Resubmissions

12-06-2024 13:22

240612-ql932swepd 7

12-06-2024 13:16

240612-qh6w8azdkm 1

Analysis

  • max time kernel
    159s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64  arch:x86  image:win10-20240404-en  locale:en-us  os:windows10-1703-x64  system
  • submitted
    12-06-2024 13:22

General

  • Target

    https://www.mediafire.com/file/8sz32gfyarcanrr/Software_for_cs2.zip/file

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs

    The dropped binary is C:\Users\Admin\Desktop\Cheat.exe (PID 4292), launched after the downloaded archive was opened in 7-Zip.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read browser profile data: saved logins, cookies, autofill entries and session tokens. This is a TTP match and is not attributed to a particular process in the process list below.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up entries under the Uninstall registry key to enumerate the software installed on the system.

  • Suspicious use of SetThreadContext 1 IoCs

    Attributed to Cheat.exe (PID 4292), which also calls WriteProcessMemory and spawns RegAsm.exe (PID 1608) with no arguments. That combination is the classic process-hollowing shape. It is an inference from the listed behaviours rather than a dedicated signature, and should be confirmed by checking the RegAsm.exe memory dumps for a PE header (the 608KB region at 0x00400000 in PID 1608 is where an injected image would normally sit).

  • Drops file in Windows directory 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI registry data is commonly read to detect virtual machines and sandboxes. In this run the only process flagged for it is taskmgr.exe (PID 3600), so here it is more likely a side effect of Task Manager being opened during the session than evasion by the sample.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs

    Flagged on browser_broker.exe (PID 4632). For a browser download this is most likely the Zone.Identifier (Mark-of-the-Web) stream written to the saved file, not sample behaviour.

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can register a task that runs an application at boot, at logon or on a timer, a common persistence mechanism. The signature is not attributed to a process in this report, so confirm on the analysis host (C:\Windows\System32\Tasks) before treating it as persistence by the sample.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service manages backups/snapshots; the WMI provider exposes it to scripts. Legitimate Windows components use it as well, and the signature is not attributed to a process here.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots; the COM API is the programmatic route to enumerate or delete snapshots. Not attributed to a process here either.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/8sz32gfyarcanrr/Software_for_cs2.zip/file"
    1⤵
    PID:4188
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:220
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • NTFS ADS
    PID:4632
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2344
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2392
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:5056
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1408
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Software for cs2.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3848
  • C:\Users\Admin\Desktop\Cheat.exe
    "C:\Users\Admin\Desktop\Cheat.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    PID:1592
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3600
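
An added example, not part of the sandbox report or its tooling: the process records above transcribed into Python, the tree rebuilt from the report's "N⤵" depth markers, and a heuristic that flags the injector-plus-argument-less-Windows-child shape that Cheat.exe and RegAsm.exe show. The record subset (two of the Edge content processes and the second browser_broker are left out) and the rules are this example's own assumptions, not sandbox signatures.

```python
"""Rebuild a sandbox process tree from its depth markers and flag the
process-hollowing shape: a parent that calls SetThreadContext and
WriteProcessMemory and whose direct child is a Windows-shipped binary
started with no arguments.  Added example; the records are transcribed from
the report and the rules are this example's own heuristics."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    behaviours: FrozenSet[str]
    parent: Optional[int] = None
    children: List[int] = field(default_factory=list)


# (pid, image, command line, depth marker, per-process behaviours), in the
# report's listing order.  Transcribed subset of the report's Processes section.
REPORT: List[Tuple[int, str, str, int, Tuple[str, ...]]] = [
    (4188, r"C:\Windows\system32\LaunchWinApp.exe",
     r'"C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/8sz32gfyarcanrr/Software_for_cs2.zip/file"',
     1, ()),
    (220, r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe",
     r'"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca',
     1, ("Drops file in Windows directory", "Modifies registry class", "Suspicious use of SetWindowsHookEx")),
    (4632, r"C:\Windows\system32\browser_broker.exe", r"C:\Windows\system32\browser_broker.exe -Embedding",
     1, ("Modifies Internet Explorer settings", "NTFS ADS")),
    (2344, r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe",
     r'"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca',
     1, ("Modifies registry class", "Suspicious behavior: MapViewOfSection",
         "Suspicious use of SetWindowsHookEx", "Suspicious use of WriteProcessMemory")),
    (1408, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
     1, ()),
    (3848, r"C:\Program Files\7-Zip\7zFM.exe",
     r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Software for cs2.zip"',
     1, ("Suspicious behavior: GetForegroundWindowSpam", "Suspicious use of AdjustPrivilegeToken",
         "Suspicious use of FindShellTrayWindow")),
    (4292, r"C:\Users\Admin\Desktop\Cheat.exe", r'"C:\Users\Admin\Desktop\Cheat.exe"',
     1, ("Executes dropped EXE", "Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory")),
    (1608, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     2, ("Suspicious behavior: EnumeratesProcesses", "Suspicious use of AdjustPrivilegeToken")),
    (3600, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4',
     1, ("Checks SCSI registry key(s)", "Suspicious behavior: EnumeratesProcesses",
         "Suspicious use of AdjustPrivilegeToken")),
]

# Both calls together are what a hollowing loader needs; either alone is common in benign code.
INJECTION = frozenset({"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"})


def build_tree(records) -> Dict[int, Proc]:
    """A process's parent is the nearest preceding record one depth level shallower."""
    procs: Dict[int, Proc] = {}
    stack: List[Proc] = []
    for pid, image, cmdline, depth, beh in records:
        p = Proc(pid, image, cmdline, depth, frozenset(beh))
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1].pid
            stack[-1].children.append(pid)
        stack.append(p)
        procs[pid] = p
    return procs


def has_arguments(p: Proc) -> bool:
    """True if anything follows the (possibly quoted) image path on the command line."""
    rest = p.cmdline.strip()
    if rest.startswith('"'):
        rest = rest[rest.find('"', 1) + 1:]
    else:
        rest = rest[len(p.image):]
    return rest.strip() != ""


def find_hollowing(procs: Dict[int, Proc]) -> List[dict]:
    """Injector behaviours on the parent plus an argument-less Windows binary as
    its direct child.  A hit is a lead to confirm from the child's memory dumps,
    not proof on its own."""
    hits = []
    for p in procs.values():
        if not INJECTION <= p.behaviours:
            continue
        for cpid in p.children:
            c = procs[cpid]
            if c.image.lower().startswith("c:\\windows\\") and not has_arguments(c):
                hits.append({"injector": p.pid, "injector_image": p.image,
                             "host": c.pid, "host_image": c.image,
                             "injector_is_dropped": "Executes dropped EXE" in p.behaviours})
    return hits


if __name__ == "__main__":
    for h in find_hollowing(build_tree(REPORT)):
        print(f"possible hollowing: {h['injector_image']} ({h['injector']}) -> "
              f"{h['host_image']} ({h['host']}), dropped={h['injector_is_dropped']}")
```

The argument-less check matters: RegAsm.exe, rundll32.exe and similar hosts do real work only when given something to act on, so a bare invocation spawned by an injecting parent is worth a look even when the sandbox has no dedicated signature for it. The Edge content process (PID 2344) also calls WriteProcessMemory but neither calls SetThreadContext nor has children, so it is not flagged.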

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize  4KB
    MD5       1bfe591a4fe3d91b03cdf26eaacd8f89
    SHA1      719c37c320f518ac168c86723724891950911cea
    SHA256    9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
    SHA512    02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\edgecompatviewlist[1].xml
    Filesize  74KB
    MD5       d4fc49dc14f63895d997fa4940f24378
    SHA1      3efb1437a7c5e46034147cbbc8db017c69d02c31
    SHA256    853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
    SHA512    cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\0KTTJW88\www.mediafire[1].xml
    Filesize  13B
    MD5       c1ddea3ef6bbef3e7060a1a9ad89e4c5
    SHA1      35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
    SHA256    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
    SHA512    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\0KTTJW88\www.mediafire[1].xml
    Filesize  1KB
    MD5       ab7b0082640e7a46f52babcddfb2b46f
    SHA1      314ff0cd4ba658bce57f6fe8060e549127fb66e6
    SHA256    9dea9c2f069746cc624f16078f06fb588e968748c32a1826a97481d74de9cbc0
    SHA512    c17a174be8918920bd6e787f601881be3b42e0644bf544574b9bba481f9fb2d775d3bc13d00bb1671ff08e2a739afb5ab9f6c76ec9193c8c0e87659ea4d3c6d5

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\O7NTE3LO\favicon[1].ico
    Filesize  10KB
    MD5       a301c91c118c9e041739ad0c85dfe8c5
    SHA1      039962373b35960ef2bb5fbbe3856c0859306bf7
    SHA256    cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f
    SHA512    3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YRZ6G88R\suggestions[1].en-US
    Filesize  17KB
    MD5       5a34cb996293fde2cb7a4ac89587393a
    SHA1      3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TJOPF5YG\Software for cs2[1].zip
    Filesize  32KB
    MD5       d630e5f3d039167474398493c0edc1be
    SHA1      c48fe11004f1fbe738855cc450c1d25867ce7d88
    SHA256    d360641f416d867a4b2543c68ea492073ee2adb2a7c3145e139f7e98a93a7f76
    SHA512    8eb27cfef56e17833b11cb885897bbc5c9e9eacd602c09bbd7be5c26218aa44dddbd75578a9c35461b4b0ee31d6aec2edcd468929ec1716669c5c4173d9d0d39

  • C:\Users\Admin\Desktop\Cheat.exe
    Filesize  841KB
    MD5       9a56c2963bf906217e0e57a101771dde
    SHA1      3d67cfd291e3b9d484e79d57b3ac80bf5b7f4ce1
    SHA256    b598614df4ec280a970f6685998e5eff8f8d761c53c40683172f03bd65716e61
    SHA512    3bd0c71d7a570946dcd2d608af9bac94dc40469d1dfa4e7d1c9dca69bdfc4ae21827a9067194524d95ce575b2b61c93df561a6beb8c76151265c7ce8a719350e

  • C:\Users\Admin\Downloads\Software for cs2.zip.9k8lvro.partial
    Filesize  14.2MB
    MD5       81979cdddf844820779dd26bc6f1e54f
    SHA1      bd6bbd6d9e176c4bff406486430f47a2f7cf0b9c
    SHA256    b4e18395fe4d1bc1d2f4c317f7c1be68708a6bf53b5c3e3027b1cbe4affe226c
    SHA512    7a2afb4a8c8a4df306a72bd6836615e3c629a5df16aafff258997c9b7f944ca94e9f568856d2ba821ad86d63d454fbeae750c9d64760607ad38567bce6f64bff

  • memory/220-417-0x0000026885B70000-0x0000026885B71000-memory.dmp    Filesize 4KB
  • memory/220-416-0x0000026885B50000-0x0000026885B51000-memory.dmp    Filesize 4KB
  • memory/220-35-0x00000268844D0000-0x00000268844D2000-memory.dmp     Filesize 8KB
  • memory/220-16-0x00000268FF320000-0x00000268FF330000-memory.dmp     Filesize 64KB
  • memory/220-0-0x00000268FF220000-0x00000268FF230000-memory.dmp      Filesize 64KB
  • memory/1608-1579-0x00000000099C0000-0x0000000009A36000-memory.dmp  Filesize 472KB
  • memory/1608-1575-0x0000000008750000-0x0000000008762000-memory.dmp  Filesize 72KB
  • memory/1608-1573-0x0000000008C80000-0x0000000009286000-memory.dmp  Filesize 6.0MB
  • memory/1608-1572-0x0000000005800000-0x000000000580A000-memory.dmp  Filesize 40KB
  • memory/1608-1571-0x0000000005740000-0x00000000057D2000-memory.dmp  Filesize 584KB
  • memory/1608-1570-0x0000000005D40000-0x000000000623E000-memory.dmp  Filesize 5.0MB
  • memory/1608-1569-0x0000000000400000-0x0000000000498000-memory.dmp  Filesize 608KB
  • memory/1608-1574-0x0000000008810000-0x000000000891A000-memory.dmp  Filesize 1.0MB
  • memory/1608-1576-0x00000000087B0000-0x00000000087EE000-memory.dmp  Filesize 248KB
  • memory/1608-1577-0x0000000008920000-0x000000000896B000-memory.dmp  Filesize 300KB
  • memory/1608-1578-0x0000000008AB0000-0x0000000008B16000-memory.dmp  Filesize 408KB
  • memory/1608-1580-0x0000000008C20000-0x0000000008C3E000-memory.dmp  Filesize 120KB
  • memory/1608-1582-0x000000000B160000-0x000000000B68C000-memory.dmp  Filesize 5.2MB
  • memory/1608-1581-0x000000000A6D0000-0x000000000A892000-memory.dmp  Filesize 1.8MB
  • memory/2392-45-0x00000211C9140000-0x00000211C9240000-memory.dmp    Filesize 1024KB
  • memory/5056-256-0x0000022E7B790000-0x0000022E7B792000-memory.dmp   Filesize 8KB
  • memory/5056-430-0x0000022E7B7C0000-0x0000022E7B7E0000-memory.dmp   Filesize 128KB
  • memory/5056-477-0x0000022E7AAA0000-0x0000022E7AAB0000-memory.dmp   Filesize 64KB
  • memory/5056-482-0x0000022E7AAA0000-0x0000022E7AAB0000-memory.dmp   Filesize 64KB
  • memory/5056-480-0x0000022E7AAA0000-0x0000022E7AAB0000-memory.dmp   Filesize 64KB
  • memory/5056-396-0x00000226112F0000-0x00000226112F2000-memory.dmp   Filesize 8KB
  • memory/5056-353-0x0000022E7A880000-0x0000022E7A980000-memory.dmp   Filesize 1024KB
  • memory/5056-298-0x0000022E7E480000-0x0000022E7E4A0000-memory.dmp   Filesize 128KB
  • memory/5056-279-0x0000022E7CD00000-0x0000022E7CE00000-memory.dmp   Filesize 1024KB
  • memory/5056-280-0x0000022E7CD00000-0x0000022E7CE00000-memory.dmp   Filesize 1024KB
  • memory/5056-261-0x0000022E7BEE0000-0x0000022E7BEE2000-memory.dmp   Filesize 8KB
  • memory/5056-263-0x0000022E7C0E0000-0x0000022E7C0E2000-memory.dmp   Filesize 8KB
  • memory/5056-270-0x0000022E7C7E0000-0x0000022E7C7E2000-memory.dmp   Filesize 8KB
  • memory/5056-272-0x0000022E7CF80000-0x0000022E7CF82000-memory.dmp   Filesize 8KB
  • memory/5056-274-0x0000022E7CF90000-0x0000022E7CF92000-memory.dmp   Filesize 8KB
  • memory/5056-277-0x0000022E7CFB0000-0x0000022E7CFB2000-memory.dmp   Filesize 8KB
  • memory/5056-265-0x0000022E7C100000-0x0000022E7C102000-memory.dmp   Filesize 8KB
  • memory/5056-259-0x0000022E7BED0000-0x0000022E7BED2000-memory.dmp   Filesize 8KB
  • memory/5056-195-0x0000022E7C500000-0x0000022E7C520000-memory.dmp   Filesize 128KB
  • memory/5056-119-0x0000022E7B660000-0x0000022E7B680000-memory.dmp   Filesize 128KB
  • memory/5056-58-0x0000022E7A400000-0x0000022E7A500000-memory.dmp    Filesize 1024KB
  • memory/5056-64-0x0000022E7ABE0000-0x0000022E7ABE2000-memory.dmp    Filesize 8KB
  • memory/5056-66-0x0000022E7AD00000-0x0000022E7AD02000-memory.dmp    Filesize 8KB
  • memory/5056-68-0x0000022E7ADC0000-0x0000022E7ADC2000-memory.dmp    Filesize 8KB
  • memory/5056-60-0x0000022E7A400000-0x0000022E7A500000-memory.dmp    Filesize 1024KB
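
An added example, not part of the sandbox report: a parser for the artefact listing above in the flattened layout the page uses (a "•" line naming the file or memory dump, then field name and value on alternating lines), with the two checks an analyst wants before lifting indicators from such a page: that every hash has the right number of hex digits, and that each memory dump's reported size agrees with its address range. It then separates what is actionable (hashes of files written outside browser and certificate caches; dumped regions at the conventional PE image base of the suspected hollowed RegAsm.exe) from browser-cache noise. SAMPLE is a constructed excerpt copied from the listing; CACHE_DIRS and the 0x400000 image-base heuristic are this example's own assumptions.

```python
"""Parse a sandbox 'Downloads' listing (dropped files with hashes, plus
memory-region dumps), sanity-check it, and extract actionable indicators.
Added example; SAMPLE is a constructed excerpt in the page's own layout."""
import re
from typing import List, Tuple

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\O7NTE3LO\favicon[1].ico
  Filesize
  10KB
  SHA256
  cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

• C:\Users\Admin\Desktop\Cheat.exe
  Filesize
  841KB
  MD5
  9a56c2963bf906217e0e57a101771dde
  SHA256
  b598614df4ec280a970f6685998e5eff8f8d761c53c40683172f03bd65716e61

• memory/1608-1569-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize
  608KB

• memory/1608-1573-0x0000000008C80000-0x0000000009286000-memory.dmp
  Filesize
  6.0MB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20}
# Assumed cache locations (lower-cased substrings); files here are browser side effects.
CACHE_DIRS = (r"\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\ac",
              r"\appdata\local\microsoft\windows\inetcache",
              r"\appdata\locallow\microsoft\cryptneturlcache")


def parse_listing(text: str) -> List[dict]:
    """A '•' line starts an entry; following non-blank lines alternate field/value."""
    entries: List[dict] = []
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # the page's blank spacer lines carry nothing
        if line.startswith("•"):
            pending = []
            entries.append({"name": line[1:].strip(), "_fields": pending})
        else:
            pending.append(line)
    for e in entries:
        fields = e.pop("_fields")
        if len(fields) % 2:
            raise ValueError(f"unpaired field in entry {e['name']!r}")
        e.update(zip(fields[::2], fields[1::2]))
    return entries


def size_bytes(text: str) -> int:
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable size {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def check_entry(e: dict) -> List[str]:
    """Transcription checks: hash digit counts, and for memory dumps that the
    reported size matches end - start (the page rounds sizes, so allow 5%)."""
    problems = []
    for algo, n in HASH_LEN.items():
        v = e.get(algo)
        if v is not None and not re.fullmatch(rf"[0-9a-f]{{{n}}}", v):
            problems.append(f"{algo} is not {n} hex digits")
    m = MEM_RE.match(e["name"])
    if m:
        actual = int(m.group(4), 16) - int(m.group(3), 16)
        reported = size_bytes(e["Filesize"])
        if abs(actual - reported) > 0.05 * actual:
            problems.append(f"range is {actual} bytes but Filesize says {reported}")
    return problems


def actionable(entries: List[dict], hollowed_pid: int) -> Tuple[dict, List[Tuple[str, int]]]:
    """SHA256 of files outside the cache dirs (blocklist candidates) and dumped
    regions starting at 0x400000, the usual image base of an unpacked PE, in
    the suspected hollowed process.  Match on SHA256, not MD5/SHA1."""
    files, regions = {}, []
    for e in entries:
        m = MEM_RE.match(e["name"])
        if m:
            pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
            if pid == hollowed_pid and start == 0x400000:
                regions.append((e["name"], end - start))
        elif not any(d in e["name"].lower() for d in CACHE_DIRS):
            files[e["name"]] = e.get("SHA256")
    return files, regions


if __name__ == "__main__":
    ents = parse_listing(SAMPLE)
    for ent in ents:
        for problem in check_entry(ent):
            print("WARN", ent["name"], problem)
    print(actionable(ents, hollowed_pid=1608))
```

The size cross-check catches the most common copy error in hand-lifted IOC lists (a truncated or shifted address), and the 0x400000 region in PID 1608 is the one to carve and inspect for an MZ/PE header before concluding that RegAsm.exe was hollowed; the 608KB size agreeing with the range is consistent with, but not proof of, an injected image.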