Analysis
-
max time kernel
77s -
max time network
78s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 03:28
General
-
Target
https://dvdscreensaver.com/
Malware Config
Signatures
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dvdscreensaver.com/1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc502e46f8,0x7ffc502e4708,0x7ffc502e47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4688 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,4865748602129084396,9132803778616163734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_1164-zzDVD.zip\zzDVD.scr"C:\Users\Admin\AppData\Local\Temp\Temp1_1164-zzDVD.zip\zzDVD.scr" /S1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_1164-zzDVD.zip\zzDVD.scr"C:\Users\Admin\AppData\Local\Temp\Temp1_1164-zzDVD.zip\zzDVD.scr" /S1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_1164-zzDVD.zip\zzDVD.scr"C:\Users\Admin\AppData\Local\Temp\Temp1_1164-zzDVD.zip\zzDVD.scr" /S1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5537815e7cc5c694912ac0308147852e4
SHA12ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA51263969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
1024KB
MD59ee207b07ef39feb69da8317fa0f5b78
SHA17f9b864d0690a5ef46327f370e627f0029c6e339
SHA256f38b0c6f65df547ceb50c89011c6b10b42bb34018abf9870017fbf9d3c9c8161
SHA512710585e68ffbb47ef5c1b7787729f355b9258cd17479d89ab9078af2c032c8e09cd4601082ca0d260ad7cbda87d80a53be8a743fd18fffb4d4a442966bcf3ef1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD5382d906872568b5946f0c0f9d2546f5c
SHA1f6dd575740ccd2b95ac3d75a1376482df3a9eec0
SHA256c8c7b3f7e740a040708c292b7f6ebccc1a1ac042bad7b1cf0a614141dcad69d3
SHA512c377a96a176f9a0fc5426f461f7ce4d52076109b7994aab40a65ddf3f9184ae5674578829cdd250392063d81e59deb4ea000729f4dbcabacd756cbe1eb8306e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
596B
MD5addc921742ab3d6f02d86549b9572649
SHA1d88c9d0ea19e739288ca2a402dc60fc16c610e80
SHA256b3ee8a4b6225cecd953481fbf1eebd0c54ec8720ec71f5960a08244b3b7d2da8
SHA512561eac7c9fcc2268060af31120ec0c2cf6edf2fee38abdd5b58544ee28313fc010422641bc9b1f1f13a1f3fe34a2e13d4856b863b279c9cc774f4c1c92aae60b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
596B
MD5956bf09539ad297d6c7d4c15d9e95995
SHA19f7f69e91ac6c8ef95620ca2df3728c7ba2bd3d3
SHA2562a50e11455cd68a599e1fc8c9bf417a503b1bd7cbcc2925b13080ed5b18bc155
SHA512e3aa21536b442e62759d34af67ddecba4b0eb88843da7a7c8193a164930b39263ba0a3e5b8da205e253e699252877fcfdbded3759ddbb290bcd3e2715127fee1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5037613c528c1eda63612a4e2ef5af8b2
SHA1f9576860fe427571852902da3b0977ba803f0136
SHA256bb6a69b594d8d9f441494d1b40df97b8f04d63356017306746c62fec3eb3c662
SHA512a0f6418a0cae49c5d150393a579c5503dbabd45524b652bc0962f780bc95fa29ce6417e520128131e7407a6d2bd6d36d5b0008aa573a930b93cf54bee606e8a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD52d9f6a60dc1cbb749d0df78718bf08ad
SHA13d3f06f724edf7c5245e94afeea2b963e17e510b
SHA2563f3eab7b7fdbe8787a829960f427661a2ae1b91b0bbe8483522eda779edffcbf
SHA5126146ec74d3fd916d18e3e9e0911d62857a8bb17141d7589b71aa379a07f356b50d0bdae0182646726b0782a860d50624af628ccc96acedbd8e51858f75e11e5e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5a54b281e2ecf35b3a13e3c407175d66e
SHA114ea821ad3df07aecccd2c05592e9108ccd563db
SHA256cc2bbb0cfb372188794b452242bb86438197aef1475f5ce285298fb778f060b3
SHA5125e25b9bd71583d9ee5df546d47ea4bac63e38641f09ee97eb5dc8709ffbe9deff10b4de1525dab2887a914496b839c0d6d26dbf1446d3053817bcd976bb05ecd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d2228304-9c20-41f2-866e-2febbe321879.tmpFilesize
5KB
MD51cff22f64cb43d5de5808a3ae14a0985
SHA1f77397e18cc7d1cd8526919d901fa9d9217feb02
SHA25602b4896b87fbb0c6ec81542a04237c1d986e430dc01bf8ed7bf91520e688e5cb
SHA5127760b3f7e0dc39bac5200beb591fb46b78587397d696f3f20f79fed65f7749715521b6a3b2ef25552537ebb79cd6850e6cf49fd1689a6cca0c128cef6b0266d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD591c49ccd80775a4688e6f54c18b29a17
SHA1ac2b0b018c09de2f1863c1a167280ccc9bf89aa1
SHA2561e60d01035737693f6f87258ada72ad17567709a5731280f3f4a373ef458436d
SHA5124ac98c610ab258a81d895682120e89406a34e2fa10bbe22826b3c659e1dad3d6e38c51b3783e5675017b86b8465ec68cb45ed560bb228101484192ff49b43305
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5ced27accdd6cc8209359c287866f3bbe
SHA1287e4d2fd00e36049aa17b9051610ef2f24b389b
SHA256f88f6d350de156f17310f388286339f305bd782ff6c0a0b7076cbb0a7fbc8684
SHA512b913263c9eccfef91af8a7e698d5281733755e6d0bc84177025c538ca255f14997bfdad221339c28f4a1ee74f6008cf2b99d7839d0dc8f135e2b9ff25994d14a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dc46ddf0-21ef-42d2-8573-eb532ea9eea0.tmpFilesize
11KB
MD5bcf2bc640e9d9bb6e42ec5d816554778
SHA13ceff3329544a242918e273099638055ba6888c5
SHA256e4e203a04cb93ce5ac202f773ba5e737668d6f348c726d87301494d40215386b
SHA5129462d12604fdf9147025dac6e013b297cdf83327eeb4d8b43472c877e834c2e7a3197e192e8277ea9758f65869dbedc8b9c9956a28a87aecbe32421c862d091a
-
C:\Users\Admin\Downloads\Unconfirmed 688596.crdownloadFilesize
5.8MB
MD550f961614983cb9714885c2af5bc3a8d
SHA18a20033f5d08976b7429c56a1fc48f321fc90d60
SHA2564510b52a6b7f1af7f8a3f4c797cd7dfca502116b33e86b6ea43da1b1403b4d9e
SHA5122646106ee6f0d18fa876ee55197c4d466c474a2760384fd32b1d261ac795b0d2ae1150d8277bc6f4d6b32ee56310684f49b8c83aaf6b71f1ed093e9dd7b55be4
-
\??\pipe\LOCAL\crashpad_3804_EEKODEKYOAYCHPENMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4632-151-0x0000000000400000-0x00000000013A3000-memory.dmpFilesize
15.6MB
-
memory/4632-149-0x0000000000400000-0x00000000013A3000-memory.dmpFilesize
15.6MB
-
memory/5436-164-0x0000000000400000-0x00000000013A3000-memory.dmpFilesize
15.6MB
-
memory/5436-162-0x0000000000400000-0x00000000013A3000-memory.dmpFilesize
15.6MB
-
memory/5540-188-0x0000000000400000-0x00000000013A3000-memory.dmpFilesize
15.6MB