76a56aa46b0102a96a4af355f5e03aff2b6ae6076f040ff4ff4e0d943a75d411

Analysis

max time kernel
88s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MegaDownloader_v1.8.exe
Size

3.1MB
MD5

e88a876515ddca653c424791d614e58e
SHA1

4dd7b4bddac0aac4439e0e1582a943628b670e63
SHA256

76a56aa46b0102a96a4af355f5e03aff2b6ae6076f040ff4ff4e0d943a75d411
SHA512

3d7bc4c0da0216b632551b4520d1b3ab4442175e03db5f4705cbf69ee41d1cf4bdf8ccd275ee40634346f549f16d93d7a98ed929069032fc87a91b8b1c489db8
SSDEEP

49152:2qeNVTiHG5hswaJJoUxpyfKV5SiheRiiZQCu9f0BTHgXhfSUQP:nE5iHUPajqCVlwfgJ0ZgXxxQP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
992	MegaDownloader_v1.8.tmp
5048	MegaDownloader.exe
4176	MegaDownloader.exe

Loads dropped DLL 1 IoCs

pid	Process
992	MegaDownloader_v1.8.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\MegaDownloader\unins000.dat	MegaDownloader_v1.8.tmp
File created	C:\Program Files\MegaDownloader\is-V814Q.tmp	MegaDownloader_v1.8.tmp
File created	C:\Program Files\MegaDownloader\is-LVD1O.tmp	MegaDownloader_v1.8.tmp
File opened for modification	C:\Program Files\MegaDownloader\unins000.dat	MegaDownloader_v1.8.tmp
File opened for modification	C:\Program Files\MegaDownloader\MegaDownloader.exe	MegaDownloader_v1.8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\URL protocol	MegaDownloader_v1.8.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command	MegaDownloader_v1.8.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell	MegaDownloader_v1.8.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open	MegaDownloader_v1.8.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command\ = "\"C:\\Program Files\\MegaDownloader\\MegaDownloader.exe\" %1"	MegaDownloader_v1.8.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mega	MegaDownloader_v1.8.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mega\ = "URL: mega Protocol"	MegaDownloader_v1.8.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5048	MegaDownloader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
992	MegaDownloader_v1.8.tmp
992	MegaDownloader_v1.8.tmp
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe
5048	MegaDownloader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	MegaDownloader.exe
Token: 33	5048	MegaDownloader.exe
Token: SeIncBasePriorityPrivilege	5048	MegaDownloader.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
992	MegaDownloader_v1.8.tmp
5048	MegaDownloader.exe
5048	MegaDownloader.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5048	MegaDownloader.exe
5048	MegaDownloader.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 992	4664	MegaDownloader_v1.8.exe	96
PID 4664 wrote to memory of 992	4664	MegaDownloader_v1.8.exe	96
PID 4664 wrote to memory of 992	4664	MegaDownloader_v1.8.exe	96
PID 992 wrote to memory of 5048	992	MegaDownloader_v1.8.tmp	107
PID 992 wrote to memory of 5048	992	MegaDownloader_v1.8.tmp	107

C:\Users\Admin\AppData\Local\Temp\MegaDownloader_v1.8.exe
"C:\Users\Admin\AppData\Local\Temp\MegaDownloader_v1.8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\is-24588.tmp\MegaDownloader_v1.8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-24588.tmp\MegaDownloader_v1.8.tmp" /SL5="$801E0,2536378,780288,C:\Users\Admin\AppData\Local\Temp\MegaDownloader_v1.8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Program Files\MegaDownloader\MegaDownloader.exe
    "C:\Program Files\MegaDownloader\MegaDownloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5048

C:\Program Files\MegaDownloader\MegaDownloader.exe
"C:\Program Files\MegaDownloader\MegaDownloader.exe"
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2220 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MegaDownloader\MegaDownloader.exe

Filesize
2.0MB

MD5
f3b0a05d8683d57861e9a42f451f7349

SHA1
1eec6fb2649038ae4ec2daa1d7464fa7e7c5ed3a

SHA256
388af83e7ab90e23beb0f662c3e08211f63230a7f985e92d4b4d559d8d62b556

SHA512
c8385282e269772902db470d12784046a6dd62c067ff6d00874159116d20942bb5d02997874377cb6a1ad24fbd60eb954cb713c30de3efe45ee6db066e57b214

Download Submit
C:\Program Files\MegaDownloader\MegaDownloader.exe

Filesize
705KB

MD5
c9776dea70af96d8751360d9c629df78

SHA1
e1d9f25ef2350385b39a8c5ed54442d1c9c519c2

SHA256
8b4af25def34055e6f4aa61b818cbec9a23731781f0cf1fb5c836f62eb9dae5b

SHA512
f1dfdd423a567983dde59a86453b08f32d283cb0f9eac7fbf0f4ff4fbb6ecaa0439f2aee09721669557bd1bc86b7751c6bee7bc1c8bf603fa89151763b624694

Download Submit
C:\Users\Admin\AppData\Local\MegaDownloader\Internal\Buffer.dat

Filesize
50B

MD5
370208c6d6b30ae5a8151f11b7ef6cd5

SHA1
570dd5fe862a11cd503e8e53e04b4cedbd8fd0b7

SHA256
9cd3d82322d8dce11834a4d93d061d9231f8b3ba0e6aea7be86ca4051dea7ba1

SHA512
de80689e814fb74abe6a4c49970ff074771b3d16e747b5c98c1bfc6fe8e72122793e496b75602bf4c6b1eaef7ab6a3902bdf1f427027f1c8e1c3c4ad458b9773

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-24588.tmp\MegaDownloader_v1.8.tmp

Filesize
2.5MB

MD5
96eb39b5d1650daab0a9fde463532dba

SHA1
4fb2fb85a00120526bac8439209241b00bacb987

SHA256
cee4083982feb0e7b78423295621a98ec63df522cf4475e3cc103ab3a95c0896

SHA512
780c558be33290fabae820f02c62d0e3a61792a56a06d80a248e9cf12b345f6d1bb45421970305ddb3dd17866b62d600d999c465803f68d0e103182715313fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7L9MM.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
memory/992-12-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/992-37-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/992-5-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4176-57-0x00007FFC8A0E0000-0x00007FFC8ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/4176-54-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/4176-53-0x00007FFC8A0E0000-0x00007FFC8ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/4664-11-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4664-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4664-38-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5048-40-0x000000001D5E0000-0x000000001D65C000-memory.dmp

Filesize
496KB

Download
memory/5048-61-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-36-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-32-0x000000001B940000-0x000000001BDC6000-memory.dmp

Filesize
4.5MB

Download
memory/5048-31-0x00007FFC8A0E0000-0x00007FFC8ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-58-0x00007FFC8A0E0000-0x00007FFC8ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-59-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-39-0x000000001B890000-0x000000001B8FE000-memory.dmp

Filesize
440KB

Download
memory/5048-62-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-64-0x0000000021670000-0x00000000216C0000-memory.dmp

Filesize
320KB

Download
memory/5048-66-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-30-0x0000000000C40000-0x0000000000CA2000-memory.dmp

Filesize
392KB

Download
memory/5048-81-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-82-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/5048-86-0x000000001CE00000-0x000000001CE26000-memory.dmp

Filesize
152KB

Download
memory/5048-88-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download