Analysis Overview
Threat Level: Shows suspicious behavior
The submitted URL https://github.com/Endermanch/MalwareDatabase was found to show suspicious behavior.
Malicious Activity Summary
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-04-24 20:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-24 20:37
Reported: 2024-04-24 20:39
Platform: win11-20240412-en
Max time kernel: 66s
Max time network: 78s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Temp1_Petya.A.zip\[email protected] | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584647130030254" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Petya.A.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Petya.A.zip\[email protected] | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4661ab58,0x7ffd4661ab68,0x7ffd4661ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1748,i,8785330492500202939,12879468434227532334,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Temp1_Petya.A.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Petya.A.zip\[email protected]"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| GB | 142.250.200.42:443 | content-autofill.googleapis.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| GB | 142.250.200.42:443 | content-autofill.googleapis.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
\??\pipe\crashpad_1644_KTQRPPMRZUMXFMIS
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\Downloads\Petya.A.zip
C:\Users\Admin\Downloads\Petya.A.zip:Zone.Identifier
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585f42.TMP
memory/4036-310-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4036-311-0x00000000022B0000-0x00000000022C2000-memory.dmp