Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 23:07

Static task: static1
Behavioral task: behavioral1
- Sample: launcherfull-shiginima-v4400.exe
- Resource: win10v2004-20240508-en
General
- Target: launcherfull-shiginima-v4400.exe
- Size: 5.4MB
- MD5: c3db052da531710367faf5e011475715
- SHA1: 46f599e4e1ece582006739debe0a522925a9cd13
- SHA256: 7c6220b046553f9c95b8098ff83bfc6b7828093650becbc1b44e3d7819d7efd1
- SHA512: 67bfb67b36dab91e37b1ada7fbd688dc39cf19c337e3938d1f7e4f47173b7dc9d0b93dc035d6511ce65b8fe44384bb9cffa9953e97c6fffadb29fd561eec7feb
- SSDEEP: 98304:qpTJ89MMbcZsgsDlilods/txVGHTJKsTnEFnAzvDfBzXEYNsJ5Ono:aTm9MMbcFililB0HdRTnEFnAzlEQsJ5H
Malware Config

Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  4672  icacls.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  5012  msedge.exe
  5012  msedge.exe
  5112  msedge.exe
  5112  msedge.exe
  1420  identity_helper.exe
  1420  identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process
  5112  msedge.exe  (3 identical rows)
- Suspicious use of FindShellTrayWindow (27 IoCs)
  pid   Process
  4132  javaw.exe
  5112  msedge.exe  (26 identical rows)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  5112  msedge.exe  (24 identical rows)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4132  javaw.exe  (3 identical rows)
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, row counts given per line)
  description                        pid   Process                           procid_target
  PID 4228 wrote to memory of 4132   4228  launcherfull-shiginima-v4400.exe  83   (2 rows)
  PID 4132 wrote to memory of 4672   4132  javaw.exe                         84   (2 rows)
  PID 4132 wrote to memory of 5112   4132  javaw.exe                         94   (2 rows)
  PID 5112 wrote to memory of 3224   5112  msedge.exe                        95   (2 rows)
  PID 5112 wrote to memory of 3784   5112  msedge.exe                        96   (40 rows)
  PID 5112 wrote to memory of 5012   5112  msedge.exe                        97   (2 rows)
  PID 5112 wrote to memory of 3676   5112  msedge.exe                        98   (14 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4400.exe  (PID 4228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4400.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre-1.8\bin\javaw.exe  (PID 4132)
    Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -classpath "C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4400.exe" net.mc.main.Main
    Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe  (PID 4672)
      Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      Signatures: Modifies file permissions
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5112)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://teamshiginima.com/
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3224)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb783c46f8,0x7ffb783c4708,0x7ffb783c4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3784)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5012)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3676)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1744)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3636)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4604)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4824)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1420)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14572840976443073061,12369393230938421811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe  (PID 2940)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe  (PID 2268)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46B
  MD5: 70f785f085bf076330e3b5e7f70669f9
  SHA1: 914444941c37036893b0e80926d499fe175f323d
  SHA256: 260091245a964c7c7d5b02ca75280357f51d777e34d627e621c7b3989f4985fa
  SHA512: 7f6dc75047e50f5d8cd580899348369aa4b37fe9cbac90b88299a85e878582c013e9be0f13202c3c9f661666cd6606ab5faa649e93a0be5fa048a144ce4b1b4c
- Filesize: 152B
  MD5: 612a6c4247ef652299b376221c984213
  SHA1: d306f3b16bde39708aa862aee372345feb559750
  SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
  SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
- Filesize: 152B
  MD5: 56641592f6e69f5f5fb06f2319384490
  SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
  SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
  SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 144B
  MD5: 21373c042cb2d7ffa4d91a29fe15721c
  SHA1: 6b227699b23652ad7a153f389312870073ab73a0
  SHA256: 2cc7194e87c7d99699a6b92d68c59b376a944cdf332b7bac457b6799b5ed691b
  SHA512: 2e0cf36add66d889b6eb85eb201d456a4de65713c43bc6f61a4559f2025f1a095972c72867b8926c92b50fcae427deb6146b7cb7fe9d423fc421874303acb43d
- Filesize: 1014B
  MD5: 9bc02749f9a0f95cf379eb2152b52975
  SHA1: 50d33afa0eb7608194743438515808a761a4d357
  SHA256: b31f1a67001b0e2c73373e070f5b77f97d576959706640c9da2251e78a5e9239
  SHA512: 29df846dffcf098cb527eb21dc04ba349020ca2115848e42cd2b863b664cc5c797f5f5a8a066c425b0a2fb0c086324b60191bc3e111513a65906711ffedd41b5
- Filesize: 5KB
  MD5: b9e9a1d92c0b975ef4c6f408e2b994f7
  SHA1: 78a8f9097a91d1ac9f1e09bbfb7cde51a94b988b
  SHA256: 96114982665473b4c1d553b92f8539e32a0700fe2cce55cf385fb29dd5d17e89
  SHA512: 642294cb576dc3a6ba82690b91ccc18a54729d42951e6993e693b07158605c61b64700fc7f57d225aa785389c5f32231972d9e7c0e5540cd694a0f3f46c732d1
- Filesize: 6KB
  MD5: 339cc11d14fd6935f36f4da9fd7ab1b2
  SHA1: a7e2cedae1cc583eb79207cf46a7794582846686
  SHA256: daf440ae14887ea52864c4bbfcbaecb3fc02617445635a9a0bad46eb81fdee33
  SHA512: dd076ad0d9c7da27fabff813bca16bf088ba1f6f2e1e6db589e38f55e13fce81c5580de5391d366e3be284e61bd717e80ece882d00c5530f6bc49c44a9c80099
- Filesize: 6KB
  MD5: 829ceeb77ec4497254b795d81408bc2b
  SHA1: e691e9b1879b3bdf15aab334726324dcd44a7362
  SHA256: 920cb170b48140c9fe4ad58b684e118cf33163a3853a2ad389b3efcb5be5071e
  SHA512: 1193876943b54c9cef9f25a8939e78c5ae8cc3895ae92289bf1bb6bcdded0d11e7233b6d691427aa5acacb291b05bfdf1270561278ca40b6aaba778693494ef1
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 223dab67b80b71d0e1df4d5695e78b88
  SHA1: dde509b9933b380ced3ee69b0b285694254a655d
  SHA256: 5d1407d0e277490ec6866897d037705385a1424103f5bee84c0e787081cc33eb
  SHA512: 1f5333846b4e7ca486924a34f43d45bc8a1b78759a285d0777d592623b8c37497b02aa4c2e56103be5615e7ae6ada4d6cf110f27f1323c8a926502fc484a82e5
- Filesize: 11KB
  MD5: bb3a7a47a1ae4cfc05d4b47ce148686e
  SHA1: 71d29f3690e4f51e39feed30da3a4f601f7c9b06
  SHA256: 97745ac032ff3e4faa25c04c601c94912eadd7db8af7a4cafd6bace15d22f882
  SHA512: 480360fbb2be4da080e49befd291bb0ffeef465cf1c7d18633943969358cd7ce7c7b4b2b45262a975279a2b751b1fe0e88a0f3711bcaf5cc86f7442f51178816
- Filesize: 139B
  MD5: 571cc0288e3f5db4c85ae85dcd1c64ce
  SHA1: 181bbac9970e40769a089666de6555a51f5718d4
  SHA256: 36ed29282e1d008064f2c06952eddabdf7c73b58e2bc5215a497ac4541be6553
  SHA512: 16b64e01c673e8541f3b4a85c19cb5d922e6dfce772b06ca4dd0710b60e3d9e0ba4d3a34cdf19e655bd27feec6adfe7b90b355afd5193f792de4db846e112b50