Resubmissions
05-05-2024 08:30
240505-kebn1scc8t  10  05-05-2024 08:08
240505-j1xmyafa93  10  05-05-2024 08:03
240505-jx2sgsbg9v  10  05-05-2024 07:42
240505-jjm26sbd3z  10  05-05-2024 07:33
240505-jdzh1sed62  10
Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 08:03
Static task: static1
URLScan task: urlscan1
General
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: godhuntermode.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files\\SMTP Subsystem\\smtpss.exe" | godhuntermode.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: godhuntermode.exe
  description | ioc | process
  File created | C:\Program Files\SMTP Subsystem\smtpss.exe | godhuntermode.exe
  File opened for modification | C:\Program Files\SMTP Subsystem\smtpss.exe | godhuntermode.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1780 | schtasks.exe
  4956 | schtasks.exe
- Modifies registry class (1 IoC)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A7877BB6-314B-4D92-9A8D-6CD919E6050E} | explorer.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: godhuntermode.exe
  pid | process
  1128 | godhuntermode.exe  (the same entry is repeated for all 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: godhuntermode.exe
  pid | process
  1128 | godhuntermode.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: AUDIODG.EXE, godhuntermode.exe, explorer.exe
  description | pid | process
  Token: 33 | 1644 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1644 | AUDIODG.EXE
  Token: SeDebugPrivilege | 1128 | godhuntermode.exe
  Token: SeDebugPrivilege | 1128 | godhuntermode.exe
  Token: SeShutdownPrivilege | 4628 | explorer.exe
  Token: SeCreatePagefilePrivilege | 4628 | explorer.exe
  Token: SeShutdownPrivilege | 4628 | explorer.exe
  Token: SeCreatePagefilePrivilege | 4628 | explorer.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: godhuntermode.exe
  pid | process
  1128 | godhuntermode.exe
  1128 | godhuntermode.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: godhuntermode.exe
  description | pid | process | target process
  PID 1128 wrote to memory of 1780 | 1128 | godhuntermode.exe | schtasks.exe
  PID 1128 wrote to memory of 1780 | 1128 | godhuntermode.exe | schtasks.exe
  PID 1128 wrote to memory of 4956 | 1128 | godhuntermode.exe | schtasks.exe
  PID 1128 wrote to memory of 4956 | 1128 | godhuntermode.exe | schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE
  PID: 3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4816 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  PID: 1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4892 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  PID: 4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4732 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=1328 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  PID: 3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=4904 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5236 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 4508
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x504 0x304
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6236 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6212 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  PID: 1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6552 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6792 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6976 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 2712
- C:\Users\Admin\Downloads\godhuntermode.exe
  Command line: "C:\Users\Admin\Downloads\godhuntermode.exe"
  Signatures:
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1128
  - C:\Windows\SYSTEM32\schtasks.exe (child of PID 1128)
    Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDE45.tmp"
    Signatures: Creates scheduled task(s)
    PID: 1780
  - C:\Windows\SYSTEM32\schtasks.exe (child of PID 1128)
    Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF11.tmp"
    Signatures: Creates scheduled task(s)
    PID: 4956
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures:
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5812 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
  PID: 3912
Network
MITRE ATT&CK Enterprise v15
Downloads