hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

10-07-2024 20:43

240710-zhp35s1fna 10

10-07-2024 20:40

240710-zfyx9s1eng 6

10-07-2024 20:37

240710-zekn9a1ejd 7

Analysis

max time kernel
105s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 20:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

7^/10

bootkit discovery evasion persistence trojan upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 5 IoCs

pid	Process
3824	AV.EXE
3572	DB.EXE
3400	AV2.EXE
3384	EN.EXE
3752	SB.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000235a7-406.dat	upx
behavioral1/memory/3384-429-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/3572-441-0x0000000000740000-0x00000000007D3000-memory.dmp	upx
behavioral1/memory/3572-438-0x0000000000740000-0x00000000007D3000-memory.dmp	upx
behavioral1/memory/3572-442-0x0000000000740000-0x00000000007D3000-memory.dmp	upx
behavioral1/files/0x00070000000235a8-434.dat	upx
behavioral1/memory/3572-414-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3572-461-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	camo.githubusercontent.com
31	camo.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tsa.crt	AV.EXE
File created	C:\Windows\SysWOW64\msvcr120T.exe	DB.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
1044	identity_helper.exe
1044	identity_helper.exe
3076	msedge.exe
3076	msedge.exe
3572	DB.EXE
3572	DB.EXE
3572	DB.EXE
3572	DB.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	DB.EXE
Token: SeShutdownPrivilege	3752	SB.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2884	4680	msedge.exe	82
PID 4680 wrote to memory of 2884	4680	msedge.exe	82
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 4012	4680	msedge.exe	84
PID 4680 wrote to memory of 908	4680	msedge.exe	85
PID 4680 wrote to memory of 908	4680	msedge.exe	85
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86
PID 4680 wrote to memory of 5116	4680	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca15846f8,0x7ffca1584708,0x7ffca1584718
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,13151481913736458431,13920926582642760302,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"
1⤵
PID:5060
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies system certificate store
  PID:3824
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins4000.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6bddb4071a85cdbe771556d994385576

SHA1
fe27dde24a8e39e82d887c7723d4c1d9b35e8362

SHA256
85549e9bc8985477a2f1d29cdc33a552397f287743f8191046d8c58d121ab340

SHA512
0083a670fa17f570139bb5db1f678a0d58f6ec2ab8c4f7cce5410820a4a21cbfc6dee7cf21cc5767019fcd3e8d8a80fc45827ae5033223dd9fc7c0bc5e6bb363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
ce74753f000ceee62e46504c3b4905cc

SHA1
2c6d510ad7fd1f386215a138baa771ff0bc6a426

SHA256
a4ab20b1c1c7d5cd62f5388ba14a98172be6b07e27d6545f072f5317f70ae2f5

SHA512
fd80fee2ebfb64ae11b7c0ef29224c2158376369eab4a856f763373ee88dcc70aa9f4d6401d63ff1327d3f0f6e4aca4a2775813a3c40535c95533800ddb39548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f954c1c7c841dbf8c4c420beb717a320

SHA1
04cd81fae57e3c26da7f2e43da9b4d97fc51dc0f

SHA256
fbd89d402078cfd4f5a2bb8f6ef5d8ff8707c09518cbd30d96085f030c12bdf9

SHA512
f9bcb0ea688bdb2bc5fd37604b5063e9acc337277741a29fd8516d3241429e77deff0847c38834a8478a4b0032051e30a8bf81ec2912041ef882667e079244a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7a18964e712fdcfaad9144ddf0f5a3a

SHA1
256b6f8c93645dec1b57f7c562e7a55712cf7892

SHA256
bc4e6b491e718cba56618bb8b24c250323a834b504acd1b3da1c735df94cbe51

SHA512
6f7711231b1d0664c1133c897cb9fb812de99862f9468777ee0963d67f118a36ef8dc9216774f390adb3807ba83c2156ff21605408472fcb50079430b06ee221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c66b7042a0f51a0ff251da4822246c01

SHA1
bbda4cd922a5cb96815fe9f2d727ce48821c45be

SHA256
8fe1eb283f67a3270a66de4b41ac1bdee35f0768b44dd11bdf028227c0dd05f2

SHA512
18eaed2d306878121a9e84ee65314ba2a36dd6a90cf6a4584bdb0b4097d6719f2c236b13233f6621b101def24b5778ecd9ddfa591e443cdb29fc80b7ba60f0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a123c48de802fa782410ab19530a775e

SHA1
fd7ef3e16838a2552b36b279b7756efb61eb0e43

SHA256
1495b5ce7193ed3087896a9f65360f8ad33cf870271052e7cf2c837eaee28ac8

SHA512
c113b0d6fd686694a68b15ad00ea7d64f95161b37149d7513af23e3f458d96290804f9e6fa246d9d1b3b62662905735f15d8042f4ad84de34357f3515902908a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
80959bce41cfd7619dfc7e544dd375ac

SHA1
2b2e1aaf619fd7126a56f7233dc3cd8bc53dceff

SHA256
398f392646ecf32b16210d5ecdd6c1c44a001191e52f9be398ee9acf54c0b07c

SHA512
b679844ec5c598e54a7f91d26dc6d687719e8c5ebddd923f7876823c5557b31f3384ad224415b404a252f18dabc5df33aceb19ebab3beab7ef8978e817ddaf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c83a7ba51b2e0e58aec512c52cfbfa3

SHA1
c93776ee456c656e7dcc6532d1c634f4e99aee35

SHA256
ddff8ec04b63f10cdf48a4a11d9e2e9cc7ab756bcae5c0f38e4a327ad100baa3

SHA512
4aac920dcdbf6a5ef26baf80a390e52c7a8aac2b5dfdda74ad26255e0c9dc2d6bb4a66832989eaf3dcd5a53310645a5b679114ded2e77c328902afd77c806c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e561b44bc378ddd3850389f5d35edc11

SHA1
5040abd3d7664e9222f7adab5c6c529ca71f0cdd

SHA256
f92bdb58a041e097f931930cdffffcc8f1920099e18f9db77c727e055a12d7b5

SHA512
3dcccf5b4fef4e9d5a51750b3e09287ad954b88cc6463843b6ba8b5999483f3dfe1a7aaafba0be80e0207fa663f512972e2e72d6e243156ea824ff597108e5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf90a93c5724b2bac7fc4f5784bf7fcb

SHA1
a785a89cb716357c6707a9fee2eb0e5a64d0befb

SHA256
40731a17dcc35e71d4820f6f782b2425c6f2861802bb157a92daae6b86042007

SHA512
1302199e73de40c6cb70e77fd8eb2ca3b7c350bf88bebf85b01d27e1fb63723072bb12894afed0f1108af8ae7f25766e9b76fc90d042b07c6a39cd78b3e0c427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5832c3.TMP

Filesize
1KB

MD5
9a060b5ec77ebc495fdbbfab4429a84d

SHA1
d2b7b31edcb5df63a2567c6e240852a72a9eb6ff

SHA256
02f4990789fa4ecd8bf3bfa6e8ccd7a4cb65ff7ff190c1c201b838dc589f097e

SHA512
0e5ccbaa84b1e693ef611dcccf1825b8444190fcb4b934faaaeb9e0ecea88c6da9ea36c071a827b4518834d84dec89234ea7a878da69634fc2b61c590f7df946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ad45aa58037c244acdf8417bf359a17

SHA1
d97e4e9265f27a4ca39262d89fa87485523a2cdc

SHA256
6be9de34e892b6a5c05d566f72c4350d233b97a3566098e813dd319d9a2eba89

SHA512
803a156e45d0757f923e30df41bc61e8a5f06b98f62c5760f7dcdf9fe0bee65353b2793271724e4cbd4b0d92729478b05972f998ceb970de5ecacebc6860c9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7d737dfc67d3934e45b1ac34c9c66b2

SHA1
5267313a3b1dbe9c73394f5fb7aec857a081b588

SHA256
60aa794e1158c5bf201af43a5d7bb928a568c1800ce355c1d7fb02f333123d24

SHA512
35ef8fcc734822bc31ee8d15499814be1f1f1b3fb44350bb9fc2533e40eb3f1e3ee60adc2f86c48b1d0204994dfaedf49d17ae1dff98ceba6296fdee47ade775

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\Downloads\Ana.zip

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Windows\SysWOW64\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
memory/3384-429-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3572-441-0x0000000000740000-0x00000000007D3000-memory.dmp

Filesize
588KB

Download
memory/3572-438-0x0000000000740000-0x00000000007D3000-memory.dmp

Filesize
588KB

Download
memory/3572-442-0x0000000000740000-0x00000000007D3000-memory.dmp

Filesize
588KB

Download
memory/3572-414-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3572-461-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads