Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 11:59
General
-
Target
9a56d506889bc7c1904d4869a9e21e383a6f66eadc0dd71191cb74d3a2ed20b6.exe
-
Size
89KB
-
MD5
b4e634baeecde29b2599537d357f87a7
-
SHA1
29ca3fd61d1563184e8c6353520ac2b0b82c81f5
-
SHA256
9a56d506889bc7c1904d4869a9e21e383a6f66eadc0dd71191cb74d3a2ed20b6
-
SHA512
c26d975be9a020a11248147526d1bc0733e62e4dee1cf146775cc463419161e9bad886c4a5fe56d4608f03540ce1655abd250d90f1fb2637cc1c597f6b61e64e
-
SSDEEP
1536:lr9RFbR3XfYFHuI2Zod8+7gTSaSMi9xfQb+ng5aOmTcuOiFeR7Rkxr:fbR3XMuYd8jV5iQb+ngQZhYRV
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a56d506889bc7c1904d4869a9e21e383a6f66eadc0dd71191cb74d3a2ed20b6.exe"C:\Users\Admin\AppData\Local\Temp\9a56d506889bc7c1904d4869a9e21e383a6f66eadc0dd71191cb74d3a2ed20b6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\oculta.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\oculta.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\3988376\Win3988376\3988376.exe"C:\3988376\Win3988376\3988376.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://server.massgravs.pro/index.php4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc737a46f8,0x7ffc737a4708,0x7ffc737a47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8855350172512750405,4948174680654108779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:15⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.8MB
MD5a83f105025e40d95a9de06ed52026439
SHA1084032f9f86e80081a3312423891e67f23cbc753
SHA256f7822fd1f8a9a66a2d4ec56e29cf95c43b9f76c3dc27a261ea2f7dba85f89db2
SHA512e3698fbbf8e1ac7b55939266a76ea00e287be8af3873e99e2c705a51dd2088eb6e9b3be4172aeeabbd03142874bcb6495e759902de49c05b4b0c79f07953c801
-
Filesize
152B
MD54f7152bc5a1a715ef481e37d1c791959
SHA1c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA5122e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
-
Filesize
152B
MD5ea98e583ad99df195d29aa066204ab56
SHA1f89398664af0179641aa0138b337097b617cb2db
SHA256a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
-
Filesize
216B
MD55a8a1babeb6e62d061608c54704c92dc
SHA1ee6ba44e814b8eb96245f20914b374349bb08433
SHA2567beeb19a46575b420219ef09844bbf02b848907d236e82edf271410b1b82b0f0
SHA5122e85f2ad5b5b0a026a28734d6101e194feabfaa135de3ebde82e3d7a4aa11950c496c34235da6d9ecfb86af1cb66a448a02a7c8d1aa644c611e28250caa1ae4c
-
Filesize
1KB
MD53fae1df1ca2ac1d205d96e7f01b39cbd
SHA14d94fb819ac391d7c2b7546a7d1778272d9ef5c6
SHA2566468548744d9cab368d111ddbabf5f14f8240c45ef947a0a43b29a17198385f6
SHA512ca36098cf5c3258df30624b7ba4caa1dbf710f7ba770299536d75c631d3ff095c5c5f15bcb43934b2d6113b4ec0a665cd1c7ee6295076f3b41ff796132e3d99d
-
Filesize
5KB
MD5405f4d783b06844f77c3dca2cccbb7e9
SHA15887988b177df09f2f5157d2d2e63df2def5a6c1
SHA256c387fe272abf1934ffe1aaee53efaa83885a46138f50d7769d30eec3d0aa42fc
SHA5126aba48fa1d4a36c922562693852a672fc37955adb8832fffc27ce4e2cb90a16863fc676b69ef3580a5c1f68620da42a6d192cb2222bb00d6a9b9e69f836cc938
-
Filesize
6KB
MD5a11ff97b617dc121d1947e7ebaf4d219
SHA12c508a9f9694f324bb19730d6603c6189331825b
SHA256f38dedbe6f8450e321f80659336e6f7aba17ec074fd2d640a6c1be86e15ec776
SHA5122130b173b56f07e4c8f0c46bb68b295ef1a49cb39acbb27a3c26907e7f704a078ff4bfc99a7137998f55c44b4b33ffba3c1262c6cbe2d06664fef3449a265693
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5de077c3fbb020691903ce1f8d0616c41
SHA1f714f02ba3133013ea377ee3da83aa9eb5ed96a7
SHA25650d1861545e332c06108bac864f8a4b43814abed8d8a504eb7ef4146c930eebf
SHA512d7eeb42e80356aa241fb1a7933a59ca47b08ecb2b88288c620ebce00012f02131e76ce2a27d4e765d6b0959ca9e480c53195f77523c321f9cc3413860dcf3c01
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
158B
MD554c2f3a00d5bc5ffd7f5338b8d7e265c
SHA15c4086ecf9a3508666b1bd4e27ba8f7a517813be
SHA256a6aec3bbc95bc0a300857092e35a602c601397eefc8565f2bc42e7e77df1eddb
SHA51205bf9854e0ba84f12e7ddbaf14886491d98a832ef3287b3affc08079b9d08c88d01c386737a3b3e1d9be3cd8850266bb9ea037269e027209410f1ea6c5cf685c
-
Filesize
1KB
MD5921c2fb8f2423f9fb469e274eed1d860
SHA148bf33a865d9415e514281ecb48ac8e8e43ad4bc
SHA256ce0bd47287e5b4ebe9de5d050e27e36ba863af9a9b21c52a3e8bc5f135252220
SHA51231d6a485ff59da843ce4048322d4357ec1eb832b7acb0bff4aa6a9005efdd26be97163cdc5e8da30684ce2b45b72b1b9d02bcec800c7726b26fb52f6dafb16db
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
14.9MB
-
Filesize
68.2MB
-
Filesize
14.9MB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
7.7MB