Analysis
-
max time kernel
105s -
max time network
125s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
11-06-2024 12:41
General
-
Target
https://gofile.io/d/8fm66E
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/8fm66E1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9e363cb8,0x7ffe9e363cc8,0x7ffe9e363cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,5289463928326005325,13513503185571003997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\freedom.v0.94.3\freedom_injector.exe"C:\Users\Admin\Downloads\freedom.v0.94.3\freedom_injector.exe" C:\Users\Admin\Downloads\freedom.v0.94.3\freedom.dll1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Users\Admin\Downloads\freedom.v0.94.3\freedom_injector.exe"C:\Users\Admin\Downloads\freedom.v0.94.3\freedom_injector.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD51e4ed4a50489e7fc6c3ce17686a7cd94
SHA1eac4e98e46efc880605a23a632e68e2c778613e7
SHA256fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
SHA5125c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28
-
Filesize
152B
MD58ff8bdd04a2da5ef5d4b6a687da23156
SHA1247873c114f3cc780c3adb0f844fc0bb2b440b6d
SHA25609b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
SHA5125633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e
-
Filesize
288B
MD568d1605d56836a5d1cb0d30146c5bb9c
SHA1b57d4841af8319145f834c534e75baf2cde39abe
SHA2564508fec5b9157a7ae65dd2071bf2d968ec4d5282aea0368981289fe73b3c1d2b
SHA512c0fb90fe95b67768535f36d69a629b576d9013963d7408985a62f1cd8e30d0fbb792852d0b83d43be0a33a508bdc20cbedb332919e5452b4221adf9a15adfb19
-
Filesize
317B
MD5afc6cddd7e64d81e52b729d09f227107
SHA1ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a
-
Filesize
5KB
MD5c5027f9a217d28ebeefa03819d776e09
SHA114f737d4d6029fa8a50045e79fbb7a349f76a446
SHA256b7abbe7d82a84d173cd44b4fadd32eaad76018da4c09ef3306d3b6a69adeed7c
SHA512f1ec5711979c37dd7b14c3c72a1ec6dec504234fdd21ad6a7b2ad9283de47f137ef70daa3e52daaa559c585d20eefce934cdad81220bf0649be09cdc4e7c1fd0
-
Filesize
6KB
MD52447862fce4f8a9536314b37bf2f77b2
SHA18dd664fd7b46a91cb005829a7702e12a1f1529ed
SHA2567947cf57769de8b6bbccef23bc73228d02479ed94e66bb2199ef737a3d802d94
SHA5120f0c6b4ce9f0300827a4fb0d29914bb1f4adebc5c8f42824c339a915a14d6f86de08f7608623b73dc1ba4120941386e7ef1650848c72da37b2ba37b41411032e
-
Filesize
6KB
MD5d1dae53bb3dd98535aa5900419e0f8d1
SHA1cf53e23e1220cba1053634ababdffb50e2f68970
SHA256ad27e3234386e8ec39779782d0faab4a76d6bf6cb97d1d3773518395fb12fb85
SHA51296ff4ebe884f3f5e5dd2144de4bd661e6f6a13780f7dfc924bfd6c53955ce5363f22692a34048c7ce5cb44ea6d04eff7a7bad8c6c257b87858d960b0b9dcc1c0
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD539cfcd8ccd4f5b45ea1e4c2d3dc85a60
SHA19fc99c612178de5de99e482cc4103a0ed0c69f87
SHA2568a24d72b2bc7ba5c86648fd4b7b07594b05ce6d0953148de5cf809db0b8b8c82
SHA51296c9fffa6b825d146d2d9166e90143dd0b40df70444eddf8d75316af6b6243f9e0994ddda698a8f2b2f63d8f66a8ff70df6b0c482663b4aac23bda2690626b5d
-
Filesize
11KB
MD5794c0f888dbe8b07561644e76bf00259
SHA1adeed3adf1c40aef1ac334ae1a405e29508d44ff
SHA2560f191d97482625910a431854ce809e4ba3b4d648e34b206f00f989f039eda7e5
SHA512712b59661906889b2c6c224e090c4e924d1e7c2c1a351891be655a43f03df22eda5c905d3eac78f1f9ce68b649896ca6f346d7edbb268144fc5ac60cb1fb228c
-
Filesize
10KB
MD52f23663111658be2ba0b273463ff5e60
SHA1c2af77369b83a0177bfdb90c11fad4c5f897a983
SHA256eab4709a1ad32b0b87a53d307893899eb3ee26c6a59a1b34fe83062c79817513
SHA512e0fdfe555a47709cbf14c4c22498c89c3e8fd61c5b40806b9dd06aee20fbdcd3d9c4f7861d1183df15e9c64ed25828f97c8292bc6b4a700d3d4586433bf45bd8
-
Filesize
507KB
MD52b49f6b23abf94845925fed00a57d515
SHA14d3212fc74d5fb13f83f4d990c47165e70e4dc65
SHA2560db433e95fedaa65bf599771a91a55ad495c78bc00e81201e937429fd98559aa
SHA51265b7d809096becf1ccab3e62f3cce6b41ebec651fc60a0928f3e7b9045da1d844bd059e1a18ed0863eb4b2bcdfa8ac8b201758a33a3cc4ef150c3025e15a9e1b
-
Filesize
163B
MD507db9d87cff0065606d329a38f7b6c12
SHA1302fa1587909c53a8c781e7ebd3c7c86381b4dc9
SHA2561f85afac2dabb1af360c790e5a757c0390a3b0ad80c61ec5787818134604d02d
SHA5125a4fa5bbb4ade07afe67539856ddf40006d78e9e7a2f7b25f339b16583310386e4946e4b8baaad031cf181e4ab77f9d028241bcaa78c9a872fdc1c4c5ae7b29a