Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 07:53
General
-
Target
a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe
-
Size
6.0MB
-
MD5
4eab45de22032a0ed50a24a131591608
-
SHA1
a63549d67d66bb08709aef6798544141c1103ad5
-
SHA256
a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293
-
SHA512
31aa88e774c6bccbb3c8d864fe1818a6412f58ec3236ba5c5a4f69cdff9393e8e7e888043fd9796f7540f27b8a71f3681e44a17a377d42e98a04d7ed91ed1dc7
-
SSDEEP
98304:fbdhDqohDS1F+CRcB27OgUWZHw8VQjr+/bJBAUZL3:fbdhDD23a2sWKjr+TJVj
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe"C:\Users\Admin\AppData\Local\Temp\a500acda784871a03bf414b6337de98262c4203ff0b45129ee91230cd1d93293.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffe3ff246f8,0x7ffe3ff24708,0x7ffe3ff247183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10506390578475133709,7489695448139851032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:13⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5bae881256b1566a8dc2722cc10347aec
SHA12f3be5dd7bad34900509a229578b7ee71d4ec31c
SHA2567321673b00c31f2f48b8b2a0134960fb37d3a3824dcf71f6813a1548e20da3e0
SHA512093acd55f69b6b3f2483ab8964680de16793dbe2ab4c94074bd58396fd75307f61625f0253e5ef670e1d3b977f6c6d25fcae33b0eecbcb08e112812fa61c2af8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e6750a7f63d46cc1a148b262bf4da0c2
SHA1871b28869240f67881768141db98aaa04e2e6f67
SHA2566c41eb44ec480a7380450aa9e8f360b6050d0e3ab90717a1c5d0911f60e257bc
SHA5120818b6cb321c121106a1650d009f55f1f5fddf3a0f1386c3ff68ae60c39d365eb3f3bda87fd524bfa726c89efbd7661b434b1b28f8e56d725100256a28906559
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c6dee3f1e40f9c440696be678f8d451f
SHA10f079a3f2668e1c9e5870c52ce94288a11552612
SHA256d345c4d32c6d8eb20bed52f4f42deca8ac44c102069517516ba5c167d04dd552
SHA51227251f97616283bbcf24a65106dd5559efca231a9591ce23e270ac741c7e4977da42273d0e07c26658ade668016a17ba063287f39394100df6c34acf927e6c17
-
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.libFilesize
1.5MB
MD5ef48d7cc52338513cc0ce843c5e3916b
SHA120965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9
-
C:\Users\Admin\AppData\Local\Temp\·½°¸.iniFilesize
9KB
MD5bf266107c358df5c2f746e809c9c0e09
SHA12dc2b845c4456b1ee2dd6334cab42e4ae99e4668
SHA25609d4dae875f7f29622fb0cf09a7961a0e7065359a910dab4e7668519433b67a3
SHA51227290a2da1a43c150cd761d238495fee51b5e2b791a57866d4c34a17ec3c6a0999629cfa23502e7c3b4c4ca23222947c56b41004c0728df5bff6bd287f1a4b7a
-
C:\Users\Admin\AppData\Local\Temp\·½°¸.iniFilesize
8KB
MD516ef8177433976c14d23f839a8c1152a
SHA12b653ca841498be9292cbbc8b5119504e225f56d
SHA2562a30dc50f2e6e73b059d7419b34924114bffcfa8d99f7703bfbdd4f9e5da8855
SHA5129cccf0eb97b898988e5da63584e195528dd3a0f34d0608844a33c6ac5928d83c8159151a7a15d5382a10114b819cb72d8c5840d254d9ac1023ad6ac22ac4833e
-
C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txtFilesize
189B
MD5322f59ce015ff2f1f00ecbe4fdfce380
SHA1eb4756a5bb023f6d1feacdbeac6e94013e15d5b0
SHA256c96ef901d8f23cb7626ef980c4cf5bece7aafeef9b2b8b28829d3a11a51562c1
SHA5122610ce1c0a55da67faa9ddaca26529a87bf5ebc6706621682d54024fa887ca9cd54cdc5b854f8b79ea99b02a5277d6931f633fa876107d9ec1bf503bee23a02c
-
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.iniFilesize
260B
MD5924bf7a4ce305dad87743ba3c5773aa9
SHA112d0fddb472394b23e5176ab4ede38974e723b81
SHA25601faf5e88442653bf38adc145d517f44d3495398e0aa666c7486b7030c126cbd
SHA5122380c957717d3bc97ae2de96aba9cd3b50a1774eb96dc47840add1b12ee13485ee6cc6c4d30953b8f42d32ae3b02657966229fcbe58a60843df0cbd6170eb44e
-
\??\pipe\LOCAL\crashpad_2440_MRFQZBPUABWAXMOSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2068-14-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-10-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-32-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-28-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-24-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-20-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-54-0x0000000002AD0000-0x0000000002AD1000-memory.dmpFilesize
4KB
-
memory/2068-53-0x0000000002AE0000-0x0000000002AE1000-memory.dmpFilesize
4KB
-
memory/2068-18-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-16-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-0-0x0000000000400000-0x0000000000A6D000-memory.dmpFilesize
6.4MB
-
memory/2068-8-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-6-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-38-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-26-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-22-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-12-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-51-0x0000000002AC0000-0x0000000002AC1000-memory.dmpFilesize
4KB
-
memory/2068-5-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-2-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-48-0x0000000002AB0000-0x0000000002AB1000-memory.dmpFilesize
4KB
-
memory/2068-99-0x00000000060D0000-0x00000000060D1000-memory.dmpFilesize
4KB
-
memory/2068-98-0x00000000060E0000-0x00000000060E1000-memory.dmpFilesize
4KB
-
memory/2068-34-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-40-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-42-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-44-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-47-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-46-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-36-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-30-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-4-0x0000000010000000-0x000000001003E000-memory.dmpFilesize
248KB
-
memory/2068-3-0x00000000028F0000-0x00000000028FB000-memory.dmpFilesize
44KB
-
memory/2068-1-0x00000000028F0000-0x00000000028FB000-memory.dmpFilesize
44KB