Resubmissions
submitted | analysis ID | score
05-05-2024 08:30 | 240505-kebn1scc8t | 10
05-05-2024 08:08 | 240505-j1xmyafa93 | 10
05-05-2024 08:03 | 240505-jx2sgsbg9v | 10
05-05-2024 07:42 | 240505-jjm26sbd3z | 10
05-05-2024 07:33 | 240505-jdzh1sed62 | 10

Analysis
max time kernel: 364s
max time network: 365s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 07:33
Static task: static1
URLScan task: urlscan1
Errors
General
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: godhuntermode.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | godhuntermode.exe

Executes dropped EXE (1 IoC)
Processes: godhuntermode.exe
  pid | process
  5492 | godhuntermode.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: godhuntermode.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WPA Manager = "C:\\Program Files\\WPA Manager\\wpamgr.exe" | godhuntermode.exe

Checks whether UAC is enabled
Processes: godhuntermode.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | godhuntermode.exe
Drops file in Program Files directory (3 IoCs)
Processes: godhuntermode.exe
  description | ioc | process
  File created | C:\Program Files\WPA Manager\wpamgr.exe | godhuntermode.exe
  File opened for modification | C:\Program Files\WPA Manager\wpamgr.exe | godhuntermode.exe
  File created | C:\Program Files\WPA Manager\wpamgr.exe\:SmartScreen:$DATA | godhuntermode.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid | process
  5644 | schtasks.exe
  5716 | schtasks.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Modifies registry class (2 IoCs)
Processes: godhuntermode.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | godhuntermode.exe
  Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | OpenWith.exe

NTFS ADS (2 IoCs)
Processes: msedge.exe, godhuntermode.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 484414.crdownload:SmartScreen | msedge.exe
  File created | C:\Program Files\WPA Manager\wpamgr.exe\:SmartScreen:$DATA | godhuntermode.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, godhuntermode.exe, msedge.exe (distinct pid/process pairs among the 64 IoCs)
  pid | process
  3940 | msedge.exe
  4092 | msedge.exe
  4592 | identity_helper.exe
  5388 | msedge.exe
  5492 | godhuntermode.exe
  5980 | msedge.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: godhuntermode.exe, OpenWith.exe
  pid | process
  5492 | godhuntermode.exe
  732 | OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe (all 7 IoCs are the same pid/process pair)
  pid | process
  4092 | msedge.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: AUDIODG.EXE, godhuntermode.exe, shutdown.exe
  description | pid | process
  Token: 33 | 4744 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4744 | AUDIODG.EXE
  Token: SeDebugPrivilege | 5492 | godhuntermode.exe
  Token: SeDebugPrivilege | 5492 | godhuntermode.exe
  Token: SeShutdownPrivilege | 5724 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 5724 | shutdown.exe
  Token: SeDebugPrivilege | 5492 | godhuntermode.exe
Suspicious use of FindShellTrayWindow (35 IoCs)
Processes: msedge.exe (all 35 IoCs are the same pid/process pair)
  pid | process
  4092 | msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe (all 24 IoCs are the same pid/process pair)
  pid | process
  4092 | msedge.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: OpenWith.exe, LogonUI.exe
  pid | process
  732 | OpenWith.exe
  5784 | LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe (distinct entries among the 64 IoCs)
  description | pid | process | target process
  PID 4092 wrote to memory of 1852 | 4092 | msedge.exe | msedge.exe
  PID 4092 wrote to memory of 4536 | 4092 | msedge.exe | msedge.exe
  PID 4092 wrote to memory of 3940 | 4092 | msedge.exe | msedge.exe
  PID 4092 wrote to memory of 4976 | 4092 | msedge.exe | msedge.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4092)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1852)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafda846f8,0x7ffafda84708,0x7ffafda84718

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4536)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3940)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4976)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2336)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1616)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1612)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5032 /prefetch:8

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5000)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4592)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3100)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5560 /prefetch:8

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1124)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1060)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5388)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
[level 2] C:\Users\Admin\Downloads\godhuntermode.exe (PID 5492)
  "C:\Users\Admin\Downloads\godhuntermode.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

[level 3] C:\Windows\SYSTEM32\schtasks.exe (PID 5644)
  "schtasks.exe" /create /f /tn "WPA Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp856C.tmp"
  - Creates scheduled task(s)

[level 3] C:\Windows\SYSTEM32\schtasks.exe (PID 5716)
  "schtasks.exe" /create /f /tn "WPA Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp859C.tmp"
  - Creates scheduled task(s)

[level 3] C:\Windows\system32\cmd.exe (PID 5224)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f1492c7f.bat" "

[level 4] C:\Windows\system32\PING.EXE (PID 4456)
  ping -n 1 127.0.0.1
  - Runs ping.exe

[level 3] C:\Windows\System32\WScript.exe (PID 4520)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77ff9d12.vbs"

[level 3] C:\Windows\system32\cmd.exe (PID 1336)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\998beb72.bat" "

[level 4] C:\Windows\system32\shutdown.exe (PID 5724)
  shutdown /s /t 0
  - Suspicious use of AdjustPrivilegeToken

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5816)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5824)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6052)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6060)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1

[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5980)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7965359757898591524,691532444526136888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6560 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
[level 1] C:\Windows\System32\CompPkgSrv.exe (PID 732)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[level 1] C:\Windows\System32\CompPkgSrv.exe (PID 3696)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[level 1] C:\Windows\system32\AUDIODG.EXE (PID 4744)
  C:\Windows\system32\AUDIODG.EXE 0x51c 0x508
  - Suspicious use of AdjustPrivilegeToken

[level 1] C:\Windows\System32\rundll32.exe (PID 1412)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[level 1] C:\Windows\system32\OpenWith.exe (PID 732)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

[level 1] C:\Windows\system32\LogonUI.exe (PID 5784)
  "LogonUI.exe" /flags:0x4 /state0:0xa38eb855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads