Analysis
-
max time kernel
20s -
max time network
15s -
platform
windows11-21h2_x64 -
resource
win11-20240319-en -
resource tags
-
submitted
08/04/2024, 12:11
General
-
Target
https://cdn.discordapp.com/attachments/1221201304291119135/1221215023745990807/Dox_Tool_V2.exe?ex=6624391e&is=6611c41e&hm=267bb35c29af87ef626c7c2f3b8ab0a0999b21ada0ccc8507635309414b40c6e&
Malware Config
Signatures
-
Downloads MZ/PE file
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1221201304291119135/1221215023745990807/Dox_Tool_V2.exe?ex=6624391e&is=6611c41e&hm=267bb35c29af87ef626c7c2f3b8ab0a0999b21ada0ccc8507635309414b40c6e&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8627d3cb8,0x7ff8627d3cc8,0x7ff8627d3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12306774842385628716,9896058178325313528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54113e45804b7888f88ae2a78482d0951
SHA14c59bba45c65ba65aa920cbd4eb0d7ccf517a220
SHA256174195025b51f69ece21274cd7a97fff9f3d9a4bf57185ff3b1297bf2da6d1db
SHA51216355c4c575a162396cf2ca377f586b3659a70e8c1708cad66b74bb3ef66cbf9ed33d9376730325d95420e5f4f558b2bdb6b5b7595b8b822eb6d2449a83c3f95
-
Filesize
152B
MD5e521eb4a4c2bbe4898150cf066ee0cb0
SHA1c2b311b8b78c677b55a356b8274197fdcbae8ab5
SHA2561f947cf3be3f525e3039b9c363bb7d7bc0dd2b70da434149e0f0cbbc5d13dbe3
SHA51259e1b52a41dad2e7f36e0343e330b00bc33a7ba88f616928fd2b6cc526cac6effed76b006cb8a23ff45e85be27647114c7a8376ef3ba53d38ccb9ed4de9a5ea8
-
Filesize
5KB
MD5959e6ebc76482b6811401f91688cca90
SHA1739e57ba2f6ca0910fde11c81c2bb7003f1ec09c
SHA256bfcb150714eb1b3589fdd74a3545c76f43e40d7cb5dda238f213ccee41076413
SHA5129917b0db2beb0c4de99010f869513c9d21ceeeb6fbc8380272f0b324a41247f9a64c69f7e6f619a8589dd9476f6f268adcd97e2c1754f91e8ccd27c03be7a30b
-
Filesize
5KB
MD5f8a080cbb4d1a3170c780139265122c8
SHA11126e34ddff6eb095b70f47d78294eca14a23e80
SHA256cc8bf1ef52cf1d9b92c0070a7e03724e9db60dd38b2676a693af7a6e3dc0f4cf
SHA512143bd489e4042fd0a53ae4505476e4709db8828f117dc4f366d3163c0d48d6088bb0b2fc6c87889b75b37ef8e70ce5062b2e61de3aa82e2b98ee97c6286557db
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5ac7d2637165a54d8f7d3a226665781b2
SHA1471cc2f7d09975ee8ffb69a7b2a7f8a3f6a9121e
SHA256f97586c6b8556b5474887490072ab9c595e7dd5165e37f7f3dbc5d7bff219ae6
SHA512b9569789e32446d3657e24e1f3779904aa7c0b46d7beee1708d2cd555507372a726bf5f6716cdb483fedd880d0ee8b5086dabb090e36a52095f0337a507b86fa
-
Filesize
223B
MD50bb43fca12935f1c698f06cabd9d137f
SHA1457aa2594397b1b0c436f4340a1b91d75d3b0331
SHA2566c5538acbae031c2009fcaf1711ba924d8501ae4abdc2ad1d4139cdf7c97aab7
SHA5122452fdf4e38a2bef3020e75436c5affa6b88255a6ecdb4ec46def664b4ddf2471443cfae825d140e00ef0c9ecdcca4db81b44fd4a0a194c46a402ed1bd0359a9
-
Filesize
180KB
MD5b0424efaadfbf9991e55b397076c8181
SHA1bcf68986d9f98bf5d76a7eba580eb09be05e6243
SHA256dfdb90a7d5e41b030bb8bae6f325688ff3d3b3b2da8c554c34e66dad86cebe90
SHA51254e4cb638c71dd987951619ffb2e1d4f98fab7d75af4c1d39fed30162aece639961863b3caf1ade34f840a02233cf9431d9eb30e76d5a470383392c2fad0bfcd