Analysis

  • max time kernel
    98s
  • max time network
    93s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    30/06/2024, 17:19

General

  • Target

    https://cdn.discordapp.com/attachments/1193268220015153298/1257017374381572220/Funni_Game_1.zip?ex=6682e028&is=66818ea8&hm=290da57df7d70760983939df2c9f9eb947878930aa65a3109b8005881fd09c3b&

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://cdn.discordapp.com/attachments/1193268220015153298/1257017374381572220/Funni_Game_1.zip?ex=6682e028&is=66818ea8&hm=290da57df7d70760983939df2c9f9eb947878930aa65a3109b8005881fd09c3b&"
    PID:4684
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:992
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    • Modifies Internet Explorer settings
    • Modifies registry class
    • NTFS ADS
    PID:196
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4380
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2244
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies registry class
    PID:3656
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Drops file in Windows directory
    • Modifies registry class
    PID:2128
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2276
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4172
  • C:\Windows\System32\SystemSettingsBroker.exe
    C:\Windows\System32\SystemSettingsBroker.exe -Embedding
    PID:5028
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s SstpSvc
    PID:2924
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
    PID:4388
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3684
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s RasMan
    PID:4412
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Funni Game (1).zip\Funni Game.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Funni Game (1).zip\Funni Game.exe"
    • Suspicious use of SetWindowsHookEx
    PID:2932
  • C:\Users\Admin\Downloads\Funni Game (1)\Funni Game.exe
    "C:\Users\Admin\Downloads\Funni Game (1)\Funni Game.exe"
    • Suspicious use of SetWindowsHookEx
    PID:2476
  • C:\Users\Admin\Downloads\Funni Game (1)\Funni Game.exe
    "C:\Users\Admin\Downloads\Funni Game (1)\Funni Game.exe"
    • Suspicious use of SetWindowsHookEx
    PID:3536

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E49JWOHD\edgecompatviewlist[1].xml
    Filesize: 74KB
    MD5: d4fc49dc14f63895d997fa4940f24378
    SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
    SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
    SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PXKUCEFM\Funni%20Game%20(1)[1].zip
    Filesize: 29.0MB
    MD5: 2be87accd2d42d82497353ee0e838910
    SHA1: 8ad4987438d04496e1b9c5736bc29050e3484d23
    SHA256: 8ee9b22b75f390d5c570d5c2f57a0aa21328f79308ee8b3cb87ebfa43669be9b
    SHA512: 40b24338b32672e9d885138ffe3424b9a0ebe7bb5c0cc8ca2776c5c2eb00aa397abbad0501cee9d308817be06ace8a93b387102f408fc371cfcf5c6395b467e6

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RUKV4CIT\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PXKUCEFM\Funni%20Game%20(1)[1].zip
    Filesize: 78KB
    MD5: a1a674360b60e80e37db16e0b29f5e01
    SHA1: 8f15143c61823c71aa7a677a697fab51d36bb9fc
    SHA256: ee3f3510f161401e041d8c77150fd1aedbc699e75f65f20efe07f3666214f8bf
    SHA512: f7c04eb7ecaf13009c4b93bfe6871d5865a4f717defaa2eb1b8299653184744bde12cd17bb176bb3df2f82fabda79fd18ac5cb492aaff5999b2745f6bf7dfc87

  • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Z7KMKU3H.cookie
    Filesize: 223B
    MD5: 5edae368cb903068e04b8e1f6e5018f7
    SHA1: 35d7dea29ab593332adc7bbc100165f1969023fc
    SHA256: 3a33924c64519b0fea61d3eb15c5ec1d9fadc5d0a9e3272a3fe0814f1e76a8f0
    SHA512: c5d8f117c4a5174fbe96225b59516fda17ed31d33f5bc649fd0953615310350b0324bd9bd64af3899f60b482aa7790e1b41bfa4e35af5b224fd12ff401b12988

  • C:\Users\Admin\AppData\Roaming\Godot\app_userdata\njo;\logs\godot.log
    Filesize: 304B
    MD5: 82d64dc11f83c988d1d3ddcf292e3233
    SHA1: 7c5f765110b21d6da7943d08bdc2b05e867db167
    SHA256: 117cec9bd537a8acb332343f7dd406bdc969a74fc543cf234b82f0988be2ed39
    SHA512: e42d84cde1134396cc66073256f8d2fbc2db06a97a52bf59d697ec4f9af5a50a33437385ee1eb3ea9e2496ba0bb3626fb0267ba75dea337a17dc60924a2da094

  • C:\Windows\INF\netrasa.PNF
    Filesize: 22KB
    MD5: 80648b43d233468718d717d10187b68d
    SHA1: a1736e8f0e408ce705722ce097d1adb24ebffc45
    SHA256: 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
    SHA512: eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

  • memory/992-130-0x00000275E50A0000-0x00000275E50A1000-memory.dmp
    Filesize: 4KB

  • memory/992-121-0x00000275E6600000-0x00000275E74C2000-memory.dmp
    Filesize: 14.8MB

  • memory/992-129-0x00000275E5090000-0x00000275E5091000-memory.dmp
    Filesize: 4KB

  • memory/992-16-0x00000275DE920000-0x00000275DE930000-memory.dmp
    Filesize: 64KB

  • memory/992-35-0x00000275DBE60000-0x00000275DBE62000-memory.dmp
    Filesize: 8KB

  • memory/992-0-0x00000275DE820000-0x00000275DE830000-memory.dmp
    Filesize: 64KB

  • memory/2128-75-0x0000028238E10000-0x0000028238F10000-memory.dmp
    Filesize: 1024KB

  • memory/2244-45-0x0000029BD3D80000-0x0000029BD3E80000-memory.dmp
    Filesize: 1024KB

  • memory/2476-123-0x00007FF758AA0000-0x00007FF75DC30000-memory.dmp
    Filesize: 81.6MB

  • memory/2932-118-0x00007FF73AC00000-0x00007FF73FD90000-memory.dmp
    Filesize: 81.6MB

  • memory/3536-156-0x00007FF758AA0000-0x00007FF75DC30000-memory.dmp
    Filesize: 81.6MB

  • memory/3656-64-0x0000018D199E0000-0x0000018D199E2000-memory.dmp
    Filesize: 8KB

  • memory/3656-59-0x0000018D195E0000-0x0000018D195E2000-memory.dmp
    Filesize: 8KB

  • memory/3656-62-0x0000018D199C0000-0x0000018D199C2000-memory.dmp
    Filesize: 8KB

  • memory/3656-57-0x0000018D19C00000-0x0000018D19D00000-memory.dmp
    Filesize: 1024KB