Overview

overview

7

Static

static

3

kona_dancer.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    903s
  • max time network
    1168s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-06-2024 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kona_dancer.exe

  • Size

    4.7MB

  • MD5

    78ae653289ab3169ecd0c76215999c6d

  • SHA1

    2e09dc10bd7e1962c08e54b8a026b4aa492c89fd

  • SHA256

    565693b546ad31afae5b00ab2f54db4211949665ff22a09aa769689d852c736d

  • SHA512

    ebfca5a18e376947ed79b439c59d2e9099860da462b7592685d38f64b05cdcf249b96f4bac48a656593e299faff866abc489602792126b2b385966dafa776133

  • SSDEEP

    98304:aBE45G1w5eE2hAMKqJ3M1tpEURBL4sNZcbjBGQsTujRwsOrsACl/bC69U:aRmlPkHAVKSvOQPjC6q

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 11 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kona_dancer.exe
    "C:\Users\Admin\AppData\Local\Temp\kona_dancer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2152
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff32a93cb8,0x7fff32a93cc8,0x7fff32a93cd8
      2⤵
        PID:1652
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        2⤵
          PID:2576
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4880
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
          2⤵
            PID:1908
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
            2⤵
              PID:1164
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
              2⤵
                PID:2140
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
                2⤵
                  PID:3012
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
                  2⤵
                    PID:1308
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,13001572255837229062,13012661966365353907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1096
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4260
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:1724

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize

                      152B

                      MD5

                      8f2eb94e31cadfb6eb07e6bbe61ef7ae

                      SHA1

                      3f42b0d5a90408689e7f7941f8db72a67d5a2eab

                      SHA256

                      d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

                      SHA512

                      9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize

                      152B

                      MD5

                      d56e8f308a28ac4183257a7950ab5c89

                      SHA1

                      044969c58cef041a073c2d132fa66ccc1ee553fe

                      SHA256

                      0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

                      SHA512

                      fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize

                      5KB

                      MD5

                      d26711a4c2a00c087789db6f39a60502

                      SHA1

                      5ea16331aa7d3d250f846fd45a078322028887f1

                      SHA256

                      dd9a67e1aa07d8d886314d980d427e8d3a0bcde146808dc85816c0b8cef9d34b

                      SHA512

                      dc8430df4872dfa304cca10692699f6aa99ea1b8730062c67e07ccdc3a485915a61dc90f15931029538776980c388f537cc2f363d952a59182b942e421041460

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize

                      5KB

                      MD5

                      c8c81e015fc21fccdc60412badecdb18

                      SHA1

                      66c6319522eb1c374cdcb655a5f82c0a38c528d6

                      SHA256

                      d9a881f96e58c4293892df08e8ea0c418c6e9726fba2518e14dc899f03583c70

                      SHA512

                      1de1a36f95dde1837604ceab82d0043b1a2bf47fed6a9477aaca5d84bfe6af9ad50015aa98304e5a008f3d39caa33e24ef7fa91ec3e73135207492d90c8a984b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                      Filesize

                      10KB

                      MD5

                      a8549be1bb8212d6da6da0b2f4b48988

                      SHA1

                      3efa37d90d9714378d68a8d14fd725d8a8c5a4cf

                      SHA256

                      2a6649bf21ba84c7977423c47cc3fc87f282f889ff75889f8fd065b77011470e

                      SHA512

                      d62c57b58c208ba18f5a3423bd756816043e00c0ab842227bd4369de69981a9fdcfb65793f34ff30b849483b566f9534381d69f594b4daaca1fd75a4399129d1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                      Filesize

                      264KB

                      MD5

                      f50f89a0a91564d0b8a211f8921aa7de

                      SHA1

                      112403a17dd69d5b9018b8cede023cb3b54eab7d

                      SHA256

                      b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                      SHA512

                      bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\File.cu.mfx
                      Filesize

                      11KB

                      MD5

                      76ff77742ba21273fbf543611abfad66

                      SHA1

                      0d991ba8258c1035f08432ddfbcf33a6e39ca575

                      SHA256

                      19f426dea391079ffe24d1d1557f304516cb26941cbe52f50b70072e23294ae4

                      SHA512

                      c532fceb8f55cb18422c1d9a4a522022a1cf4b568b347510d815789330410cc73863121b8aad4b89c93ec4b0bcdbcf27456a26bb299e08fce6d560eb85a0d4f4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Flash6MovieV2.cu.mvx
                      Filesize

                      1016KB

                      MD5

                      7e9a230129b5f11e2b940cde1afad241

                      SHA1

                      292b8261740d813ef4c661127b1bb6573b8ef3d2

                      SHA256

                      9efcc0e68ef48cbfef9238ea914684b95555c76b0d5476eb1bab6120123def69

                      SHA512

                      0e209714f8ddefeb87bf274aa5ee29ca6105a551fc9c32cea244e20c7346be95b79eafb809db0036a70783b6c02be4a85268645230b261065093964d33b1ca58

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\MFPL7014.DLL
                      Filesize

                      896KB

                      MD5

                      b414d4ba7bfb6218ae6b224b46c81d60

                      SHA1

                      8282c38c13b477fbb2f3cc2a9d5ab2d4569e47a1

                      SHA256

                      94058fe5343d8d76d313998e1db44a0bedd47184b132fa6c3ace021cb665d703

                      SHA512

                      daa822502c781ccd6bcdc5a17d8d0b0f3f5a7b729811fb578934b64198a67078ccaff26aa20d3ca068b05e39a45e3f382b49b317bc45d92a2058bc6768049792

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Registry.cu.mfx
                      Filesize

                      10KB

                      MD5

                      73cb321b36b089d413c7f91b83b248c2

                      SHA1

                      b30809f44cc2581acb2df2fc437a43200e045b10

                      SHA256

                      1634a80cb09d33249fb16b34d0d0994c6af1a9099f1214a35e274357d1e87817

                      SHA512

                      2ce7162f6b09c26c2b54287d719524819455cdd3d6e6c13ffc54bf8ac11471bf0bb14b72363821cf95ca624c42d2c6f528d26fa77e076079e5d7272d39093560

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\System.cu.mfx
                      Filesize

                      15KB

                      MD5

                      d554bb095d096c52a8622d5db59fe91d

                      SHA1

                      a2249807a4321a9c8a8ae822909f50388dcd6721

                      SHA256

                      4390e1e3412f0ab9d342233b485c938da520eba570882ce5a67c7c5d591b6373

                      SHA512

                      22dea084eb794c62230f0a66ff4cccaca73af744edf89f2893e459307b82a852da8282cb6a58011e4ecea5318563312b126a4a34b702e93ae48e4c749b07ba24

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\mPlayer.cu.dll
                      Filesize

                      112KB

                      MD5

                      96638e85fb459e3415e38b6e1043ebc4

                      SHA1

                      b4c9839e489b2455e744b45210a2f4d1706b58d2

                      SHA256

                      a58ae284edc3b223c78dfe9536bfae239acead751a9de003b45512b249c1720f

                      SHA512

                      3abd926e8e779e74b7a441201f78cbc5c414bde3365e05d3c43320796f086cc2522e1f1cea557480e8ce9e089a88d03decd539c6cb79d7881bcffb874a8f176e

                      Download Submit

                    • memory/2152-26-0x0000000003700000-0x00000000037FE000-memory.dmp

                      Filesize

                      1016KB

                      Download

                    • memory/2152-33-0x0000000003800000-0x00000000039A3000-memory.dmp

                      Filesize

                      1.6MB

                      Download