Analysis
-
max time kernel
95s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 16:37
General
-
Target
https://mega.nz/file/FOtSDaTa#wnbW6tYGeQTOeNZImagMOUM_ub9UhH4fi6aGMno4usM
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 33 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/FOtSDaTa#wnbW6tYGeQTOeNZImagMOUM_ub9UhH4fi6aGMno4usM1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76e346f8,0x7fff76e34708,0x7fff76e347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5136 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,16074842594699164673,4476517830430529233,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x518 0x4f81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\BLTools v2.9 PRO\BLTools.exe"C:\Users\Admin\Downloads\BLTools v2.9 PRO\BLTools.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\evbFD4E.tmp"C:\Users\Admin\Downloads\BLTools v2.9 PRO\cookies.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BLTools v2.9 PRO\BLTools v2.9 PRO.exe"C:\Users\Admin\Downloads\BLTools v2.9 PRO\BLTools v2.9 PRO.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
Filesize
72B
MD5d840a494e8ad36b049b7725357575e55
SHA16b8e31bacb13ca7fd184979a869ec95f041bcf63
SHA2564dc3a8fdf4dfd01a71482cc5faf85ee847e99f61ef824d46263b8f4585947c50
SHA512c96c0a11a004fac12ebd9612bcdef611e52c836869cbcfa1d7c4d17a2dea9b6fcebbe4923c941c45af6923694eb9116a7fc5a917b377609fc707601c8ce07a63
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
Filesize
6KB
MD5b6baf347a2792051ac10072d3b7fbfb5
SHA1f4d38d140bb2f99a4dd290b9ac6bd2d96e667b10
SHA25624f2c7387b1b0e5f28eb509f88607f82cd975eee6b47c5215bad1cbda946ff0e
SHA5128ad58e4ace7a576133b98d448d1279d4ec74ef1840825dab043dc4b8e90ae84c7ad4dd3fc4ab7eddd640fbcb1046da2fcfc56652646002a8ccfbdce31740e693
-
Filesize
6KB
MD597407bc5aa8af0e1f9dff8f593c2a65b
SHA18729f2e273f580db6f3ed6851076e49f10819d15
SHA256a4257b9ad36a7e8ee5f0ba9b3d001a0db73dbcb256ef7e8f0b0154eeb2cfb44b
SHA512c74def0155dbec817c6e84c28c94ee018607bfcc4953a06b733dd1be57948e285c7f4e50f0885173d5327aae80eb826e6777deb53069828e516f6e44acc4784a
-
Filesize
6KB
MD5a3d8aeaecd38cdb0ced7116d07b39285
SHA11b22834a808d30eebd50ce3fd795b2705e1b3c4f
SHA256b9e6732b4e068ee10733ccd703d11f960e9578a5593ec9a34921a9067f418d6c
SHA512b3aa07a461108935e06032bc09a735ad8215b24b5aa2ac0f6c27b7576babbab80d54f4397ae6bd91341d9e17567994039cca51135b6919adf7b499903ffda798
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
72B
MD59d4c2a9e6dac38e7d6459e018715a5db
SHA1c2c1a93224e5722ce933373812739acedc0efa84
SHA256706e199db0763a2f762b25f1bccf1ffad4daa9c062c822e2e1407217e5b8a74f
SHA5128842c7faef1f12053deb69a39da3afa43e0b48aed3277d73fb2fb5123f39baeb1b8b355909e0aceb52ef32b8dc38a928699cf2d4b22b5dd51422748c37a8022b
-
Filesize
48B
MD5427cf27fc1d32f4ae9d4f806e3d7c2a1
SHA1df536f03e77c1b34d81afd13731e5d9d84c19199
SHA256ff45015ab25b7d98bdb5ceac2ec95cc3f2a69b7912a9d3179d31a772777cdf77
SHA512f44f99d7493615c7bb8d3d513a2e990185befb0bcab3a546c6180201a86608fc98cb6dfbcd2311fa662ad3eb617664f0cffc0cd03a3634688c839f066255e69c
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5ff172ec41c5cc921ac9c08230e899fc7
SHA1cd185db8ba784b7163b0295d4413cd2d928c5ba4
SHA2567b230a48d95e46fa256c94b922a550e5eb3a5d3da11bdd674e079cc3784fc61a
SHA5127724fb1b9a57c2d16ad8ff38da501c4073394635e7844b4560f78339c9470fcf237f9738c7a202377b43c28a6e170db71fe566499e2f3d1c757e4cccb831e330
-
Filesize
11KB
MD5c6240cb490790f8f0e97b7e416d08415
SHA1aac14d3badb8889a6c4fd2366a0929274939bfa8
SHA25697c6bd17249feb4a38bb375b86019472793b01d557963adaea91c309a45dac81
SHA51281d9b1b2eb39c7fe112d894e59d87054149efb9ab55a67391e58e37e8df4a460f8e3675d5fd39ce59ef7549b4571a9b9fd4a663c0817bccd943d445bbc9ca717
-
Filesize
1KB
MD5db06a35e2ee985807f483d8413871491
SHA14c7d6bccea5ddddd9b0d19c6f9d7b7852b896987
SHA256863d00444d1ce2e014b025f9fc84ac464c2ea08955edae963599a66b3f1dd95f
SHA512a2519b47d05e5e5249ecd4220b4ed94cabc1c7f82d238d0442b32b6a601d908f0e804414dfdec15c1e7d87e1cdbb8fa0bef7a796c405aae28273be339ea8c1a1
-
Filesize
1KB
MD5b8152180651818ef0e382061760fae83
SHA15aa82224ab08cd413f39138ac5735d412b386d17
SHA256c1d8fa3babfd42de6cdb8a58ed9ab18ba420a5009e4702619441356cddc7ccf7
SHA51299dc032861e0d799ecdb457b4bf3ce5eb317c1b56f46c0457227b6bc425fd9019b8a4be4fb106c5e73c9c4b4b80e9ba79bc78502c98f0b1d34eab90a342f854b
-
Filesize
8.4MB
MD58f8ce924fb6347bbf49bd053b2962055
SHA1de8034918d4988ab54c43463650af99e40a1ef8d
SHA25659c7c798a4c51f32221a8bed581f00f8d6eaa21d2ff4065b41694021e1826067
SHA512b2cc3965b791e1bd5bab491cde474d25dae5091e96a0faad5abfc84543a61a76df23c89ca866256e81ad18d8881ee5ec42f0f6478b0c872a2f3af5db0761c17f
-
Filesize
3.2MB
MD58c949c1a3189fc8845f22295ee72a150
SHA11df3585b887e077251008c68f233f128c08b0b74
SHA25653b6b47c5dbfbb8ea17990309e9549acc44d8b5d4b1c9e76ec754653f5d31870
SHA512b27d485b3cd4633edb245659c581458f20b67859f4e7d02205a68824d41dd216882989a807c01d5468e3f99beb78850fa7aeb217f7b8ac8ad30f3a652fc24066
-
Filesize
6.2MB
-
Filesize
844KB
-
Filesize
4KB
-
Filesize
6.2MB
-
Filesize
6.2MB
-
Filesize
5.6MB
-
Filesize
1.3MB
-
Filesize
128KB
-
Filesize
320KB
-
Filesize
9.2MB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
744KB
-
Filesize
584KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
7.2MB