Overview
overview
7Static
static
3cd109c901e...56.exe
windows7-x64
3cd109c901e...56.exe
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$SYSDIR/Gw...ni.scr
windows7-x64
1$SYSDIR/Gw...ni.scr
windows10-2004-x64
1$TEMP/dospop.exe
windows7-x64
7$TEMP/dospop.exe
windows10-2004-x64
7tbu03852/dospop.dll
windows7-x64
6tbu03852/dospop.dll
windows10-2004-x64
6tbu03852/options.html
windows7-x64
1tbu03852/options.html
windows10-2004-x64
1tbu03852/s...g.html
windows7-x64
1tbu03852/s...g.html
windows10-2004-x64
1tbu03852/s...b.html
windows7-x64
1tbu03852/s...b.html
windows10-2004-x64
1tbu03852/tbhelper.dll
windows7-x64
1tbu03852/tbhelper.dll
windows10-2004-x64
1tbu03852/t...091.js
windows7-x64
1tbu03852/t...091.js
windows10-2004-x64
1tbu03852/u...ll.exe
windows7-x64
1tbu03852/u...ll.exe
windows10-2004-x64
1tbu03852/update.exe
windows7-x64
1tbu03852/update.exe
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16/03/2024, 04:07
Static task
static1
Behavioral task
behavioral1
Sample
cd109c901e0149d9fa176d2f8324fe56.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cd109c901e0149d9fa176d2f8324fe56.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$SYSDIR/Gwen Stefani.scr
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$SYSDIR/Gwen Stefani.scr
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$TEMP/dospop.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$TEMP/dospop.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
tbu03852/dospop.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
tbu03852/dospop.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
tbu03852/options.html
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
tbu03852/options.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
tbu03852/static_img.html
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
tbu03852/static_img.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
tbu03852/static_pub.html
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
tbu03852/static_pub.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
tbu03852/tbhelper.dll
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
tbu03852/tbhelper.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
tbu03852/tbs_include_script_008091.js
Resource
win7-20240220-en
Behavioral task
behavioral20
Sample
tbu03852/tbs_include_script_008091.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
tbu03852/uninstall.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
tbu03852/uninstall.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
tbu03852/update.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
tbu03852/update.exe
Resource
win10v2004-20240226-en
General
-
Target
tbu03852/static_pub.html
-
Size
599B
-
MD5
0bf3de7de6f6a9ece7674fb245c7e428
-
SHA1
a71d601820676d5741734e825c7347d59570bc98
-
SHA256
29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
-
SHA512
30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1944 msedge.exe 1944 msedge.exe 2632 msedge.exe 2632 msedge.exe 2496 identity_helper.exe 2496 identity_helper.exe 452 msedge.exe 452 msedge.exe 452 msedge.exe 452 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe 2632 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2632 wrote to memory of 1564 2632 msedge.exe 88 PID 2632 wrote to memory of 1564 2632 msedge.exe 88 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 3376 2632 msedge.exe 89 PID 2632 wrote to memory of 1944 2632 msedge.exe 90 PID 2632 wrote to memory of 1944 2632 msedge.exe 90 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91 PID 2632 wrote to memory of 1068 2632 msedge.exe 91
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff814c546f8,0x7ff814c54708,0x7ff814c547182⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:22⤵PID:3376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:82⤵PID:1068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:12⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:12⤵PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵PID:1112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵PID:3992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵PID:1840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:12⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2507241055436401910,149763237392454250,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3440 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:452
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2844
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1492
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD547b2c6613360b818825d076d14c051f7
SHA17df7304568313a06540f490bf3305cb89bc03e5c
SHA25647a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA51208d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
Filesize
152B
MD5e0811105475d528ab174dfdb69f935f3
SHA1dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA5128374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
Filesize
6KB
MD554035e5a9d6bb367b5912f1a6f39de7a
SHA1619f15262acf5fd7429c6f8edc542c58714cea68
SHA256e5939c3460b8e88080fb202f6c2b1e9a09eee4d1fb568fc0c918011c904a6751
SHA512b0e8a304af4b4aebd0f056e565cdd3d3dbd6525b0dbcfac0a0f95e01201542272ee1be79417c243803381162e83513509b0cc98f1e2545cb80495a0b1e9b47bf
-
Filesize
6KB
MD5772593f0485719e485b0f1aa1fc912a4
SHA11febfb24ae67bcbb84b3a4b3d44676f13703e9a2
SHA25600dd240d2693667cf6f02f27f187514b86d789d3588e21cb9770f483f48e8045
SHA5122d96017c51497c0b0a471825b8b669b5332ebc504950fa161578d708946e017caf821afef4bba9d13a474a8fa7cce71c436650ba93b6a6fcad6f316e6087518c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD548559b223b32c8bccaf52b1f0139f0d0
SHA19f07d1c788d6051c62ae90010a9efbc9491f05da
SHA256f820b5e8f976097fcfbffac134bd4088dad6481b2ddb408d8a0a682ece014fec
SHA51263052f2f5e304de1d8a0c31a5d85e9f98db313247889734d0290b24af063603c48c9e123c650e4a6bbd203b9b6ed6e218fd52ce3ff504d5609316d435a44a13a