Resubmissions
10-07-2024 20:41
240710-zgssmsyfpk 610-07-2024 20:33
240710-zb9tzaydpm 810-07-2024 20:30
240710-zal2hs1cmg 6Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
10-07-2024 20:30
General
-
Target
https://drive.google.com/drive/folders/1GU0wJLW5BTUuN5f1xBUsx3hHfUDAawHM?usp=sharing
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1GU0wJLW5BTUuN5f1xBUsx3hHfUDAawHM?usp=sharing1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bd7e46f8,0x7ff8bd7e4708,0x7ff8bd7e47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,9889243333515345381,15403800226586887472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\RC7 (just a little fixing-20240710T203152Z-001\RC7 (just a little fixing\RC7X\bin\x64\Debug\net8.0-windows\RC7X.exe"C:\Users\Admin\Downloads\RC7 (just a little fixing-20240710T203152Z-001\RC7 (just a little fixing\RC7X\bin\x64\Debug\net8.0-windows\RC7X.exe"1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD52f842025e22e522658c640cfc7edc529
SHA14c2b24b02709acdd159f1b9bbeb396e52af27033
SHA2561191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e
SHA5126e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05
-
Filesize
152B
MD554aadd2d8ec66e446f1edb466b99ba8d
SHA1a94f02b035dc918d8d9a46e6886413f15be5bff0
SHA2561971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e
SHA5127e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994
-
Filesize
28KB
MD57f5a5d45ee4ea0bd1ccf5178c63f43c0
SHA171cafbec33de805f8c65c04ab40a7fc072420df1
SHA256e47f30921e1d3fda22de0ed56c9847b80e379396ea95d3fe60e04cf9e4c9773a
SHA51211dcabf8a16fd008783be04cf72e9ebcdc3b37a9a92c0769daa32fcec0a7ac5f1380d5e7636dca14eee05e5787419d2f5782726c94846c39085b325099c123d5
-
Filesize
1KB
MD5368833bf302fdcd55f1d7e583438f571
SHA10e5339b4cd6a3f54bba18aefc79eb6de11198498
SHA256c4530ba244013ab22b60cccc89949c44488cc3aa8c980706129d66a34c6f547e
SHA5123157227e7c1c63ce4580ae3e15666f1bada8657b326c1ee7d6c750fb86ca91ac1934bbab52595d623d7bc57a26917f1e7c8f8118b9250d101e5614c7f45ad47d
-
Filesize
1KB
MD5229841998cd8fd13aa3ea5d8cb4a5e1d
SHA197935184a8a9a11f29e6689b991f50b024fba826
SHA2561b0992fbc62ff0cf1f9994a47246a91951f49233a2d45235bf932e5c93e046bf
SHA512ee3531a1e04a151ed9378197ecaa26a8905d3aeb66d8ea3e75c93c3a204b80e4c5ba3e1439c3f9424b3741b30673a8c8f3e98865e04b60c7b82aaf1651e42af5
-
Filesize
4KB
MD54fbbbc91eb91aff61cefe9d2e601faf6
SHA1ba8a0ca98e29e7ee199cb67febeab1003707a1b3
SHA256ffa82dc32fdffd0d4de725a20e87beac5b0fd1492fd46e3812b9888830c2dacd
SHA5122ea3c8ed74f2a1cb15fb941d94c0be48904889b461a8e3a65787b44ce19c938a5fd44f3bea11afade863e15fc8a88a4de1a1897c3ca2f9dcd2e8d7f6b0637d57
-
Filesize
6KB
MD5fcc0a3943b3cab7fcaaef06e09e736e3
SHA1c37d64d05d5ff902acb407efc6c9507dc0141bb9
SHA2564612175c01fcab29f9fb3a118599cbcbe1bc621755a44155784ba08df3f40f15
SHA5121d65ffd37a424f7a82c57e4ce53a020a71096cf2c0705aa79d8e8d902eb00aa075550e6e848a8b64aec8ad7b8999229773cdd8c76da9a71e3b4afb869b2e4389
-
Filesize
6KB
MD5f1e86e2b71a5091c0118ad6d04a5d9a2
SHA10ceb5741efa0ed01f1de9b89248700ecd8c28ad4
SHA256320e226198eeb5116504ed62dd776cb4c74b8cc8de9c487c12d873ba98aaa247
SHA5128d539afb2caf1b7be2e7f1149a06b9e0c41bf91875907062d6a915686662860f3ce1e6f33d2640296f156fd4517e2664ac501bf9709a8cc7d90d8dece970fae4
-
Filesize
6KB
MD5fe3b583b4416070e106bc4e3d1bfae4d
SHA1dcdd2d950b1543c60aeba33c159e6f68b3c901d5
SHA256da017118a4cd3020da7e47a39071803bac695b8dfa5a29173fdc010c5d30fb06
SHA512b5328d798e4a5fef06e845b268669395f97e0f1ba77de648298a46aa27a1190feea42ce874afdbeff1a7bc622f837f4f45d37ca0b7d6910627a75e552c9c2e21
-
Filesize
1KB
MD587f7bcbe418b2fc21498d0f5243d68e6
SHA189cca73f37a5687436c902f67bcf53de425b3a78
SHA2560d7d6f68ee6eb64756cd5120da58696c119b1d0bb8ac67fba6957694b191484f
SHA512cf93a9ecb6081083a56e90284f3b2bd829eacbe1f1d0c9b41a46817d6d606a7eea0b9975eb688a1827f0c0c3e78ebda19036b3c254f9743e2f16f0ce6271c991
-
Filesize
1KB
MD5337014ef5a3f392dfbf8e9176b39c82c
SHA1e5bf5af6b2543348ae53b4c8c72256d8502d9f54
SHA256bf3812ab91f991929e7a1876af527f6e2264a52ae4238264218b99d622405411
SHA5129f98d590fe3a3855a2a30721860d19ba667625acd0ab7b027cd760e64cab910e8c3045de5d48b15b48f43744c9ee1f6d5cb23e247a32dacd430df3334054f120
-
Filesize
1KB
MD5b4bd501cb813e1fa962b88db39a2d2bb
SHA127621b146a756c651d7ce6f551f0b10bae9b85d1
SHA25696d6f511eae787a9eacde2362dd34117fe06c5543bec5fc64705f8c7077a0a14
SHA51209fa23e9ec130e2f0d928771168f4346ddfbdc89b089b42d90192451d248c29092c8c2b79cab23205de3ddde658de471b96334efd6e6f34950323e517ecdefa4
-
Filesize
1KB
MD5bc10835719417c242ef107b335f662cf
SHA16e5d76931c22e9c90550fe37b9503f72a182d6be
SHA256f6373773a5c52afd09b12d294a415de2bde4928272ffc38e0952f9ae9f3a6a79
SHA51207226bf16043030f4fcfc1067bde1cbd53e18ed152c206e72f38501c26f30dc961fd2d5752d6fcee750ceabb102191c94c8c05fce18204145cd8c436bdb5b3d2
-
Filesize
1KB
MD5988b26c803746f6c6c592dabbbac6c93
SHA18d3740b4815fb3eb1074d5278b76068d1b74e81b
SHA2564be642af49d25f1f9e62ba665af39a8d0faac59b5b365665caa0fd7f430b5d4b
SHA51261546fb3802b54d455911cd94ede1a2e479d667273facf4b2b0846e532679f5e430d0293c5c5e3c28bb0864901d000c3b59df8a8c9266860196c1b735b44e424
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD51ad96af4173a15b77122ce85ed4a9f3b
SHA19ddcf563265608105c5b058683908b8cc6c3ae8e
SHA2566b210f5cf432a3510cb234e87c3042089edeed2aa1c8727eddc7b1036fa654cd
SHA5122dc623790d33625aaf042850b9def0b8bdfcf02fe224c3eadf0c3b94d69585389c9f53f6e584c56d3a919ced2f6f78b0182f59be4f47c2623f34cdf24944ee51
-
Filesize
11KB
MD5e79a6a3de5a005ee673a2a2678340b2d
SHA1dfd57588a5fc55e4736bcb97d04f5a1589e1d67d
SHA2565d259f1ed2c66c2336c66674ba9a60f7dcecddea37609572ca764e6c8efa7936
SHA5129f7bc41f1ad1cd2a260493c11606f71e880f5a673da4b1e1ba8cc6662ab9c1db568ec30ddba9003aa79c34917d10968a900ab4a04370142a162a01e5d60d551e
-
Filesize
2.0MB
MD5139952fd2e1e21da7eb7560de96e4b91
SHA1990194a1158ac91e72cb2f41b74afe0b78845e52
SHA25697dc54464b5d48afc2d7ef10cf250bcc4226d9ba48c85f408e8e56033f061ba0
SHA512a72884cefb37310718e3b9eeef49d352f35e1a97c6a9b2cc2c9942f11576ba57fb212e2e87ef193427a696a343951011182d1479c335a155e5b523225ec2f913