Resubmissions

30/05/2024, 23:58
240530-3z845agb25 (score 8)

30/05/2024, 23:56
240530-3y9z2aga73 (score 7)

Analysis

  • max time kernel
    34s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/05/2024, 23:56

General

  • Target

    https://disk.yandex.ru/d/7gd7nkrbQw6sQQ

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (3 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (7 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (8 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/7gd7nkrbQw6sQQ
    1⤵
      PID:464
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3776,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:1
      1⤵
        PID:3284
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4880,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
        1⤵
          PID:2236
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5256,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8
          1⤵
            PID:1152
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5248,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8
            1⤵
              PID:2580
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5772,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8
              1⤵
                PID:1960
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5692,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:1
                1⤵
                  PID:4316
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6132,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
                  1⤵
                    PID:2520
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5704,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:1
                    1⤵
                      PID:4992
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6616,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
                      1⤵
                        PID:1500
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6924,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:8
                        1⤵
                          PID:3176
                        • C:\Users\Admin\Downloads\NEVERLOSE.exe
                          "C:\Users\Admin\Downloads\NEVERLOSE.exe"
                          1⤵
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:560
                          • C:\Windows\SysWOW64\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
                            2⤵
                            • Checks computer location settings
                            • Suspicious use of WriteProcessMemory
                            PID:4040
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:5308
                              • C:\SavesMonitor\Blockcontainerproviderdhcp.exe
                                "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
                                4⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Drops file in Windows directory
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:5360
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bza2MO65mN.bat"
                                  5⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:5548
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    6⤵
                                      PID:5604
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      6⤵
                                        PID:5620
                                      • C:\Recovery\WindowsRE\conhost.exe
                                        "C:\Recovery\WindowsRE\conhost.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5800
                            • C:\Windows\System32\rundll32.exe
                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              1⤵
                                PID:3176
                              • C:\Users\Admin\Downloads\NEVERLOSE.exe
                                "C:\Users\Admin\Downloads\NEVERLOSE.exe"
                                1⤵
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:5216
                                • C:\Windows\SysWOW64\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
                                  2⤵
                                  • Checks computer location settings
                                  • Suspicious use of WriteProcessMemory
                                  PID:5256
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
                                    3⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:5668
                                    • C:\SavesMonitor\Blockcontainerproviderdhcp.exe
                                      "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5720
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k SDRSVC
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:6012
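The tree above reads as a staged dropper: NEVERLOSE.exe runs a VBE through WScript.exe, which runs a batch file, which starts a dropped executable from C:\SavesMonitor; that executable runs a second batch that calls chcp, waits with w32tm /stripchart (a common batch-file substitute for sleep, since it blocks for roughly period × samples seconds), and finally starts a file named conhost.exe from C:\Recovery\WindowsRE, a location where the real conhost.exe never lives. The following Python is an added example, not part of the sandbox report: it reconstructs the chain as process-creation events (PIDs and command lines copied from the tree, parent PIDs inferred from the nesting, field names an assumption rather than any real log schema) and flags the behaviours a detection engineer would write rules for.

```python
"""Added example (not part of the report): rule-based triage of the
process tree above. Events are constructed from the report's PIDs and
command lines; parent PIDs are inferred from the tree nesting, and the
Proc field names are an assumption, not a real EDR/Sysmon schema."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # image path as reported in the tree
    cmdline: str    # command line as reported in the tree


# Constructed from the process tree (Edge command lines trimmed to their
# first flag; the Edge pair is kept as a benign control).
EVENTS = [
    Proc(464, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/7gd7nkrbQw6sQQ'),
    Proc(3284, 464, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer'),
    Proc(560, 0, r"C:\Users\Admin\Downloads\NEVERLOSE.exe",
         r'"C:\Users\Admin\Downloads\NEVERLOSE.exe"'),
    Proc(4040, 560, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"'),
    Proc(5308, 4040, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "'),
    Proc(5360, 5308, r"C:\SavesMonitor\Blockcontainerproviderdhcp.exe",
         r'"C:\SavesMonitor/Blockcontainerproviderdhcp.exe"'),
    Proc(5548, 5360, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bza2MO65mN.bat"'),
    Proc(5604, 5548, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(5620, 5548, r"C:\Windows\system32\w32tm.exe",
         "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    Proc(5800, 5548, r"C:\Recovery\WindowsRE\conhost.exe",
         r'"C:\Recovery\WindowsRE\conhost.exe"'),
]

# Directories that Windows itself installs binaries into. Anything started
# by a shell from outside these roots is worth a second look.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Names of Windows binaries that malware likes to borrow for dropped files.
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "rundll32.exe", "dllhost.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[0]


def analyze(events):
    """Return (pid, rule) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name, folder = basename(e.image), dirname(e.image)
        parent_name = basename(parent.image) if parent else ""
        if parent_name in SCRIPT_HOSTS and name in SHELLS:
            findings.append((e.pid, "script-host spawns shell"))
        if parent_name in SHELLS and not folder.startswith(TRUSTED_ROOTS):
            findings.append((e.pid, "shell launches executable outside trusted roots"))
        if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            findings.append((e.pid, "system binary name outside System32"))
        if name == "w32tm.exe" and "/stripchart" in e.cmdline.lower():
            findings.append((e.pid, "w32tm /stripchart used as a sleep"))
    return findings


def ancestry(events, pid: int):
    """Root-first list of image basenames from the tree root down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"PID {pid}: {rule}  <- {' > '.join(ancestry(EVENTS, pid))}")
```

The Edge processes produce no findings, while every hop of the NEVERLOSE.exe chain after the VBE trips at least one rule; the dropped conhost.exe trips two (launched by a shell from outside the trusted roots, and carrying a system-binary name outside System32). The parent-PID inference is the caveat: the report renders nesting, not PPIDs, so on a real host take the parent from the EDR event rather than from indentation.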

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\SavesMonitor\Blockcontainerproviderdhcp.exe
    Filesize: 1.8MB
    MD5:    6c43270f19233761545141a2175d00bc
    SHA1:   2af739400dd238badc0b7e9ce3d45e1eb0023e48
    SHA256: 27b5ff20a635463564a1b19868af62916c29453654d703aee7482b391b554de4
    SHA512: b43a8964c58fb933a80bcdd8b688d8ffda33a832e831ae8c2b54323908c5fe7c87953f24836ee987802d9429f1cd313947d3df988a90817f651edcf89c6586d6

  • C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat
    Filesize: 92B
    MD5:    a65e78a870380ac9c4ba083569959d4a
    SHA1:   8d6c9d55106b4ac275b873db16c069a27b79609f
    SHA256: d82e913f336059d8b7e9adf0832357d82b746230c75a997613b00714e86ddf30
    SHA512: 9021e5dc54bff72ccb2b62d6c13f44dbb90c04f4b88513bbee04b559290bf93f149cdfb574cc8ce6d645237e9f7effb0b5e267d33db1d0ecafe2da7a159e2b44

  • C:\SavesMonitor\RmK92.vbe
    Filesize: 208B
    MD5:    252c8a936c61108036239630f110d0b9
    SHA1:   765fa5076b12b640ab968cc5279b540e9f161341
    SHA256: d16aa2383787258cc998e0f6a1d48f62ceb3c11068355c2eed26cdd74dc97b34
    SHA512: d333fa3186c904c52b5685bb3e9197f25a0a4980955d973e1e99a84433821ebf5dcdb1faad21e5554eea940bd219fb92cf92e77e6be72d187692ae22e3856de5

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Blockcontainerproviderdhcp.exe.log
    (CLR usage log; the .NET runtime writes this when a managed assembly runs, so Blockcontainerproviderdhcp.exe is a .NET executable.)
    Filesize: 1KB
    MD5:    1eff74e45bb1f7104e691358cb209546
    SHA1:   253b13ffad516cc34704f5b882c6fa36953a953f
    SHA256: 7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc
    SHA512: 44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

  • C:\Users\Admin\AppData\Local\Temp\Bza2MO65mN.bat
    Filesize: 209B
    MD5:    572e5b8ad26a8182890e47673d0b5654
    SHA1:   61165e46d11316ac42010ca9fe9a6fa782872f32
    SHA256: 3dc183225d21b68ead3d658bb1d2f20920ff32ef25d70e1463de199691a9f793
    SHA512: a872d2731acb541877ef1ecb1f9ea62ecb71b22647fdd4a3b4aff40e348a25ff02d3311c8e59d3e615931393519724d7baa956951e353cb512f8f1515312fd53

  Memory dumps (PID 5360, Blockcontainerproviderdhcp.exe):

  • memory/5360-12-0x0000000000610000-0x00000000007EA000-memory.dmp    Filesize: 1.9MB
  • memory/5360-14-0x000000001B3A0000-0x000000001B3AE000-memory.dmp    Filesize: 56KB
  • memory/5360-16-0x000000001B420000-0x000000001B43C000-memory.dmp    Filesize: 112KB
  • memory/5360-17-0x000000001B490000-0x000000001B4E0000-memory.dmp    Filesize: 320KB
  • memory/5360-19-0x000000001B440000-0x000000001B458000-memory.dmp    Filesize: 96KB
  • memory/5360-21-0x000000001B400000-0x000000001B40C000-memory.dmp    Filesize: 48KB