Analysis
- max time kernel: 294s
- max time network: 306s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 05:39
Behavioral tasks (task, sample, resource):
- behavioral1: mason.exe, win10-20240404-en
- behavioral2: mason.exe, win7-20240508-en
- behavioral3: mason.exe, win10-20240404-en
- behavioral4: mason.exe, win10v2004-20240226-en
- behavioral5: mason.exe, win11-20240419-en
General
- Target: mason.exe
- Size: 37KB
- MD5: a0f12925c12879a07c9be4ab0af9403b
- SHA1: 4c51dd1593f37b84e8a8f862bc3331a4e346e10c
- SHA256: 085c75ce23e613be57511c5a2dc46b27ae0311ba058e7299ffdbf0226047b3e9
- SHA512: 9c33817572ff1ae66dafb7f6b589ad48fa62831738fc02240969f7df47895f55d257a35ed38f13b6d1b288d67fa68a6173c2344088bdaec880d2d4cbec538765
- SSDEEP: 384:WmOs0IiejvCVLO309QmykrtG+dA+VfwvOSifrAF+rMRTyN/0L+EcoinblneHQM3X:wFdGdkrgYRwWS0rM+rMRa8NuIuELt
Malware Config
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes (pid, process):
    3988  netsh.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege            3652  mason.exe
    Token: 33                          3652  mason.exe
    Token: SeIncBasePriorityPrivilege  3652  mason.exe
    Token: 33                          3652  mason.exe
    The last two entries alternate for the remaining IoCs; every one of the 64 entries is pid 3652, mason.exe.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
    PID 3652 wrote to memory of 3988  3652  mason.exe  netsh.exe   (3 entries)
    PID 3652 wrote to memory of 3908  3652  mason.exe  msedge.exe  (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\mason.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mason.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe  (depth 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mason.exe" "mason.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tmp1090.tmp.webp
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3880 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5680 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5324 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5992 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/3652-0-0x00000000754C2000-0x00000000754C3000-memory.dmp (filesize 4KB)
- memory/3652-1-0x00000000754C0000-0x0000000075A71000-memory.dmp (filesize 5.7MB)
- memory/3652-2-0x00000000754C0000-0x0000000075A71000-memory.dmp (filesize 5.7MB)
- memory/3652-3-0x00000000754C2000-0x00000000754C3000-memory.dmp (filesize 4KB)
- memory/3652-4-0x00000000754C0000-0x0000000075A71000-memory.dmp (filesize 5.7MB)
- memory/3652-5-0x00000000754C0000-0x0000000075A71000-memory.dmp (filesize 5.7MB)
- memory/3652-6-0x00000000754C0000-0x0000000075A71000-memory.dmp (filesize 5.7MB)
- memory/3652-7-0x00000000754C0000-0x0000000075A71000-memory.dmp (filesize 5.7MB)