Analysis

max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2024, 12:19
Static task: static1

Behavioral tasks (task: sample, resource)

behavioral1: d618921099f3913b985beb1550eeb3a0.exe, win7-20240221-en
behavioral2: d618921099f3913b985beb1550eeb3a0.exe, win10v2004-20240226-en
behavioral3: $APPDATA/ȫַ!.lnk, win7-20231129-en
behavioral4: $APPDATA/ȫַ!.lnk, win10v2004-20240226-en
behavioral5: $APPDATA/Ա-!.lnk, win7-20240221-en
behavioral6: $APPDATA/Ա-!.lnk, win10v2004-20240226-en
behavioral7: $DESKTOP/Ա-!.lnk, win7-20231129-en
behavioral8: $DESKTOP/Ա-!.lnk, win10v2004-20240226-en
behavioral9: $FAVORITES/Ա-!.url, win7-20240220-en
behavioral10: $FAVORITES/Ա-!.url, win10v2004-20240226-en
behavioral11: $PLUGINSDIR/BrandingURL.dll, win7-20240215-en
behavioral12: $PLUGINSDIR/BrandingURL.dll, win10v2004-20240226-en
behavioral13: $PLUGINSDIR/InstallOptions.dll, win7-20240221-en
behavioral14: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240226-en
behavioral15: $SMPROGRAMS/Chicken Invaders 4 Ultimate Omelette/155ɫվ.lnk, win7-20240221-en
behavioral16: $SMPROGRAMS/Chicken Invaders 4 Ultimate Omelette/155ɫվ.lnk, win10v2004-20240226-en
behavioral17: $SMPROGRAMS/ȫַ!.lnk, win7-20240215-en
behavioral18: $SMPROGRAMS/ȫַ!.lnk, win10v2004-20240226-en
behavioral19: $SMPROGRAMS/Ա-!.lnk, win7-20231129-en
behavioral20: $SMPROGRAMS/Ա-!.lnk, win10v2004-20240226-en
behavioral21: 155ɫվ.lnk, win7-20240221-en
behavioral22: 155ɫվ.lnk, win10v2004-20240226-en
behavioral23: CI4.exe, win7-20240220-en
behavioral24: CI4.exe, win10v2004-20240226-en
behavioral25: bass.dll, win7-20240221-en
behavioral26: bass.dll, win10v2004-20240226-en
behavioral27: gamedone.html, win7-20240221-en
behavioral28: gamedone.html, win10v2004-20240226-en
behavioral29: newgames.html, win7-20240221-en
behavioral30: newgames.html, win10v2004-20240226-en
behavioral31: order.html, win7-20240220-en
behavioral32: order.html, win10v2004-20231215-en
General

Target: $APPDATA/ȫַ!.lnk
Size: 362B
MD5: 9656c04d91ae3066cc07235e06fa0b32
SHA1: b2fcbbaaee9cdfe744909a5b6b20f88fd26ae118
SHA256: b5ed69a6cd004197ebef1742aa3c27d5d7d78cdb15b3129957ec89fe65666f0a
SHA512: 93a28b9d2f0b99bc56001837183f69f7ceebe372b44ed1640c5fe35ba6b3c5616aea04326e865ae206868f0c12e04b42c1b183b19d90f0d6d65fb841340dcf63
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                     process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid    process
4700   msedge.exe (2 entries)
2564   msedge.exe (2 entries)
2944   msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid    process
2564   msedge.exe (3 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
pid    process
2564   msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid    process
2564   msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs; repeated identical rows collapsed)
description                        pid    process      procid_target
PID 5088 wrote to memory of 2564   5088   cmd.exe      89
PID 2564 wrote to memory of 3980   2564   msedge.exe   91
PID 2564 wrote to memory of 2092   2564   msedge.exe   93
PID 2564 wrote to memory of 4700   2564   msedge.exe   94
PID 2564 wrote to memory of 3996   2564   msedge.exe   95
Processes

C:\Windows\system32\cmd.exe (PID 5088)
    cmd /c C:\Users\Admin\AppData\Local\Temp\$APPDATA\ȫַ!.lnk
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2564)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.1122i.com/?ie
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3980)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8058846f8,0x7ff805884708,0x7ff805884718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2092)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4700)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3996)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3324)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3520)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4696)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2944)
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18064599741539544640,13487041019526267817,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4936)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2344)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 47b2c6613360b818825d076d14c051f7
SHA1: 7df7304568313a06540f490bf3305cb89bc03e5c
SHA256: 47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA512: 08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Filesize: 152B
MD5: e0811105475d528ab174dfdb69f935f3
SHA1: dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256: c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA512: 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 288B
MD5: b3099f3500bbd8beca16c39db899b175
SHA1: afd6d07cc12874b1424e96bd490b4fed4eb8f1a9
SHA256: 2716818d59fd7620b947cd78e175e2570536472176de62fbae7d3534a952595b
SHA512: 2e0a5f44633211e4571eab2d0c6cd764527e3dcff15be52315be1a72c91589ee12dd7c7531469499889871bc957dabccfa674524cb33322ee42f7fbb7a437cf7

Filesize: 702B
MD5: 0e2e9a2ef8562b58cc2485c8aef961a3
SHA1: 89d0132c6e63070cdcccfc01856ed5ec6b62c14e
SHA256: 1606507c493f18368152d0c942df7e2c26a9dae05d1e2d8a193c8b8fac58d444
SHA512: 520de065689e51837e4525d113d502f57c71ab3e2ae4364f8fa1647c82c781b08e2811ce8d6f485b61535f2e0073f363c7aee2d2f8284931fc7503382f328adc

Filesize: 6KB
MD5: 1dc646456fc359beb5419dd6f16f038a
SHA1: 414d9b92e0772e3203787ea02a9fe7793694341c
SHA256: d46176b3cdec89cfdb85af6c6727f585a8cfe62c0a1c3a877afd314705ada6d2
SHA512: e0e240238ca45ddd6b636bd84f997963f6066f6bb2d1b3d8fcb023b1e858cc92f3891cb45ded6e7cd04f28a2303b0fd17305c30f837f89a9daba5ae3231c84d7

Filesize: 6KB
MD5: 908097ba16d67603acd978484d99dce4
SHA1: 15bbe6703f6866c4be7f1dae72289aa16ac7f353
SHA256: cbdea67817ca3dcd0736b135571212d1146fab647011945ef4a586e19f7a680b
SHA512: b6fde614f547a00af8ee3937ec192eb664fa77277b9372e3aa4b5c9b4eb36e149a0cacea30fe97bbd83d22e91702ef85e60adf79726b5f6eb38a6381f8976e8d

Filesize: 11KB
MD5: d0e93c14ce926eeee09a3f186e8b6f85
SHA1: 8a1998497515291a7c3d3fdafe76fd4644005cc9
SHA256: ac91027667e07d5f47b1d52def5cdf0567dfe0fd6149b7b31d48202c056ca938
SHA512: 0a9cdb79a7203e4d5885045bd97f3e8a0859e8895fe64b3e542719f37a6ed4c9e3776e02ff75fca8118bf01cf0e90da95d1edb131053d3a647a212bf1c61f8c9