hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan[.]exe

Analysis

max time kernel
146s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
97	raw.githubusercontent.com
98	raw.githubusercontent.com
101	raw.githubusercontent.com
102	raw.githubusercontent.com
103	raw.githubusercontent.com
3	raw.githubusercontent.com
96	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608458052191890"	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{4E9F3787-1A90-40A6-A4E9-A6A79F9BD41E}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1320	2424	msedge.exe	117
PID 2424 wrote to memory of 1320	2424	msedge.exe	117
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 2844	2424	msedge.exe	118
PID 2424 wrote to memory of 1092	2424	msedge.exe	120
PID 2424 wrote to memory of 1092	2424	msedge.exe	120
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121
PID 2424 wrote to memory of 4456	2424	msedge.exe	121

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
1⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3992,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3268 /prefetch:1
1⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3740,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:1
1⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5288,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:8
1⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5304,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8
1⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5708,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:8
1⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5940,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6128,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:8
1⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6064,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:1
1⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6756,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6628 /prefetch:8
1⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6776,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:8
1⤵
PID:4492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7fffde21ceb8,0x7fffde21cec4,0x7fffde21ced0
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2716,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:2
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:3
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1924,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4464,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,12667239992650189210,4887313194479726508,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d28731d70493c11bde60f53ea07d6655

SHA1
465b6ce3484a5c4a178dd5b849e69dac15a5d3fa

SHA256
4425f3503831f7a2a04128383db95bf0857a152ede25ad41fc48a299600e224c

SHA512
0d0d138d5044047222dc45d9e3f3ecdb8e84116be65b6ac422a4f374c5d1926019b2d71dd3b081634375eaf2b725a658e041b0cc7aa390b18ad074a3efc6d762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
7e5756163d9e7ea550224f35fb58514b

SHA1
d6ece64710c4edb9aaf0671a85ba863ba449a036

SHA256
d844609e9657dd98ad0aada1175262e94ffba996e8831ad04607ff51f9a97804

SHA512
622dba6d8e94c24e977f865f3821947c00185fb1d65ae369853ccf1ba84a5aecd4f7242f2940be46cdfa98f0c9a7ee49e25d35e316bb3cc154eb605bab8e5e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fceae694-63fa-4504-9fbe-8a1d4ef1ce4c.tmp

Filesize
12KB

MD5
ed3292b6ac269acc00171d0ba7156f2d

SHA1
a39d8731da4b61adae2f6569d044b999b86e6cbc

SHA256
e1ade322cd491aa282ce8f42ee2b0573a05fc8c2e5c5a9f28c1ec0b6d9f7ba5f

SHA512
421127a2f2287bbf10d602e8b2e6f27cec9020eec379107562dc1c4ae9fed62f551714610024fdbfbcc6a5e1396b727c93b8847a168f7473f7fe653ef50b6e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
62KB

MD5
52d160ff4fdfe4b92cddb2770771e00c

SHA1
633c8ec2f34550120784fcc5e4fd0465d60a04a6

SHA256
3c9805bd1ff9a3aaf2e98836c61160ae0a7358c61448bba55950c5daed0dd190

SHA512
34c87dc50a77d4fcff4ec91dfcf9438e216373d176479235fca2a278fca228f604226b79bd344bc165cc6097e84574a83da92fe2e5beade6dfb32e6caa48c5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
62KB

MD5
ad29b602c8b3a41487ad05e0f1745a74

SHA1
475cb0c0c0749faf8ef109085cbd2ecd943f8558

SHA256
7e8c23a2bbad701af724510c2f146d105b2abd6809a94431bb7531e0476a7611

SHA512
fd59aa7985195bcf2d88dd5112c6944b0ad111c6628ab8066fb788cb1e408aded461e532a41599222e371b6a628767dd0532aae8194457ddaac66c0c90e117d4

Download Submit