Analysis
-
max time kernel
615s -
max time network
1608s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
12/05/2024, 15:16
General
-
Target
https://cdn.discordapp.com/attachments/1174429754988965959/1239233997037506711/PNG?ex=66422e18&is=6640dc98&hm=f4710c03c9b9a35d327c8796bbff0708e031d81b2f0eae777a1ce8a50a36ece6&
Malware Config
Signatures
-
Drops file in Windows directory 5 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 15 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://cdn.discordapp.com/attachments/1174429754988965959/1239233997037506711/PNG?ex=66422e18&is=6640dc98&hm=f4710c03c9b9a35d327c8796bbff0708e031d81b2f0eae777a1ce8a50a36ece6&"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\PNG"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\PNG3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.0.990700767\448836028" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5080507e-0510-4417-9734-0ce7743418c9} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 1796 1e4156f7058 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.1.533543485\2036466381" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98febcaa-b843-4cbd-b153-953b772e975d} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 2172 1e415603b58 socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.2.765803446\1960703622" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 3040 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecc82e38-ae80-4472-bdad-d4f5d97fe491} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 3016 1e4197d2658 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.3.1117153296\126217194" -childID 2 -isForBrowser -prefsHandle 3276 -prefMapHandle 3224 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {303cdc19-75d3-4f39-bb53-9bcc32eb42ee} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 3464 1e417fcff58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.4.1480204594\215181855" -childID 3 -isForBrowser -prefsHandle 4708 -prefMapHandle 4704 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a8e560a-1f07-46de-9041-3cf7ad2ffd8c} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 4716 1e419fc8a58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.5.1757832415\235897642" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4836 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e6f17c7-5d5f-43c3-abb8-07d4832064c0} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 4716 1e41b8c4e58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4092.6.180574795\1706484080" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1252 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04ecbcb-ba62-4d63-ba1a-a5fa29208c64} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" 5016 1e41be99e58 tab4⤵
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\RestartWrite.dot"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ConnectMerge.js"1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\OptimizeExit.mp3"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ReadFind.bat" "1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ReadFind.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ConnectSelect.jpg" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD524f055c061cb540ab1edb2d163ee7bb9
SHA1a87cb4e8ded24a2c92ac02896416859f05099c8f
SHA256909322ba78ed73a4fab41e5aab4481e4a31dcc33f787bee5af66c328a8121bcc
SHA5124012f182972698a179fcdd47422da312384d26dca6b0bed5ad15fdc1b528ac5bd685909c38981e2c68b66a4c14df5e59f096ac7557d4e0470bd401da8ca6709d
-
Filesize
404B
MD50dd9fc4fa79615f7b7cf423e9b745d8a
SHA1f06c7d514abf02d3de6293addd777426c5be2c86
SHA256f1fcb2926e6bc219ba486c757819f0d97c09b65fa08ac40d9030a5441d3a6450
SHA512a1d8be838077ad48f278f44855aba74a76540f4f05dfd83657df0c9d004cc1dc01e5dac50425636c98f6e21a3331ce0db3ffd8e5f5b325ba0ff16f48ed7ba66d
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
233B
MD5d0480c539c48d289180e19019e15cea6
SHA17d44fb9223225362beb4ccb4458e2c05970d8969
SHA256ef9f05c28cea02e4f9699f025a781872caa4b9646bb94d22e895d1115abb5822
SHA512880a12c0742b667aac9ebeb10c6fce734f6e74bc05d34a216dfe516f478066269725a3e34dcde2383ca0eba868b00b322f7d57060b8bd142e1935601b8bb0653
-
Filesize
2KB
MD5404a3ec24e3ebf45be65e77f75990825
SHA11e05647cf0a74cedfdeabfa3e8ee33b919780a61
SHA256cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
SHA512a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
16KB
MD5cbbf4a32798002f536f76e46b3d0056c
SHA16a2aaf8e2e322973f3e9e5226317dc90d39227fd
SHA256e4bd48d6e534fcb34f833f7ccb56dc84b2f70170c842f1bf0be7ca11c4bd5c27
SHA512dcfe93034e154cf1e72f657861b0de604ac82fb623241ad3e898bc3e18a24c0f5a08787b71e164760288301a0ec2996c8e040df463d5e54437f8a3d466ced122
-
Filesize
65KB
MD5bae74301785767897ea813d1da790e3e
SHA1670977a9e4df1ba075774c110cb01e521dcd728e
SHA25697f8e1d9d572cfe3a4eb55fe1430357ed4d476ea58d71010cf22b25474f2f26f
SHA512603f74fb5f44b9f737d2b4b754c999039a440ae56b448e6564b8a3b797a4338acb224e02f49926a2fc08eed6824d54fe2c23cd8ed0d31e021f8d5e3ee0dfcaf4
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
261B
MD5b3ecfc35719e1070fa1c7610beb8dfc7
SHA1c00a1612ea1bcc11dcf856095be77cd78084e7a8
SHA25671b477143c04734ea38a24c9b91c40905332ce2b9e3b979782e4dbd3a77f73d5
SHA51291668f70741a3aeb23c145b414eb17356be02fb41b9265211069e21079a859d65b8bac8197d460300e3898d650bd471e122d97b466a31896ac4ca06240fabbad
-
Filesize
2KB
MD5c525a91d0bbe3a29450ecb933af039ad
SHA14d6c88bfe74a2018f09c3e7534a331947fffc3e3
SHA256389b8032854ecda51830486b9e942bf2563b3060396aa44083a08896c84e6262
SHA51223c06961388c487fb62a0100f1f0f068448809c45c6c4af6b6a5e8b59bc14b039c91f3b14d9893f506edf72d16785930be1bbcc3150a2a75bed59a75197b8e93
-
Filesize
10KB
MD55d114253d8ab8379180760b820e35e7d
SHA1fe6fc98c8046498dc9667ccc5587229ec177d455
SHA2562fb819d69b480818d0bcdec46b62c6aa98db454003e5db895133308d8097eba9
SHA51226d8b8b60e9941c3fb6af27d57a62caddb363d6cf4176339d1dbf8c01b0440e4b6e2251408a2a33b3d0f79a11d29f78822e55c5ccd39420822e7f7a5e9647293
-
Filesize
746B
MD5955daf5e56732c0d9580b03e229f6de4
SHA16b0f585f19762968bab337b93c1538c9e4287ef5
SHA256b98eaccee934e49f177cf67b91a8766ed3f3132d474ff9eba6155184f7ce7bce
SHA512e9f7994759d81b06cc43760244f628c24c3c661896d809c20c63905d30d5e181129f4e1b7d27dc22aae0b9cc71a6b0f0c9886e1ac1c03cf934dcbe6990df28e8
-
Filesize
6KB
MD52b40eb78ddf719afd85317c7428376d2
SHA17a1f355aed08df41b257dde91acd89b06d008cce
SHA2566ef5cdaa39481d57de60fe6fb1816244b7a32391a533fecfb31eb466ce409ed9
SHA5121a51f57e8b4e48a5d0fe0b501f49002f8e1eeeb26ae7cf8d189261273462da3ddd5fb4ef70051a10620914191eb4443658904b9e075201d82d73d56e722cdcaf
-
Filesize
6KB
MD5ef26efc3bd66df49cb44452e34a859c9
SHA169c1b9da82b17ecd49a964ee318076157695739e
SHA256aebe8fbb9091159c4709081f2b77618e3ed61cceaa4f59b24a750c4e12e4d176
SHA51276ff106b57b4416f821da2a6e3b751dce7672acbc082c9431164db40834440b15c1a619c87601dc81c01e9c1eec236b7b73595cc6d698045e209bce05bf62850
-
Filesize
1KB
MD5f5fac0ae4e1e290e3022d264b2076716
SHA10cd9f5c8f714bcdc07ec65261f58e789b35caa9a
SHA2561ed79886dbe57b0dd46f29d3105f8f054c9e79d36cb9ffdcdbae4603c94fc51f
SHA512f4299e4ea7bb55985e55ae3f52ef20f808dcddc1c1037d4355f946148cdf3f195346aa12c37d5f3cf124502b2d89c14e169b4dc6861463cb6148cb8badcd11a2
-
Filesize
1KB
MD509dc80e708f19a3be6ef155551c95d58
SHA1c25b54703ed380a6317f72e995f7e5454da750ce
SHA256a2009e4aae56ca0a18672c3c6808a2df006fb8700a2db8da3e9f8905c6d366c1
SHA512cf0240bb2b6c72b5f21f0ff6a48c40794d5011f097e1e17d75c5445edc11de52fe9ce6f548b2d6a4b47d8418a87d55aa2d92d4d9fdec74d896e4c0f69f48a270
-
Filesize
1024KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
64KB