085c75ce23e613be57511c5a2dc46b27ae0311ba058e7299ffdbf0226047b3e9 | Triage

Analysis

max time kernel
294s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 05:39

Sharing

Report Analysis Logs

General

Target

mason.exe
Size

37KB
MD5

a0f12925c12879a07c9be4ab0af9403b
SHA1

4c51dd1593f37b84e8a8f862bc3331a4e346e10c
SHA256

085c75ce23e613be57511c5a2dc46b27ae0311ba058e7299ffdbf0226047b3e9
SHA512

9c33817572ff1ae66dafb7f6b589ad48fa62831738fc02240969f7df47895f55d257a35ed38f13b6d1b288d67fa68a6173c2344088bdaec880d2d4cbec538765
SSDEEP

384:WmOs0IiejvCVLO309QmykrtG+dA+VfwvOSifrAF+rMRTyN/0L+EcoinblneHQM3X:wFdGdkrgYRwWS0rM+rMRa8NuIuELt

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3988 netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 2.tcp.eu.ngrok.io
51 2.tcp.eu.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mason.exe

description	pid	process
Token: SeDebugPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe
Token: SeIncBasePriorityPrivilege	3652	mason.exe
Token: 33	3652	mason.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

mason.exe

description	pid	process	target process
PID 3652 wrote to memory of 3988	3652	mason.exe	netsh.exe
PID 3652 wrote to memory of 3988	3652	mason.exe	netsh.exe
PID 3652 wrote to memory of 3988	3652	mason.exe	netsh.exe
PID 3652 wrote to memory of 3908	3652	mason.exe	msedge.exe
PID 3652 wrote to memory of 3908	3652	mason.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\mason.exe
"C:\Users\Admin\AppData\Local\Temp\mason.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mason.exe" "mason.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tmp1090.tmp.webp
2⤵
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
1⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3880 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
1⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5680 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5324 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
1⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5992 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3652-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/3652-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3652-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3652-3-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/3652-4-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3652-5-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3652-6-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/3652-7-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download