Resubmissions

21-08-2024 19:30

240821-x76q3sweqg 10

21-08-2024 17:42

240821-v92h2avgpj 10

12-06-2024 16:01

240612-tgps4a1bqh 10

Analysis

  • max time kernel
    51s
  • max time network
    65s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-06-2024 16:01

General

  • Target

    c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

  • Size

    856KB

  • MD5

    733766ff5495f04d82744291993eb69e

  • SHA1

    2830778313fd7fccc6c8129d419b1757368078fd

  • SHA256

    c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef

  • SHA512

    cf3bf548e743894888ba3ea191a289f09d9f36215e1306aa21e61f0ea81473eec6df01a6e7f05f9251ecb9cc71c654934a53d4916c4152bf8fa4a95119e98cf2

  • SSDEEP

    12288:0zqKbHTadreUv6e2faqsW8lEsbjwepi8K2cE4b5wxH5/uek6JA6QfmpFiMtMv7u3:yPaFnCec8vj1p7pc5bQZ/uesmoqt7jF

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
    "C:\Users\Admin\AppData\Local\Temp\c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc778b3cb8,0x7ffc778b3cc8,0x7ffc778b3cd8
        3⤵
          PID:4304
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
          3⤵
            PID:1152
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1248
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
            3⤵
              PID:3020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
              3⤵
                PID:1884
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
                3⤵
                  PID:2604
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
                  3⤵
                    PID:3852
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
                    3⤵
                      PID:1208
                    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1648
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2844
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                      3⤵
                        PID:4880
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                        3⤵
                          PID:3844
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
                          3⤵
                            PID:2736
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,10536338290697686440,15481697426209226525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
                            3⤵
                              PID:4320
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3000
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1744

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              2dfecbb576ee9795c5284da8a2a3c7f5

                              SHA1

                              f1f0a6a97850aca2b4ab267a017564af02f24948

                              SHA256

                              dca6901942fa748fc01339192c0738a06847d8497c9c61298f1e5df1f8352fb0

                              SHA512

                              d664cc261113427810dd0b2d32763ddd08611a528fe6b285782d6b8ac03304b72a90fe7f3f7142e825ab8d948d5c9cf52f420546f3796b2ac23f3d00f3c17389

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              6486ee9e961a437dadb68ff1544d18a8

                              SHA1

                              05f4daccca0bc1ce73fe71ad2325ba5dadd3df25

                              SHA256

                              9a98b4686c9e90672a548c873943b3027fb111f7992263111d912318429f5834

                              SHA512

                              ee3659f68a46f37f340f98b85a7aa289e700c5ced2a4f0104673bb5f18cc82d1e9b838ec0278407213c6ed2073998e7aad78a7a39390b7e460c8e26dfa91d0e9

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              55497ae7add1841f4511d33c549a848c

                              SHA1

                              b9ea59e5389bd471fde4fd9c3ed18a7ea4fd0489

                              SHA256

                              9e8400a83fad8741d1b60217993902dbfb87a8f2dad03a8f7325942cc2234874

                              SHA512

                              7487f0ba05a7ba19a459e77ebf23571c0e022ebca250e0b3b699674c6d3dea9faa5e67d63c1b5a2f4b8d3abec31e2472658620c5e4e21e53138d76e050f5769c

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              c5c596f1adcf7715c4f329da771cceb5

                              SHA1

                              b668cca0308d6a898d7de26644d878201161321c

                              SHA256

                              cc37e42650c3293e2f3a233e5fe5cb74634cd3bf1e39e2c05cf42e7c12709d12

                              SHA512

                              f00e98891280ee99639648d6f907ad56142848c8cb846db470f8c11d17a0319d02c72f3539c4dfed72b53907f408c36d3bde1c1fba5e7a6f1bc0215c7207a528

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              206702161f94c5cd39fadd03f4014d98

                              SHA1

                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                              SHA256

                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                              SHA512

                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              46295cac801e5d4857d09837238a6394

                              SHA1

                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                              SHA256

                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                              SHA512

                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                              MD5

                              a21537a546206faeabcbf29335545bd6

                              SHA1

                              2e275dc6b5e6423111c7047e53f737711cdcf74c

                              SHA256

                              97f6996b9838ec424a0c73e82331adf83947c882ea9fe6dd4e624fce72a6e0e3

                              SHA512

                              26d5ff44e53051d0fb177b324934f0f4692173f92c6007d9ecc5e46148e441a30f5b8d8b2b8d3405f046c5da80026861c013fdbde144cd95f5704498d9318d33

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                              MD5

                              9c7d4b9d13439478c2adcea9d9bc8cc1

                              SHA1

                              c5224798dca4591d6d8eb2b2f609450c2d89b567

                              SHA256

                              b539e3f110ac350f3fa4d2d76c1249b0ff8411c833370e5cbfa2e582ad8330ca

                              SHA512

                              dbaf238953e65b493973c3a7916fc727f2e49edd6847e6b0033e67217f2296ea70f131a676f30729bf72e19f5ba1bffb8553ee6def2bee3c285f5c3719652291

                            • C:\Windows\csrss.dll

                              Filesize

                              655KB

                              MD5

                              7dd38f8951c2fa66a1291c7d297e1947

                              SHA1

                              a3feb1be32160c5196bba30830c1543958ac0045

                              SHA256

                              c6e185606e9ed62db354b8b8a298f470c01dcce8c5a4f409bfc5b918b5fd1c09

                              SHA512

                              cf6575bbcf7c8442e98d3e05519c79eb58a1e268acd1b66ce1fd8e9e8192a3791ce02474e5a41c4848644806dbeccb40dba93e6ad57bb37a5fa78528df0536f6

                            • \??\pipe\LOCAL\crashpad_988_GCUYYPUQRUIFQKEW

                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            • memory/4452-30-0x0000000010000000-0x00000000100B8000-memory.dmp

                              Filesize

                              736KB

                            • memory/4452-29-0x0000000010000000-0x00000000100B8000-memory.dmp

                              Filesize

                              736KB

                            • memory/4452-34-0x0000000000350000-0x0000000000434000-memory.dmp

                              Filesize

                              912KB

                            • memory/4452-0-0x0000000000350000-0x0000000000434000-memory.dmp

                              Filesize

                              912KB

                            • memory/4452-28-0x0000000010000000-0x00000000100B8000-memory.dmp

                              Filesize

                              736KB

                            • memory/4452-27-0x0000000010000000-0x00000000100B8000-memory.dmp

                              Filesize

                              736KB

                            • memory/4452-24-0x0000000010000000-0x00000000100B8000-memory.dmp

                              Filesize

                              736KB