Resubmissions
26/03/2024, 20:51
240326-zngc7aeh9s 126/03/2024, 20:48
240326-zlj2asca34 126/03/2024, 20:44
240326-zjezkaeg8z 6Analysis
-
max time kernel
153s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26/03/2024, 20:44
General
-
Target
http://45.144.3.216:10000/rnv2ymcl
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://45.144.3.216:10000/rnv2ymcl1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4108 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3836 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5728 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5344 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6012 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6084 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6520 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5696 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\rnv2ymcl"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\rnv2ymcl3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.0.2027176340\211932586" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1840 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21a13c4a-41c9-4061-80c0-08e22c321505} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 1940 20cf1ae5b58 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.1.1781157430\1504803410" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12bdee78-f541-40be-a982-d377bff10558} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 2404 20cf19e4258 socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.2.2014305611\297772887" -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 2948 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e90acf7-a682-48dd-ae68-df0e79bcdfea} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 2992 20cf5bede58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.3.327274819\375365356" -childID 2 -isForBrowser -prefsHandle 1364 -prefMapHandle 1044 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {040dfcd4-7f20-486e-9339-c34c652f1251} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 3276 20ce5262258 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.4.1387585847\1250172701" -childID 3 -isForBrowser -prefsHandle 4796 -prefMapHandle 4208 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c536f2d7-4f2b-4f02-b5da-affcaeca9483} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 4824 20cf5b82a58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.5.2112396667\1041049625" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec6ac0e6-dd20-4a03-bdbc-0d171999c486} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 5012 20cf5b82d58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.6.1205645123\1838516942" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf08697c-131f-4bc6-8687-1e8ba5bc5cc7} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 5112 20cf5b83658 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5436.7.511776159\1699980192" -childID 6 -isForBrowser -prefsHandle 5848 -prefMapHandle 4712 -prefsLen 29615 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45a0ac59-ae93-4c52-8874-10bc688eb89a} 5436 "\\.\pipe\gecko-crash-server-pipe.5436" 5804 20cfb93ba58 tab4⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3788 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5760 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2c8 0x2f41⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD58abdeb84c9fb85cc1635ade2cafc8031
SHA1958182897e3f234e482b1030d3e53a0d04343568
SHA2563a7c21b2895769538ec8f091c9c8feee32f5135c7e7ab0e305e0e76bb96f2d91
SHA5121e47f1f39438c214b7be37869d60970b0dd2888039c5692221918ed9dad0a012fec1b68c27c6d769f37606d95abdb16eaf1fa5a361064b347e9cdf0ed3d00470
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
2KB
MD5a4e17dfdf1f017ce5422764e270251c2
SHA1b6185dd6a791e7426ce073177097e2a29770e666
SHA25618851bc41aa1745edc54f9145de3d584b89ca26f02ad30c1d1874a12e43a3a33
SHA5122742e323cb50ea54fa0ce9ef0c6415f3bdf6800cee91b852d0545f1d84414cd8fd92a010379684bbd744c98b88680f35f5f8ac9943d071ce32a2a6eba4a050bf
-
Filesize
11KB
MD52d1006f4de79bb4fb6efcd8ef3797847
SHA145038ba2af94c59b715b073fc03e8375b045a0d1
SHA2564bcbc7a10934920ffe68e9c4ac529213c185e5f9b69366b865d5e96f2665e3ad
SHA51266047499c79bd6d3bfc1e46a66787e7ad9cb9bbf9123501d35d5fdb87a78043348868a934f69ee237203fe25a12ca4320358bfc7b8009b4ed4da0da1b237c08d
-
Filesize
746B
MD5be1e0ee7de671035be46094463e82108
SHA18af83728188e3efda7fc2081159555a9286c1e37
SHA2565c9bd5d546001d4eafffa7b228fc8b7c903f999d3503225c949e8f57503e240c
SHA5120547f31853f434b4bea8483479e9fe18bd8d0a2f87811ceafff6baf0f421bcac6590c68139a7556a9d3e76463bb3f9f24177153750b7e166c18e856ff1b5f26d
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5641f3ebd34b40a5081245fc956d43059
SHA1a0cdbcb1c4f37ca9b54ec6f57635308a16d23ef8
SHA25634becaec46a462a8c07d15a947da23f5dfae51c8ed49bc84965e126502b7fc8e
SHA51294b32c8e70ae890cc3cbe872e4a34e7f5532937cb9bf5adcd5d413de4072f718874591c1ec6b2ea8c46fd42481fb615b684b52ea7aaa75ecc09e3bcbc2ed2ecb
-
Filesize
6KB
MD5c4973c460c7a6340c4ce945663151dee
SHA1992ff97e35f2a0931883e33f79e87618181a957f
SHA256400012ff0b3986fc87bf4d5bdddb82cff4f6b08288e20fb1cf7704f0bad057f0
SHA51221217dbf7b6e5c4ec13fcd6c07ed3397a3a05cffcad8a505200cd3e61d097bfccc7755346ef0bb7f3cca5118036497d1cfa706e100593c890b98260d80c07ea7
-
Filesize
6KB
MD5b0050656ae66c3b3499cd6475cb557bd
SHA16603cd9322425d5cbc94811f9c867984fe0d6e2b
SHA256da8278d5bf1ed3d3cd018910397cd0e44550e6703e73dbcdfd0a46efc8df7af9
SHA5121971c0faba3bb100eb565b0e291d378f6248809892e4be6890f76a7eb427716a8a818e7365afb7a782cfec53f5e71ee8d511049ac58bceabe9b0a8183843793f
-
Filesize
1KB
MD55d3546b380662ec8e2db8e97f631334b
SHA11587c12a27799f90d48893fc174022ff7a9788b5
SHA2565eea949e0f38197c766a8fd4c28c88576291d1750597c5cebc95b9ed39cc59d5
SHA512faff51ee821e0d9d9466b01a488480a596db45a659c325be3a37583ce134fcb7ce27aeb52830648a75e3995cfcd119d963059c354226028dc87a769abd479bac
-
Filesize
1KB
MD5bc816e63f05e76fe0b5066c1cc0d565f
SHA16a80da7221b5f502691aa1b40b7fb30bcbdb5971
SHA256d34697ac68e22121e885a241b1cb459c357e1620ae1538d13752b6287394ded3
SHA5120f567e898f7ba46aa88d69d11deb224ca2a6f961ec0a56681b330cc8e2fcf182ad59b06ded6b97e83d1c8fb0c7c72a7d9b5521cd137ccfe9ade23ce43755e2b1
-
Filesize
1KB
MD5fc8215557a923302980db262fcd95085
SHA10cf793973f1fe4a5d007cf38c07e4382cc70b06f
SHA256d15f7b95f8db0eaabec3f7be0b8fa433bd03703c054fd7dfe8868f5055bb629b
SHA5123d3fc6ca15c58d94795d476cfce42c43f1e07e4f861d2654fadaaa72cdfea41d1183de1b1a95ee9e09e67af161d60fd11e5e483a74050909a1b72e1b34fadf1b
-
Filesize
1KB
MD5a36ac093f8d7470f87cdfeb17ac0458c
SHA11d715352fe622cbef928eed10684bbbb5a7c41c7
SHA256885eb30e6e79188984466a328d38550fa19587d70b7b53d66c79d8c0b776128f
SHA512265d7075cf5b22e3007016ea775537c4063322db850fd07493291d2b31898be0516330de2f4cb1458f29baee17a050c142087373434bc1ea3e6fec807ac42909
-
Filesize
184KB
MD574381421344e2039312bd4f0e94751ae
SHA1f934e48c195eeaaac90f5ca989be9029675a465a
SHA256b83de69d54a1283d5068b281c54cdf8092235010c7a789713218fe62b9bdeb5b
SHA51265bc7b5dbfa11cce664d71b7021a4c93009b8beefccafdf033955b974b68ed24b1d7b4695cfed63ec86b750c2800a9cfa50fd9cceaf70dca3a0f721445e78603