hxxps://github[.]com/yon3zu/xReverse/releases/download/v1[.]4/xReverse-Trial[.]exe

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/yon3zu/xReverse/releases/download/v1.4/xReverse-Trial.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 578409.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
5036	msedge.exe
5036	msedge.exe
3940	identity_helper.exe
3940	identity_helper.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe
3752	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe
5036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 584	5036	msedge.exe	81
PID 5036 wrote to memory of 584	5036	msedge.exe	81
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 4104	5036	msedge.exe	82
PID 5036 wrote to memory of 1948	5036	msedge.exe	83
PID 5036 wrote to memory of 1948	5036	msedge.exe	83
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84
PID 5036 wrote to memory of 1632	5036	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/yon3zu/xReverse/releases/download/v1.4/xReverse-Trial.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf15a46f8,0x7ffbf15a4708,0x7ffbf15a4718
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4112 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,7092971905928599197,17002567376946269775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1440 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d81a2db422d5a5f41eef2ed4c850b97f

SHA1
3a7869055f499be8cf05d942824fb6d6668ae504

SHA256
b6dfc4a1084d1d9ac105620616320bb50041c90db60843c6040618cd299b2cff

SHA512
1eb7943f541c54542d7bdb76eff9690c214f866a54cfe18ecf9d2ca97eb50edc9c882920a2c10f6dd776fe455cdce7793073215cac2b5056abdbcf9e51e92a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19e99b2709ea910378d6477ad20575b5

SHA1
12a4859eddc7bb4849a8d8d971a30cb2c9dbf0bd

SHA256
a6a48d3b9662b3f3fad68a9689899e88b366c8bf3fa5eda39f4a6f15f8533f3a

SHA512
801fbdccd3bfcd74ad3ace9c4a705edbe52e6a17b07fe6fa74ff27e48b6dea5a969fc7cbda86b3a7dc55e7c4d7f2df689494efaf0be0465a49618b0343900b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f56ca6694610a339b82cbe5cac37f641

SHA1
d20fd063144a6b4c1ad894b64ce2693fe430800d

SHA256
4cfb2ecbaabde1dece2e0766a40846a632e3f2456db6968fec56933e5b5b2279

SHA512
a15e2388f84afab82f6276a2f449ce3d1cd357271cccd446dc82be26b0c519ffb88cd58e7fc0ea20dadb9e16b384d03a9bd8ebf51174a9c17d1daae3165abcfb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 578409.crdownload

Filesize
29.9MB

MD5
d247cef99c20bc6b9f62388b73f71234

SHA1
3cca6964952cbd1470eb28cc7c4f954785b3f6c2

SHA256
48a0dcd47b96dcf1a4d783d527787e2afba2bcd15273b3499c98bc3011a2ab23

SHA512
13bfa35d2c41b04c4996fbea4bf739a8b197501e99e2bab155b3e4268fb1ee6db5aec84d40767c5c1d3a0badc1653287352cdca5866693994e69038f079b8e93

Download Submit