hxxps://github[.]com/Varadskajgar/Owo-clone-bot-

Analysis

max time kernel
79s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
27/06/2024, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Varadskajgar/Owo-clone-bot-

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Owo-clone-bot--main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
1796	msedge.exe
1796	msedge.exe
1728	msedge.exe
1728	msedge.exe
2068	identity_helper.exe
2068	identity_helper.exe
1400	msedge.exe
1400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2076	1796	msedge.exe	77
PID 1796 wrote to memory of 2076	1796	msedge.exe	77
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 3180	1796	msedge.exe	78
PID 1796 wrote to memory of 888	1796	msedge.exe	79
PID 1796 wrote to memory of 888	1796	msedge.exe	79
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80
PID 1796 wrote to memory of 4540	1796	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Varadskajgar/Owo-clone-bot-
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0763cb8,0x7ffda0763cc8,0x7ffda0763cd8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,6167132514192279450,11357098159226923933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fb112678cf51571338b32926bae706c0

SHA1
204096a26d7028334f3363184f81f5f582470dac

SHA256
d5587acbd8bd3c10e8a1a4078115ca3c8005f2d77cdb9134fe7f7a28e45786be

SHA512
c846fef8b9344767766cc826dd0908b7da49c6e5b9c4f19bcbc92f18ae08d1669e64274750b71b68b7cc448810df9b8eab3c7e006ef33cd9697f03c8dea873f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
37baf21f6884d62dd3fae3bcac0e3f54

SHA1
86387f81e0e639f4b89ac148a2611dbe17c692e5

SHA256
fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be

SHA512
13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5788b27bf03c0e5b9ac26f97f3d3e3bd

SHA1
ed6fb0566947b2f7a3093318092c2ed5643b93ec

SHA256
6107f0d855d1afee44863721a8e0e035d950bbdaee0e9576c6afd9ad00e47f19

SHA512
0788d95249f8d558b6f72d071b81715a768c7800c8b6f14f4668cc9b61085f5698f3c1e1632ec9e2fc1e1ba7130634825e3d609c462c6995d54dbd820328d5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b69c10c61d6bc084c9621ac67b93942e

SHA1
f2b9178173cfdcce67258027bee9261383b82e86

SHA256
b7a48020024ec7d8064c1dc2d1ac49f1146c6aee5342fb0761b438cbd76c42e3

SHA512
91d21d2f2c487f21859644510bf0e082e00dfc5e285298f5f0bc331d2b7c0cb6d73c05c74686c74dbd056fef3b330d5f03cd089a1d96bb3a538c81f6984ee06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6d87975897bb4461794585ee5ac203a4

SHA1
962eb9a603f1772a3e5d6ed58841691962bcf67e

SHA256
2dcf7828d3c887608ff68f492b8bb2625a42d51d6dce379befc336f182b87cb0

SHA512
78dc2c90f9834402dbb5211824be5336285a4428f479eca5d9007af6f77b9e82935c1819ca5f8877a91a82091eea3a920205384df25f4debad7ac09384697337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b32ffbe34ebfad37bc577e764f354c51

SHA1
39636dd3d05f5c10b41d1da8192a5d2941a5e2df

SHA256
46db47b32dc61fd4bee8ef6678473574d6083a6ab5e462ef853f49d0851dc5f8

SHA512
8b8c33ea1c98ec50230f437471fd0f21f04e38c3003bdec40a21d2bb07dac19231350ea3890c7762744cd843ec228e562487f9aa685e8d7d43437e5783a7fcca

Download Submit
C:\Users\Admin\Downloads\Owo-clone-bot--main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 990408.crdownload

Filesize
13.7MB

MD5
2ed6d2254ec354a0403127a1b89229f7

SHA1
7aaf0e732b87c21f2ae3f0c6da83d603dd9bf8f6

SHA256
c93e08dd99cffefc503fe210527c1739c4c05e203963781677eb96a164bc854d

SHA512
2c628f094dfbe50c05075fb4621dd6d0cbfe5ac1905ac8dbaafe35f1c0b10087d092bd3ef3080b458ce4b7caba40f5e6ccf7574deb27d05c3f8ab50be321f491

Download Submit