Analysis

  • max time kernel
    284s
  • max time network
    300s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-05-2024 21:15

General

  • Target

    http://0.tcp.eu.ngrok.io:12887/index.html

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

172.23.67.197:4444

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://0.tcp.eu.ngrok.io:12887/index.html
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6bc3cb8,0x7ffaf6bc3cc8,0x7ffaf6bc3cd8
      2⤵
        PID:3692
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
        2⤵
          PID:248
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1480
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
          2⤵
            PID:2896
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
            2⤵
              PID:3792
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
              2⤵
                PID:876
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2940
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
                2⤵
                  PID:1996
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
                  2⤵
                    PID:4664
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                    2⤵
                      PID:2960
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
                      2⤵
                        PID:1004
                      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2352
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
                        2⤵
                          PID:380
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4740 /prefetch:8
                          2⤵
                            PID:2024
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
                            2⤵
                            • NTFS ADS
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3428
                          • C:\Users\Admin\Downloads\reverse_shell_payload.exe
                            "C:\Users\Admin\Downloads\reverse_shell_payload.exe"
                            2⤵
                            • Executes dropped EXE
                            PID:1776
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
                            2⤵
                              PID:2372
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,8746910226155442674,5681561682248113567,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6420 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1392
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1356
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:480
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:224
                                • C:\Users\Admin\Downloads\reverse_shell_payload.exe
                                  "C:\Users\Admin\Downloads\reverse_shell_payload.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  PID:3800
                                • C:\Users\Admin\Downloads\reverse_shell_payload.exe
                                  "C:\Users\Admin\Downloads\reverse_shell_payload.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  PID:4620

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  0d84d1490aa9f725b68407eab8f0030e

                                  SHA1

                                  83964574467b7422e160af34ef024d1821d6d1c3

                                  SHA256

                                  40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

                                  SHA512

                                  f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  0c705388d79c00418e5c1751159353e3

                                  SHA1

                                  aaeafebce5483626ef82813d286511c1f353f861

                                  SHA256

                                  697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

                                  SHA512

                                  c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  288741a8bd5cbdf7b0bb8bcdbd67ea17

                                  SHA1

                                  5aa4adccad2874daab50c904674cf86ede203294

                                  SHA256

                                  b9188c54a042a7e396efb8d93b6b8b6eef123e805acdc98a9e2d9ffb164ebb8b

                                  SHA512

                                  268e530626db79c86f48f4f3d8e9b5c8eb0a0cfe1966d0c7172c89baf1f55952e57637955da15d80d3b7937cbc94c0550cd44595ef59f482118e2892547bbc9b

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  b0bc6f97326c4ba9aeade548c819183a

                                  SHA1

                                  81a98eddf60d4dd2063a71cf229350965eea97ac

                                  SHA256

                                  a9e9803f8fe0d4b75c0d137e1850c49d85b08714b8a65194dd6502b1f310acf4

                                  SHA512

                                  912042b45608ffe5228f0057e2c1fd6f89eb058d28a56e83ac509f58274f126fe3b8621fc079edf0bd4d573bc6fc7acdde37b3ebedb6df161bd6ea0a351e5bd3

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  b465766b0dec1fab41c58f9a813a926d

                                  SHA1

                                  b40813f357ba9b6425f4b38b1e6eaa65773ed460

                                  SHA256

                                  4592e8f5571be06b6d07e60360dec31520489ee8fc7bd3e4615d0d2d99c2aa95

                                  SHA512

                                  df818b7f624ac782cbe36bfff1766ae4625d5f3baaf419fa532d4ca27b1855dc8ed2de5f1560c2d3b31ed018255ff7a7dc86c63d6a7dacea8e5a9cd23137a3e5

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  46295cac801e5d4857d09837238a6394

                                  SHA1

                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                  SHA256

                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                  SHA512

                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  206702161f94c5cd39fadd03f4014d98

                                  SHA1

                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                  SHA256

                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                  SHA512

                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  50ad53746060bfcb0582471116cffd29

                                  SHA1

                                  0f6f4f7acfb82673e64fa73b285ff7ff10ca0fd0

                                  SHA256

                                  832bd25d155d2ec7d97b8817861f832937fc5094a0be71d44aec410021c8fb15

                                  SHA512

                                  2a8dfec44d7a536699828ce5e4e2ff13ebc37d2c96bcf0526406100b7567ff71c09ca4448ac7c106e1aab06979beaafaafb0ea101e564e0787dfbc99c32a4e8a

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  c562096d8ac3beeccc19d27c69aa9cd9

                                  SHA1

                                  776635bbcb1fb1e0ccb17e5869d41e0bbab61534

                                  SHA256

                                  0b7545cf55a08d2e48762a52a067f597a68bd15c012726a9c435c2069b92fe33

                                  SHA512

                                  2fe1343d957de1500edc93d8298785b66df537e5e850a3046c9f7c451b910cc5de9e7d7e6e3af3c518f2c4a071b8f6fd82f847eabcdc31890e6d49a7c596185b

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  12KB

                                  MD5

                                  269c1a8efbfcb9ec2d2606e565aa8a0a

                                  SHA1

                                  2f51e71b82dd89a132ad500493be6a3665b884c1

                                  SHA256

                                  27796e5901a66e911d259947b4faf9f1e6f808b8a479fbeaa81a28fab9ccd7ee

                                  SHA512

                                  e833c17ca0b6106a715844b631ab7b33867a1e4aed015a397afde326cef7d019ba3c03c145a6af81faa35da85d6046fca3c019ed8f38dd2c73ad201ba67daa5e

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

                                  Filesize

                                  2B

                                  MD5

                                  f3b25701fe362ec84616a93a45ce9998

                                  SHA1

                                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                                  SHA256

                                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                                  SHA512

                                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                                • C:\Users\Admin\Downloads\reverse_shell_payload.exe

                                  Filesize

                                  72KB

                                  MD5

                                  fe913560c7f74dde2611fd09a5f96a21

                                  SHA1

                                  8d850fd496b986b5524028fe00943a1954537145

                                  SHA256

                                  151b0aaead22c215b5c4fcc0bba5fbbc677354d45f9c7c70ff9f9f75c440724b

                                  SHA512

                                  7f7a4050a3bc469056935feaceb52f8c0999f3dbd15359e4291b0d1c09b58bba7dd0db5b2f44f78d6e8b1daf8b8ec60abe9546eb3e46c4f94b4920199cb7e8b1

                                • C:\Users\Admin\Downloads\reverse_shell_payload.exe:Zone.Identifier

                                  Filesize

                                  147B

                                  MD5

                                  c66b75c7baff86cefd9319434ff4c29f

                                  SHA1

                                  593d54e85d17473fb30d76ff9bf850c5794f861a

                                  SHA256

                                  ee33f887dd5e1b86892801d9b559af2092563c1a22cfe5c5e40034691a207044

                                  SHA512

                                  b8832a8576e425f288c625f1db16ad651fe5864d595c25c3a52db97a2769db9b6bab57ef6fd0df1530f47bf4759f9fc0cfe61bb82faf87caa91cbc4b47d4eab1

                                • \??\pipe\LOCAL\crashpad_1892_JLVSHOFIGCMOOASO

                                  MD5

                                  d41d8cd98f00b204e9800998ecf8427e

                                  SHA1

                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                  SHA256

                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                  SHA512

                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e