Analysis
-
max time kernel
69s -
max time network
75s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 23:51
General
-
Target
https://cdn.discordapp.com/attachments/1222323813526540421/1231391688841236561/asd.zip?ex=6636c9e0&is=662454e0&hm=7253065b66fee268e1adb7439b6b81752c854c495ee03c912541cbb93faa003c&
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 8 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1222323813526540421/1231391688841236561/asd.zip?ex=6636c9e0&is=662454e0&hm=7253065b66fee268e1adb7439b6b81752c854c495ee03c912541cbb93faa003c&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5ac346f8,0x7fff5ac34708,0x7fff5ac347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2186471624015484631,12473935579300520221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27707:68:7zEvent71751⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\asd\lib.exe"C:\Users\Admin\Downloads\asd\lib.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare Tools registry key
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Shell_Infastructure_Host.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Shell_Infastructure_Host.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Shell_Infastructure_Host.exe'3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Shell_Infastructure_Host.exe'3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Shell_Infastructure.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Shell_Infastructure.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Shell_Infastructure.exe'3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Shell_Infastructure.exe'3⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /Create /SC AtLogon /TN MyScheduledTask /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WlanSevice.lnk"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /Create /SC AtLogon /TN MyScheduledTask /TR "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Update.lnk"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5a43e653ffb5ab07940f4bdd9cc8fade4
SHA1af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA51262a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
152B
MD5120a75f233314ba1fe34e9d6c09f30b9
SHA1a9f92f2d3f111eaadd9bcf8fceb3c9553753539c
SHA256e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0
SHA5123c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3
-
Filesize
152B
MD5bc2edd0741d97ae237e9f00bf3244144
SHA17c1e5d324f5c7137a3c4ec85146659f026c11782
SHA256dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041
SHA51200f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
6KB
MD5fac18663b19543f61f81b118b20b12c9
SHA1413ea51959ce57fa3fff0fddb4285df4961d66e1
SHA25695b7dae39e6e071b2910953bedf75a25854c76385004cf06e9ef8714e6b5ce53
SHA51207447c22ff378a90c5cb137e66f4673a49953cc3280dd4215c0cd7607f31d5070ff1e96870885ca280d14a4ad88cae6d4dcecc5d87cc8d39f05263c58aa0d8ac
-
Filesize
6KB
MD5fc97a5c45590443a551f986be453eca1
SHA1d448323e9c9705c738e651cc213403f0d5c56cac
SHA256e256aad2635a888853f69b9adcd40dd41ab92583bffb6b404b93ed0297efd91a
SHA512eab89df29c10112e933bc151caca0f6aa63b7d1990270e97997a2bb2df4e809d792cf9ef241e847ac4e4a94f19af3cd2cecd2567f42a149c8219c3594b144d1f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5aca5653a588966b288e6a1e4875ef9de
SHA1f7e6c0ce2c86529ab87f5119eb2d4cb9da376466
SHA2565c4bd3dd1d65aa7ed6999248c8657a854a5da1408612e48d1f63f888b9e6ee4e
SHA512b3f18e0d068d2ee07fc79eb6204ba334fcd233105f984f982693902f7b46387f3fc9aa9d6659e4e7c884da590e09585cc14fbe539022fa49d53fa69693e028e7
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD598baf5117c4fcec1692067d200c58ab3
SHA15b33a57b72141e7508b615e17fb621612cb8e390
SHA25630bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.0MB
MD5cffe8c1d346f56d588eda90ddf71285d
SHA1b99d41e61b88945270007a4ab1ce095bfabcaab6
SHA2561342da6c4dc1a39eda298a79f5eb106c4b55849616f05626ff4a28e7d3061dd9
SHA512cd687dd355ba8913dcb93cc1a01a1dc02b11eb0429be6b9ba43ea1f28a424e8484d992b8817143eaa9d4e5be05415f932d9d517198212892632c97de8cf4a158
-
Filesize
401B
MD5cce84e178c937eb1c94d2788e55e4f3f
SHA1036ce01f90d8359b20e89381c722a636f0f6234a
SHA2562487190d49e5be2ea1dddd1c2cdd40dd3e386825c9e821030cddb4a27cb3a0ae
SHA5129e682a750ad0dae224e7a29444e3d744971787f66fc7e31f1c6416beb10ccffda84216a858f380d9d89371588ab3689c52ebb83f3ae169ebdcc5972ed9c90ca1
-
Filesize
2.4MB
MD5d704dda42d7b9a0889ed7be6261a501d
SHA1dd0faf368badb7c9a8f7c451231a241e8c46ed53
SHA256c3d02efa76366350a636e01db6c1ef25dddf4da90661f81cb479092e59bb5492
SHA512ce04f6593b993246c2d78c80b0f5fa0365458ae0d051fa03fa850b9e12e3ff41f3ccff7d9dbacec49e2b38691fc9bf7bd28370f39ee1866cd1fa37bb7c61ffe7
-
Filesize
142KB
MD5a4e6f3e8f04843ae55bbb9dfffb7b9fb
SHA1dfd169cee17fa8baabcdb85438f471813b47246e
SHA25657b6febc0c3c7a11d419209044e1bb62a77ce11aa5b473de768c2826bfe304c3
SHA512039fd0ef58423009c0785ed3d0d7059ff549f48b4ebf616d2c0ddb7ad875fe4a563ce95fd23c1dc894a38766b32b6f12dc5a81e9f354e0e53fd2906d285e41c3
-
Filesize
340B
MD5253333997e82f7d44ea8072dfae6db39
SHA103b9744e89327431a619505a7c72fd497783d884
SHA25628329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306
SHA51256d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2
-
Filesize
229KB
MD52ca0492ceed0d0326f34598d90f194db
SHA1540e2533c7cff88fac45d213cc7531f7ce80d99f
SHA2566226ceaff4b02732740fe70b3a9fb2c9b136255b525dd436190a9e1cda09b834
SHA512c0289490e3888b0afff8b145c312a155c0be9da4c03bb1adad450f8cbc982fc207e46d0a5a14e3b0a46644102fce7ee2af3f546f2b89a2ec31cb7bbb371fb4cd
-
Filesize
231KB
MD59747df20f2de3d2dfc135044f80eb0d4
SHA1f68127c961e6e12fff789f3c734f3ac4a893f303
SHA25605161ad37374c9ca5d60ac4fc99d7339582bd5c0e4dc13f9d1ad6494eb29f4c3
SHA5121d89897947018dd0621a656665efff14cfe807e307f1e2694cf13afa8a3d0a8eff94456b5ebb1d9bb76d062a4438fc6239a4e658602936d214924c29d3e5633d
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
256KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB