hxxps://bazaar[.]abuse[.]ch/download/5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe/

General

Target

https://bazaar.abuse.ch/download/5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exe

pid process

4804 5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exetaskmgr.exe

pid	process
4804	5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

8 7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	8	7zFM.exe
Token: 35	8	7zFM.exe
Token: SeSecurityPrivilege	8	7zFM.exe
Token: SeDebugPrivilege	4572	taskmgr.exe
Token: SeSystemProfilePrivilege	4572	taskmgr.exe
Token: SeCreateGlobalPrivilege	4572	taskmgr.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	process
8	7zFM.exe
8	7zFM.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

taskmgr.exe

pid	process
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe
4572	taskmgr.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/download/5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe/
1⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4436,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:1
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=4192,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=4984,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:1
1⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5264,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
1⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5400,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
1⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5868,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:1
1⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5864,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:8
1⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=6212,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:1
1⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5584,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
1⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5704,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:8
1⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5396,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
1⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5412,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
1⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6108,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6032 /prefetch:1
1⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5560,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8
1⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6764,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:8
1⤵
PID:3408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4456

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8

C:\Users\Admin\Desktop\5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exe
"C:\Users\Admin\Desktop\5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe.exe

Filesize
3.1MB

MD5
0466d2952a01e41b5f8025e7f7c1e122

SHA1
93be3c1f4ee7b10660083a5632857d773571c2d0

SHA256
5ace35adeb360b9e165e7c55065d12f192a3ec0ca601dd73b332bd8cd68d51fe

SHA512
79639ae371de6da4eb3034201b74e04423d7b536334a21b9fd5720abec9dc69467bd09c0b5fc0d44a5c639c2220470116c98933e922a557bd3fdebaa70f6917a

Download Submit
memory/4572-7-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-5-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-6-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-15-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-14-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-13-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-12-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-17-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-16-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4572-11-0x00000294A07E0000-0x00000294A07E1000-memory.dmp

Filesize
4KB

Download
memory/4804-4-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads