hxxp://a[.]directfiledl[.]com/getfile?id=17696539&s=5A15C8BB

Analysis

max time kernel
77s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://a.directfiledl.com/getfile?id=17696539&s=5A15C8BB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1568	central.exe

Loads dropped DLL 2 IoCs

pid	Process
1568	central.exe
1568	central.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\bin\fonts\Poppins-Regular.ttf	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\fonts\lua.xshd	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\fonts\Poppins-Regular.ttf	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\ICSharpCode.AvalonEdit.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\bin\CenterDLL.dll	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\aworkspace.lnk	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\bin\fonts\lua.xshd	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\bin\ver.txt	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\central.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Central 1.2\autoexec.lnk	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe
1568	central.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
620	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	620	7zFM.exe
Token: 35	620	7zFM.exe
Token: SeSecurityPrivilege	620	7zFM.exe
Token: SeDebugPrivilege	1568	central.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
620	7zFM.exe
620	7zFM.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://a.directfiledl.com/getfile?id=17696539&s=5A15C8BB
1⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5340 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5012 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4860 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5484 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6112 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:4088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5980 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
- Drops file in Program Files directory
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4820 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5276 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6272 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c 0x524
1⤵
PID:4092

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Central 1.2.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1928

C:\Users\Admin\Desktop\Central 1.2\central.exe
"C:\Users\Admin\Desktop\Central 1.2\central.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Central 1.2\ICSharpCode.AvalonEdit.dll

Filesize
604KB

MD5
ecd9c594b35bead0588818206428ab49

SHA1
65694ab8bfda267bf3a066e1823d837dcca10f95

SHA256
86ff97015da0c2802b1c1c35d4e9c3c21cb024258557eff9cade16a9d58bd34b

SHA512
c9740b397ab68406a0a8f6a334631484c4daf61968bb9a1ececb9f797d63d0da5a32956fc9186cad3474d6543171dee01cdd93c077d2563ae99b836b3a44bf3e

Download Submit
C:\Users\Admin\Desktop\Central 1.2\bin\fonts\lua.xshd

Filesize
4KB

MD5
08713090c9ca001ca19735d0d23f93bb

SHA1
1731d4f285aad168fb4a802019634ff9775f28e5

SHA256
c1af5d8d18e066f0c2d535b656174ae8cdbe5f0fffe548e96d3fd2602fe7f9b3

SHA512
e048b451e8d65818331c5a9d0bca7aa90b3a532274138e0ed5a20285ae969490c77f6088f25dd6ef85df19e9cdb257f007dd2c4ac8aa08b1aa7ea092ef282128

Download Submit
C:\Users\Admin\Desktop\Central 1.2\central.exe

Filesize
12.0MB

MD5
66fd771cf93926426231f17667068e12

SHA1
fd00f3aa6a03ed20e896b75527daa7236456b7fd

SHA256
d3391a69092860bc088fd0b90a704745df4eb0667e1cd6f133079b23599ec0fe

SHA512
746a03d26ab5070239cf7936be19fd01c676b4f053f4014867e873f2433527115ca6767164c31037fe751484083b5f8d347310a202fbcd9a47032f9026491272

Download Submit
memory/1568-22-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/1568-23-0x0000000000450000-0x0000000001050000-memory.dmp

Filesize
12.0MB

Download
memory/1568-27-0x0000000005BF0000-0x0000000005C8E000-memory.dmp

Filesize
632KB

Download
memory/1568-28-0x000000000ACB0000-0x000000000ACB8000-memory.dmp

Filesize
32KB

Download
memory/1568-29-0x000000000AD00000-0x000000000AD38000-memory.dmp

Filesize
224KB

Download
memory/1568-30-0x000000000ACD0000-0x000000000ACDE000-memory.dmp

Filesize
56KB

Download
memory/1568-35-0x000000000C560000-0x000000000CB04000-memory.dmp

Filesize
5.6MB

Download
memory/1568-36-0x000000000C050000-0x000000000C0E2000-memory.dmp

Filesize
584KB

Download
memory/1568-37-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download