Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 12:46
General
-
Target
b4e634baeecde29b2599537d357f87a7.exe
-
Size
89KB
-
MD5
b4e634baeecde29b2599537d357f87a7
-
SHA1
29ca3fd61d1563184e8c6353520ac2b0b82c81f5
-
SHA256
9a56d506889bc7c1904d4869a9e21e383a6f66eadc0dd71191cb74d3a2ed20b6
-
SHA512
c26d975be9a020a11248147526d1bc0733e62e4dee1cf146775cc463419161e9bad886c4a5fe56d4608f03540ce1655abd250d90f1fb2637cc1c597f6b61e64e
-
SSDEEP
1536:lr9RFbR3XfYFHuI2Zod8+7gTSaSMi9xfQb+ng5aOmTcuOiFeR7Rkxr:fbR3XMuYd8jV5iQb+ngQZhYRV
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4e634baeecde29b2599537d357f87a7.exe"C:\Users\Admin\AppData\Local\Temp\b4e634baeecde29b2599537d357f87a7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\oculta.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\oculta.ps1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\1119860\Win1119860\1119860.exe"C:\1119860\Win1119860\1119860.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://server.massgravs.pro/index.php4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd7bb46f8,0x7ffbd7bb4708,0x7ffbd7bb47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9885950212252514907,13794052485696159245,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:15⤵
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.8MB
MD5a83f105025e40d95a9de06ed52026439
SHA1084032f9f86e80081a3312423891e67f23cbc753
SHA256f7822fd1f8a9a66a2d4ec56e29cf95c43b9f76c3dc27a261ea2f7dba85f89db2
SHA512e3698fbbf8e1ac7b55939266a76ea00e287be8af3873e99e2c705a51dd2088eb6e9b3be4172aeeabbd03142874bcb6495e759902de49c05b4b0c79f07953c801
-
Filesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
Filesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
Filesize
216B
MD54dd2778e773b3ecf5b721474cfbfe427
SHA16a5bcf38521e5c799258d1563763676e313c89a4
SHA2565fd691453820d585fa2d7b658c0723ca3d580f3ca43f19ddb1d834a83c539031
SHA5124f715225a00aadf29f69ad5678dc0d3aa2fdec0ee6cd512904412785aa821ec33faf2f2ac0fddfe083bf19e1081442cb23d2307afa8887381315680d48361b47
-
Filesize
6KB
MD581146275252710b9ae4e9d94677f27f8
SHA1257ccd202b50f112d79822ef5fa005b06879a318
SHA256c7e7e8836f440d5a0cf7c10f179732000bb79e0c02a645bb37a3e0193aa6bf5e
SHA5127dcf222b1e4a5a215867053f5297dab81734dd816f11a15117c02b55eb76e537e9632dd01d592199d086186cc54ff5f4ed2539c5d195829cf092fee1845d874f
-
Filesize
6KB
MD50a839e32218fdc602bd019c74071c554
SHA1f6a4a512521a06062ceb8d808b38f5a3fa6c2ca5
SHA2565e0a43f25e84a07695595fb92daf64f649c95ddf7c6ef10f34089d60ad697082
SHA512161db81e573bd7ca071c5b30f7eea5bb2ac3809cbbb50ad417552ffec46048fc21603a08c3b1d7c1d177435fd13e3c1a6311c406cd18c362fd0b315f1535beff
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD553fdda464c6c54e928bae3b0668a62b0
SHA18b8c4f929dfec1cf85503996872cfdeed3fc731b
SHA25682c521c7e8a53efbe92b158aa5067bad1a4e7e969aa7aaa99bba95a0e4783882
SHA512ecb0b216628f09f8ff7d217081a29562ba0e3dfb7f76dde3dd6581391b94721f6e38fc075f4cb2d9ac0827bc39f4e8af64bf7ad6b39de0313d70a9c5fe4fbef8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
158B
MD554c2f3a00d5bc5ffd7f5338b8d7e265c
SHA15c4086ecf9a3508666b1bd4e27ba8f7a517813be
SHA256a6aec3bbc95bc0a300857092e35a602c601397eefc8565f2bc42e7e77df1eddb
SHA51205bf9854e0ba84f12e7ddbaf14886491d98a832ef3287b3affc08079b9d08c88d01c386737a3b3e1d9be3cd8850266bb9ea037269e027209410f1ea6c5cf685c
-
Filesize
1KB
MD5921c2fb8f2423f9fb469e274eed1d860
SHA148bf33a865d9415e514281ecb48ac8e8e43ad4bc
SHA256ce0bd47287e5b4ebe9de5d050e27e36ba863af9a9b21c52a3e8bc5f135252220
SHA51231d6a485ff59da843ce4048322d4357ec1eb832b7acb0bff4aa6a9005efdd26be97163cdc5e8da30684ce2b45b72b1b9d02bcec800c7726b26fb52f6dafb16db
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
14.9MB
-
Filesize
68.2MB
-
Filesize
14.9MB