Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
01-04-2024 11:27
General
-
Target
https://shorturl.at/oCDW1
Malware Config
Signatures
-
Drops file in System32 directory 11 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shorturl.at/oCDW11⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff974f446f8,0x7ff974f44708,0x7ff974f447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x5041⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectRegister.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectRegister.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectRegister.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5fd7944a4ff1be37517983ffaf5700b11
SHA1c4287796d78e00969af85b7e16a2d04230961240
SHA256b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA51228c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a774512b00820b61a51258335097b2c9
SHA138c28d1ea3907a1af6c0443255ab610dd9285095
SHA25601946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
816B
MD55b1d94c69370f9d0fc5ea60e9bad256c
SHA1ea982f1d7fd254ca092ab634f704b8de37899c2b
SHA256516a3e35e4f723ce52408718c567972c23b53e6b30899ea0e807647393e2e0f4
SHA51215093deb78e2cbc27f6d8d6d68783ed586b95467aa3d1af8ef196ccf4c1214f8edd171a1e4e87184d16e64d04b8b482412a94f4c410018e55465844f364b3f5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
696B
MD56c96b683085dc53ccd781308002682eb
SHA115a982d5bae7dbf21b4759fc3418f81beace5d6e
SHA256a110d94357255ab68c348277dcb743b8c7daf4cf6e580908dc12448f083c269b
SHA512c9fd21a11b7c1abcaa8f944fc2aaa6856a2f5c835f97185641f40941fa3699e55719be0803bf4bb87b6a2a7c900cd3c0f4ff851a284e3108ef9b3c646f25e55f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1007B
MD529070ea216a2ec2cdb38ba6fc3c16d8a
SHA1e927f3461de06f5c544ef20390c191c6c4bc4d02
SHA2565f4eb5b1e59bfe06b2164ca43f2f623dfb607c3b556f6749d0ae448fe6bee880
SHA512270700735a09c442244e831104a11198e364e36cfaa6a558864e604654c9f2d4c6e6dc714070c5b47a08f91f124bf3d5fd9c28bca852fb92f2b2bb07bf337f09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58d48d577af7032a3f7d04fc266287cea
SHA1378949f4ff50e4fd8cbc7b4d101f81e4828f8f67
SHA2566721b54d1c8e2d84dead388054fa06143619d109baac17ceca0137c1187d7993
SHA512280571dff934339053a71f934abf67434910a33ca872dfcb6359403200c704259a86aaadee8c41a0376d98b5291873e9d5db375b8df45b4bb9fca66d6433e0b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5071f05bd050d3a70ce40f4a2a464ad46
SHA1f27f067805ccc0154bc7d2e76fa5f7c56bfdf97f
SHA256e2116891350a23f371e557f244223884ee436e15125635a484699e84cb036897
SHA5129b3ba9603b3083680a8b5f70f077004c35ae3f83a0e9be5c31534e7cb4747871220137c66d39cbaa311ef4fa235b39c0ee542db2f7a14759aba65f8e5b878dee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5809ff8724c4f46cdfe3e7dd37898e579
SHA1d8731eefbc209471a9395e3f90f21f54f0f96bf9
SHA2563e7c13b4e26916c0b363a78f861fe92565cc684e870c916f8fcfb95bab22b1c1
SHA5123b63838321c68a2d385d0638d7bbd9ebd423dbb89a420e968fd137c829366b1ac60036f65547d4816c4f938d9606b185ddbc9785fd328ad2459c021465143a16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
537B
MD589f6872baeacd52b56b87c12914acc2f
SHA1e70261a98c7eac5f0041dfe518e6c6427f12301d
SHA256e5f60ad158541ea5f8340e74ee3f5d8b5c7690cfbcc1da7ffb349720dfd5b2d9
SHA5120ab77bfe8458149342b96a090739f81a1f951167a87e58760be7b64fee37e07136acac8bcf7c07eda205896aa6bd8798d8fdd038c8f6be73ba8d3426b692f874
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586c90.TMPFilesize
537B
MD5ecb6309f15e43437e03a2563e10c5524
SHA107b5aa40eab8f2c9649ff16e00bda00aca3f97c9
SHA256fc3d1aef869c14816cf9cdfb738db1b2af7bc0cb779e94e4365080ebca7740a5
SHA512a12ca168e1451a0853063ccc45028fe99ec6f59b2061711f1a0663ee8693f922e1527376ca25c25f0958ab934a93fbdca1a670f80e6082fa84b8e104e3963089
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD59c1ee64bf1399c5c3b77e500b253285e
SHA162bd7ff574b83d478bb678969c10031d91e10017
SHA25670874400449aec65a4fff2226182b36b91f748e289f72f2abdaa77e7a163d646
SHA5124628c8850dd310c7d594f72e27fa45d523c8396681a53bcc3984875be61f0a067dbfc00bc609a0b836321d5c95faac37ee3cde41429a0468da82512049e1abc1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a732ec8004df8fe181b9ffdd2fce7ed8
SHA127cb466f2bce7fab69d3f045f3b35814628024df
SHA256268e98a61bb987812763c1d833a288b03b9a8e8e3de81fd4fb31bfeaf6eb71e5
SHA51219030a237c6643ec01d8fc20934e0aaaea667d6edc82156920c55d1356a89e5a74469a0598318e0457819ee3a2a49b6786c24301baee2ca743f2829f130c24e2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbresFilesize
4KB
MD531022e71e6374bc696748cbf8e22adc6
SHA1f1caf429b3f11cae0b3598edab89af57b13754c1
SHA256d9a7e519cc95441eedd9a0a6c5c5befb675c3fcba0b196e62331a2d592127325
SHA5125c04ffb85321d3d540286de174f092c219a9f6bd0e3f32c9f5986f2e83238303c5770606eefe0caf3848f9cd0dce97b6b713d1b2d771dae97369cb821ca47436
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
201B
MD535375f95b1430c8b11ebeb931fba0dda
SHA15122d139ac357db969c191b941bd479ceb9dc59f
SHA256fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b
SHA512b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b
-
\??\pipe\LOCAL\crashpad_1892_MLMNEPQXDCRTTKXLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1568-467-0x000001677FE70000-0x000001677FE71000-memory.dmpFilesize
4KB
-
memory/1568-465-0x000001677FE70000-0x000001677FE71000-memory.dmpFilesize
4KB
-
memory/1568-463-0x000001677FDF0000-0x000001677FDF1000-memory.dmpFilesize
4KB
-
memory/1568-468-0x000001677FF00000-0x000001677FF01000-memory.dmpFilesize
4KB
-
memory/1568-469-0x000001677FF00000-0x000001677FF01000-memory.dmpFilesize
4KB
-
memory/1568-470-0x000001677FF10000-0x000001677FF11000-memory.dmpFilesize
4KB
-
memory/1568-471-0x000001677FF10000-0x000001677FF11000-memory.dmpFilesize
4KB
-
memory/1568-452-0x000001677F160000-0x000001677F170000-memory.dmpFilesize
64KB
-
memory/1568-456-0x000001677F1A0000-0x000001677F1B0000-memory.dmpFilesize
64KB
-
memory/2452-475-0x00007FF9524D0000-0x00007FF9524E0000-memory.dmpFilesize
64KB
-
memory/2452-476-0x00007FF9524D0000-0x00007FF9524E0000-memory.dmpFilesize
64KB
-
memory/2452-477-0x00007FF992450000-0x00007FF992645000-memory.dmpFilesize
2.0MB
-
memory/2452-478-0x00007FF992450000-0x00007FF992645000-memory.dmpFilesize
2.0MB
-
memory/2452-480-0x00007FF992450000-0x00007FF992645000-memory.dmpFilesize
2.0MB
-
memory/2452-481-0x00007FF992450000-0x00007FF992645000-memory.dmpFilesize
2.0MB
-
memory/2452-479-0x00007FF9524D0000-0x00007FF9524E0000-memory.dmpFilesize
64KB
-
memory/2452-482-0x00007FF94FCD0000-0x00007FF94FCE0000-memory.dmpFilesize
64KB
-
memory/2452-483-0x00007FF94FCD0000-0x00007FF94FCE0000-memory.dmpFilesize
64KB
-
memory/2452-474-0x00007FF9524D0000-0x00007FF9524E0000-memory.dmpFilesize
64KB
-
memory/2452-473-0x00007FF9524D0000-0x00007FF9524E0000-memory.dmpFilesize
64KB