033f9cc171fd69dfb4f39a0604bfad6b88d2f6b7fa822da133651c9d2bb82343

Resubmissions

09/04/2024, 16:45

240409-t9mjfacf88 3

09/04/2024, 16:40

240409-t6wmyaga4s 3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZBrush.exe
Size

40.6MB
MD5

be16688ae40d87397c29b548bafbe6b6
SHA1

76eafebc769d4200138756c61806ae89b4001b28
SHA256

033f9cc171fd69dfb4f39a0604bfad6b88d2f6b7fa822da133651c9d2bb82343
SHA512

2f7a8312867dcb8aca3b6eb33f8f7cadda151c95de93242c8ad93852373d6cf9249341ebf8974ec3d718b8bafddd543c96179d78fdf36904102479b981d7c16f
SSDEEP

786432:wlRbPpaWtsC3pqwo4WncmI7iA4bB586bw0+XvguL3o132:wldPgWeC5AcZ7iA47kxguLY132

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2952	1288	msedge.exe	113
PID 1288 wrote to memory of 2952	1288	msedge.exe	113
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 3824	1288	msedge.exe	114
PID 1288 wrote to memory of 2076	1288	msedge.exe	115
PID 1288 wrote to memory of 2076	1288	msedge.exe	115
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116
PID 1288 wrote to memory of 1576	1288	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\ZBrush.exe
"C:\Users\Admin\AppData\Local\Temp\ZBrush.exe"
1⤵
PID:2488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultfb25a265he576h428eha1a9hf48471070831
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffab01c46f8,0x7ffab01c4708,0x7ffab01c4718
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16748273486179875584,7471557588426469122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16748273486179875584,7471557588426469122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16748273486179875584,7471557588426469122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\61aa0211-3198-4e6f-b2f1-bade2c625bf5.tmp

Filesize
5KB

MD5
58a3a482e3f0d5581e7113776b94ead5

SHA1
27e632bf1f5e78048c15f016fe949f99f6bac264

SHA256
afd113e5662068242805d01cbe49e9fdeca7a3b7285cee352189807ca755c5cc

SHA512
780f8221df076a3959a3c1097bbafe234a1b286c8942f592da72923e28cc33538e4cca31415bf32cb394b73926acd0b890b45c0a4fa0ccce05dfb70020c7ebec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
09bdf3398c0566d00aab3e43d1d73736

SHA1
a064fcf3d3310cb602cbedce30fed0bada548448

SHA256
4773643d6f9c0bdebbda13e44142b52351b34140e6293606c7fe0c921bedf29f

SHA512
7932cce111b2ae9ee55904c03d80cc72aef9fc1b03cd7bdf9579f9e65df1dab5b1d3a76cd3b8de48eace3cb4319ab89d1e220e715c8c838746f524b47bb1457a

Download Submit