34cf949998994c16a7ece60be189cc683cf7004c67d7c87a6ea3b2e212538c5c

Analysis

max time kernel
92s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 15:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

jokar.zip
Size

83KB
MD5

e1614f0f8f1a13ea0550a01231ccf04d
SHA1

217ff8316be973d8c25b6e55ef4c9e7f2ef28156
SHA256

34cf949998994c16a7ece60be189cc683cf7004c67d7c87a6ea3b2e212538c5c
SHA512

1365b5096f7e6090574042a11964580ffce9b5903515ef7a78b52b0c7e14c0fbe9d8078ea25e03e3f4293bfdc96fdba4407713af188e133a6ebb962ca3b92a26
SSDEEP

1536:mWJb+FO/3+SdIeA4FZ4jIuPlVFVholaPnL12LSA3fJH/VyQD6:mW5c4+eAMuPnzholq12GEfJfVZD6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe
2088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3468	2088	msedge.exe	81
PID 2088 wrote to memory of 3468	2088	msedge.exe	81
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1948	2088	msedge.exe	82
PID 2088 wrote to memory of 1764	2088	msedge.exe	83
PID 2088 wrote to memory of 1764	2088	msedge.exe	83
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84
PID 2088 wrote to memory of 5092	2088	msedge.exe	84

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\jokar.zip
1⤵
PID:604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff895003cb8,0x7ff895003cc8,0x7ff895003cd8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7408242424107490107,15079759779525838989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1998107017edc46fed4599ad24cfe53

SHA1
47e92f0646f0de9241c59f88e0c10561a2236b5e

SHA256
cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa

SHA512
ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21cf39beee4d807318a05a10dc3f1bf3

SHA1
01ef7fc09919eb33292a76934d3f2b5ba248f79c

SHA256
b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939

SHA512
0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bbd303aa7087330ac523af6aa4ba3401

SHA1
ddb63f96302d25f7cfb6933ee57de1f6715d59a4

SHA256
981d6d50e0af04f205e761e4829ed909f7628a1e75778ef0a51774f84684356f

SHA512
1bd7a39c1f8e2154cf99c64b1d8a6f33f58d3a96ce927e834985a7d96dbefc2a2c22942a403b0c30f9ace1bb4492f915677fd1ee01032891ff2771bb6aa5573e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ada33ff4f05ddbf5bd78d1644f40a3c

SHA1
7f92b1ba2dc2e1bd255448fbeb6e12dc41d7593c

SHA256
e9a9fc68e2b82a76a19623780566247179aad60d064cfa8045229f54c62d7554

SHA512
ad80ec5b10f87b123b1b938da7f3288b37cb18a38ed08556dc97e19d4d5b96c687478432043c1d27c18d5d39a2379f34ba20af5366f7a5db405ed9f3bb80e562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd1fee7db8ec44c6ceec7aad90335608

SHA1
be2574bbc349ae2d9b841c4f052e0d876780f641

SHA256
4fe6e8f6c60fcf08c7bc958050a167751d73be32876b7c6b08064b0e34975ab2

SHA512
2f55853a5149e1599dec8b96bc0d81d56dfb3f623406bffa8a5fe0b07eb87328a330d1fb524e481443da72f84f06a5aad7ebe2b2973f6b545d4ce1f1f29f0391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit