MB
-
MD5
c4d50e48b15d38067cde662d91c13627
-
SHA1
63c6e51413b2f1af9c7f82995e5a4b46d336a5da
-
SHA256
ee686dfe51cfc075c2ec5201bcf6410c67eab2008a88152ce4eed2b562fe055f
-
SHA512
fadc4d700aa9fe06fde5404e32a177527829817870fa509c0c1707a57fc41e73c668e9d7d0a2ab933bbaf7f5bfa476aa6e2f68bced145fd396b377ea9b87675a
-
SSDEEP
196608:/46ob5tOcEC7fFLOyomFHKnPU46ob5tOcEC7fFLOyomFHKnP446ob5tOcEC7fFLm:/qltDFTqltDFDqltDF
Malware Config
Signatures
-
Drops file in Drivers directory 3 IoCs
-
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4d50e48b15d38067cde662d91c13627.exe"C:\Users\Admin\AppData\Local\Temp\c4d50e48b15d38067cde662d91c13627.exe"1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc21da46f8,0x7ffc21da4708,0x7ffc21da47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5928 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,7358071626145181032,14669984352209150314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:13⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc21da46f8,0x7ffc21da4708,0x7ffc21da47183⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2ec 0x4a01⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50764f5481d3c05f5d391a36463484b49
SHA12c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224
-
Filesize
152B
MD5e494d16e4b331d7fc483b3ae3b2e0973
SHA1d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737
-
Filesize
360B
MD597ff52b56f74bd9b3630c855e1621972
SHA16581adb1fe61db08add9b9ca159038312b1e0423
SHA256bd50ae4247dcda09f4f6184c2470b6dc3a2708c68edd28a0e475ec177a69b682
SHA512dafca5c07aca0cc518800f5bf9fc03dd9d88f63fd85cafdcf309e029f6a612eed4f429336f57f2831a480b5c75f48024c23bdfceb32a39f18b461dd25abbc61e
-
Filesize
480B
MD5db47363adcdbf8d52a028579c2729e88
SHA1337db7cc6be28f4dfde26487e22b1d159bbb0b2c
SHA25685d7aa000d0b68d70ac833784d8bacb9452400b32bdbe2e1dbf74529a68e9aa0
SHA512c8776a9797ee87d109161c5f63eb75b308506fcb6c67bf47478fe635c96b2be5b7f6915fc0e298cd7d077d1a94c583bff156c8a492e513d6a8f1233c76ee29c8
-
Filesize
2KB
MD59d8a6bc70ae6777179d010fb8bd89de1
SHA1241f52228f369414d22c6de4d84c5d7764324533
SHA256c876e81885176243d89ea16d52735f01fffecd50a3b4b7cbcb72cef41032930c
SHA512818c6b4e462f1ac70063fbd19660719cfe7de24dd1df381c4808b9d9244c14fd6645422fdbc612d6c855b9df9b4314e2d0685e22975498b1c1ec7e6e0e604eb9
-
Filesize
6KB
MD5dc2c52720c52a32e98b9de2dfd0b5159
SHA19cf69ca10e6d4c6ef0a024009b1ae9f7790846db
SHA256037be51b8ef5ca65893ec5da8231d96133385731d77913bcff0c55ccf902e336
SHA5128bd54c67ec5128b432be552ec054a2061629f614f74e9e63358478f9d3184392ca9b06577ce194dab7ea7176e23e7a55178239ea821557d653928359ab1436fd
-
Filesize
6KB
MD52789bd60bc7758e8e0c3bd4e32e8defd
SHA1da24770b89cbe6faeacdf06c08be2248014df037
SHA2569fc69b6c7f64c44c7d6354ea0c3da619151424b3fea995067b8b3a32b9913d7c
SHA512fc292902621ba170ab88ee4c6907b763b4070d6259e144c802acd7e92ce6b359919ec6dc36edd83d8522d9f1cc545ba616f98fb9c9acd70be167644adf989fab
-
Filesize
7KB
MD5e9da36604a33be078722658eb60eb957
SHA17ce0c4bc8f14e960d727dbae069c0fc587784c6e
SHA2569884b68780ac50970a768135f237b4842566fbd30f3fc9f880d158e9ce6e1002
SHA512c928a98651b51b76da13c1d680bd36a1134c035a00f3a72ab3023a0104f74bf17fffbfe1742fb6a11e01dfa17b892c2f0977f5069319e34423d93b42ce09ef62
-
Filesize
6KB
MD5c0e56b3975367f39e033c5498fb19298
SHA166f42f3787c9a2ba522026dffbe18f3b015af818
SHA256c602a8ec32ff76e6a9a17e2d802bf7699912dac8526fc422bbcf9cbd2630ec2a
SHA51220d4a3db17d4b0ea9bb90c766c5a998adc530fedd3ce76766aef6f9df9963b26e8c82dd3bc51a60a72f0d5891b03ebb476c990be6e17ba735c01f103ff94edc2
-
Filesize
871B
MD59e6a6de0700c07b6aaffd239a98f4a85
SHA14c6dda7b1671405c284b3e386dff1d9acaee0cfe
SHA2563aab7b2a306405b59afc239abdd682fbabd939b4df2faf606ffecbece5b222dd
SHA5129789e1654dd96258a6ee82992fb9643cb680807bd4f7eb087141909976d3ad08b26fab0ccee360788ae72f7a23587744cc6c695880f26cef806d1de0293a7203
-
Filesize
1KB
MD53617557dc09193afe84cba6fb61c7002
SHA1ba36ca23bc7ea3e41ee6143a5bc97edefe6d9dcf
SHA2564b2fbb9b7b6f54911a6d7d6582b7ab0927903c33da1a83629a3e6e4382f1aa4c
SHA512fe747d2d40d569c39774448d145f9c9dc8c6a526bb4682565021cd65fd62444343af18f423827b04be04cef914882408900347c65032b6fb914fbaa8c6d5069a
-
Filesize
203B
MD5c58187026fec5457a84d4396d109f551
SHA11adaa3443b46f50afdb202844e88f3845061027e
SHA25607bcd5a24e54a2824743c1093128e7019107542991f3a3e0f35815804e10dad7
SHA5120458854ad04b45e8231f3522abc5b6827d8919499bddb5006decbb5189793463f17670963f7f28dc2b3971308862c55220d4c1679df0938acf04ebe53cfa3ca0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5ec22ac15978e7ec75126f892e5620515
SHA1a6c1f43df4fdc56b06710c8121d2fa51957cd2bf
SHA256604fd9554c03c9729594332a60cd67d33235234a7faf5b38790e590c0964a926
SHA512852ae36341827d13b7bb68635926eda73c8620e7d5a6728daea1de3c405536b67532ef515413edf029fb20c623ff596e64b3b1c35146d2d92ee583ed0c58da49
-
Filesize
12KB
MD54a294e95a76482cb0d3f955bef7ba062
SHA1afe341b172c702988a7cca4b87afa5ddcb3351ca
SHA256376a245482774644613c8a999b4ef2b4dbecc1503d2bf75466251d793ff5d411
SHA512933fcc679bed63131cd565c42fb3ec03d68d8d590dbc5b1ed697ca19b98dcf853ff65670d957fbc02190a48a6669f51495c53a6d891b748fae281518aceba1cd
-
Filesize
29KB
MD52196f48f191714682525e491e22aa7cf
SHA1ae805cad67cd2eb59e682d29ff2dede4b95207b1
SHA2564129f205b7c81d36461fe061143ac31f381f0c5c6d79bac67b53640374b89c2c
SHA512582784f39f0fc1f7b42f77afc1d2f9d27e6e236796af002422a9c923e7b504137256633e5a2e24f31aebe5d52c231b8799c08fbd41501fe9720b368c2c07c650
-
Filesize
13.0MB
MD55198a15cdf3531002debce52fc0e2f38
SHA1310b6d279881c12d3b97ed6685e413b0aba4d8b1
SHA256128bfacc06a2107b6a892826737b53291423d0b9ac9968465bdf30604355c532
SHA512c27e450fbe9f7bc7589f05e001e86fc493fa376f0db0ff2f9de66fe197aba4ce13f57223b96664524928a5d725092bfffc55b4ab7072537f25a3006308c4ffe8
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB