hxxps://cdn[.]discordapp[.]com/attachments/1223725326270468177/1231343811008004106/Rose[.]exe?ex=662579c9&is=66242849&hm=c011f78837066878f57051d8abb23a7eedf4f244c7f2622248c159680556d524&

Analysis

max time kernel
329s
max time network
333s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
27/06/2024, 11:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1223725326270468177/1231343811008004106/Rose.exe?ex=662579c9&is=66242849&hm=c011f78837066878f57051d8abb23a7eedf4f244c7f2622248c159680556d524&

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3856	msedge.exe
3856	msedge.exe
3684	msedge.exe
3684	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 480	3684	msedge.exe	77
PID 3684 wrote to memory of 480	3684	msedge.exe	77
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 4520	3684	msedge.exe	78
PID 3684 wrote to memory of 3856	3684	msedge.exe	79
PID 3684 wrote to memory of 3856	3684	msedge.exe	79
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80
PID 3684 wrote to memory of 1152	3684	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1223725326270468177/1231343811008004106/Rose.exe?ex=662579c9&is=66242849&hm=c011f78837066878f57051d8abb23a7eedf4f244c7f2622248c159680556d524&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe37193cb8,0x7ffe37193cc8,0x7ffe37193cd8
  2⤵
  PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,317644857842400897,3555170363766582316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,317644857842400897,3555170363766582316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,317644857842400897,3555170363766582316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,317644857842400897,3555170363766582316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,317644857842400897,3555170363766582316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,317644857842400897,3555170363766582316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2628

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4072

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c14f5aa0a516b6744f67dd5e82a34a3c

SHA1
5826e478ae21702313e6fdb10c087102613cceff

SHA256
d83f2e7982d17e1ceba895399be00afab61662ed123b190d8b246651795bc4ee

SHA512
65a0bc40e89be57e0390c380465a1884977981e5705bbf9980cfd26a56b6531dec1fa5cf5048222f97caa745b0c1183763165f0d438da59f855998f60e490338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bfe83a4f5775bcb467add4bf5188ad64

SHA1
7151929c27693e3a2e9bdbcc8bf421e3cb9cd602

SHA256
1ab09506243bdd3719af6f098f56acfb194e1842f1d68273f549557f41118c73

SHA512
4a7504767f792de8dda4ceb6c6f99d2048e520379baeb33783b8325ae10bdf6039650e7bc7a97a03ab71e73c80cd0b1dff1f0319a24de28420a425a67afcea67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bc27cf05ad94860b0242e50814eb1be4

SHA1
1cc081c7f70505123d9a2f5a09bfc1a3798adb75

SHA256
3c74d18e58e1f7ff0b3a6dcca5d9f45204a3a57b4cb93bbc6798fd2af5976683

SHA512
fe3169fc03fee2d5ccf1d9d2f396e6b887057b637fecadcf87b8785de5ce7d07bf5dfbec85509c5c09c5033aeaf3713e7eb08b04a79046158310f79f64118994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit