Analysis
-
max time kernel
68s -
max time network
72s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
10-07-2024 22:22
General
-
Target
https://github.com/DuckySploit-Rob/DuckySploit-Rob
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/DuckySploit-Rob/DuckySploit-Rob1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffa28fa3cb8,0x7ffa28fa3cc8,0x7ffa28fa3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4772 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5384 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4791639516175768392,8570993159692574257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54656c526f71d2c1122865ef7c6af3ff5
SHA161684265064c225f323d304931ff7764f5700ac2
SHA2567172417b8464d5c2f52edfc867f4d83e475b58fd316b1916cdde30ed5bdde80e
SHA512c3e4fc0baa216ef561a448e42378af01a50e0ebd9b5fe554c9af0ea3362b9ca2f4a1b99cfab66c18df085250dd7a5ca1b01ab256e28156d657c579f5518aa56a
-
Filesize
152B
MD5bc5eae38782879246edf98418132e890
SHA146aa7cc473f743c270ed2dc21841ddc6fc468c30
SHA256b9dd7185c7678a25210a40f5a8cac3d048f7774042d93380bbbd1abb94d810d7
SHA51273680b22df232f30faa64f485a4c2f340ba236b5918915866f84053f06532b0a722c4ee8038af3689ac04db41277c7852f7a11a0a15833ef66bcc046ee28afb7
-
Filesize
85KB
MD5008d0ae10f41631bb124d78799baf5bb
SHA1cd5956db2574b3e718d8e87f3e4af79e2a3b5e0b
SHA256a0aee1664677fce87357ff299c236f12803be313c1838a312d779ccf1ce0e590
SHA512e4c1c5a8d88b6e0caa60b3c6ce02c05b0b2653c478a788d9d6c330d34439a5f91acecd67dc6baa4f40cf8f4cf21a684a13162562df8e2406cd06ac3145c6216e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
5KB
MD5f8854479bcda2bc34c355cf0ad15bf3d
SHA118529d64701a4a686338657a9255dd00a173ca26
SHA256c07f13a9e183f2d6079f92d0305b73565aa8ee77d16bc9ddb54d821127806ab8
SHA51264c6dd43399cee9ec7438c9e00826c74204804a28e77881fcfeb3f0c7d8e93eed1ea528ce1c672df121908045b05ce9d6fa0fd94063e2bcdc873bc842951a00b
-
Filesize
6KB
MD5455e47dea5e497784055494b54f9641e
SHA13773aa2c462049d13059712237dbb29e6144e407
SHA256481f6f5112a55d829c9685726ca2649271c8ece2b13a0c0326a0aba71bd6f898
SHA51294249cc04590f7b950f71e938b21e39facdb58cf3d8a333350d4333be63dccf39d8935cd77af30b8a596274bc9febbb337c5af6cd3f0d08af8471cad0cf6b278
-
Filesize
7KB
MD5eec625fe40fd707ebe1e6a6a631e9089
SHA1651ede429684d2cda70aa0aa6c2bded8636853a6
SHA2566845e8c6c96b6e80cb8a26152ed919a3ccc81f895663449b629dfa004cfebdca
SHA512a7d30ffed214f9d6c073731c545930965fcb84034e802e8323438cc977d957ee02ca05c9efb058f0a1c78ee2b2883c22f09f53ff40f5bc9948d1d7378b33bd63
-
Filesize
7KB
MD54dd73072e060a40d3b80129133f1f3bb
SHA14bcbd49169bdb12fa47212bd3801d465cd3a3782
SHA256876952c01df2770e143e1f3ec38213bb159c0aaaeb2075f2bd72bf37a870c46e
SHA5125e38f199f0698d4c9aaafc8540f14c0d40d228bcd3a7171b5d2b2622f755765dbddbede9a7326f0ee33a1284cc8238e70f851713e12cce6a7e7f5969922f765b
-
Filesize
6KB
MD5d518d19ebcae85a9658c0f126deae059
SHA17847e6a755918b22f799fb6cc4104dc7e2c13d58
SHA256f174b315b0a3d167596291c9b5cc7a17b75118ea97bf1a8b3b2fb70025fcef26
SHA512b1c8b1e23c27ebeff2ec6d64a0284a72864023da56cae1507e89e002075276d0329285931892f3664703eb81d7762d004ce2b8af4827bb0653ffc1d5e691d954
-
Filesize
240B
MD5dfd1b9386db05f8c1544987bd3297aa7
SHA1bf6ae1da901e42887482505cfdbf34fce6e2a39d
SHA256f865af5197f5e025582128d163b13f9c7d8c201997d161117bc3731cf8481e6a
SHA5122c83a04bd285f3add12191f87874789204dd592268778445410ceb40143b4a05acbacab95cabf9d070bcb5e175d7ef5799fad8096859f65c9d1a51bfd8fbe9cd
-
Filesize
48B
MD5cf7bb7f0041b4e4a026b97987067ed5a
SHA159737008362cafd4844c9757b040061ce5a0dc76
SHA256ef842356f2a7ce9c7f061a015b17bee297a8bc3586a2e7a1f627c90d4b22e690
SHA512f68bec59b14cf5960c17e1d3211d226c8b6f2e27404c1931321be220f0345de30832f9c964cf6f50533426a329d40edfe9919e997e875c334803ffb6286fdb72
-
Filesize
2KB
MD549a8f44843597bdd7377f2a9306c3efd
SHA160827c232816904ac7844ccc2c5eec8d7de46aed
SHA256d9fe618e5dceb027545b59c8514948a11cd560a94dfa2252e56f3ed2b480bf94
SHA5125c15e49fe54c6d400cfdfa036d22a18102c176df5a753c4e9891d7ce2acec8d4119feefcf78d976c58cd29fd448de16fef349225a9d10f15c4a5daf479757f03
-
Filesize
4KB
MD56cf21fc4c07a718863e58e13debdc2e3
SHA15673079b24b57979a830eec25885e050ee33efc9
SHA2565860ce7a8e898866c350a795690f33d81509b1151c73930a2cbc60dd586b245c
SHA5122da74678048409f10fcac1786fddb533be9617101dae1a56f572b344509f00e4eadb3c8ccb9178829fba8f661c1832a5c6348cb12a7b8b8e59673f6e3c686355
-
Filesize
1KB
MD5345817dcfefbe84d481d82578c6d1847
SHA1371c5f1ad2d23160d412c61a8fc7521e12b22d95
SHA256037fecbadfe0ccc5c1d908c6220b743586582b691d524f79c127038dfd748d99
SHA5125ff18494a0435d632813f460dfeb4760ee2692e49864b7e8be16e6525af0e1c8783a95af5a3d14f17bf22f33023125207ffe3ad07534794cf1fbb6d382d606c7
-
Filesize
3KB
MD5c6101666ae4e0395bc388b0f543a2515
SHA1f7663b49c8389efbe07383cf193ffa18c1f10c9b
SHA256c9d39c052095598a0fb52b11b208c6f7963524a02eab6e6172dbc5a2cfc70f02
SHA512ccdd7470d78ae73a587069db849891909d870dc66b994dc5eae80566aa69325676e92e03065e019593674602da82ce92d61c0b71ef9f725cea9b52b556b02182
-
Filesize
1KB
MD54c1937b93cf1c72ce55cd61a4c5b2fea
SHA197195b936dc95fa06dd0a5dd1626e4e50b7d0236
SHA256306e3c1537f505a85aca424b199836a89603859e56a64657ef6ee7816e0df9f4
SHA5127f940e0dc72b968e3979dfff028bbcd18f1a9e8c2cbef5a0c79b14cb7ad2b8b206e873b80e2f86848ad74aa78ab3b2cbdf92b41ceefd43a1802d092205d4d588
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD510a3d0361f7aa4ed4af1aa3c4e3c8a8a
SHA1c10b14b20ae17c58a51020862331b5df4721398b
SHA2560fab05386cf7c02cb04bf3952e85394969306bae3f2c05537165bfd48d762eaa
SHA5124581ad243baf0ff291c51e75b0fcf44104f954fba06a063774c50aac1ea3fffec6b2b160224b80b93c63922c6bba09db590cf1193ec9da46b5b6881f07a53725