Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

  • max time kernel
    1734s
  • max time network
    1764s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 09:54

General

  • Target

    6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

  • Size

    145KB

  • MD5

    9f16d35de8c312ba0b6f9efd558487fe

  • SHA1

    93040ad968110a6c96c9e2f74f6902aa52b71057

  • SHA256

    6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e

  • SHA512

    1534d12e38937d0c9597f67540b1c849728a637eb7dcd1286e28c9bd72a463bdbc492247beffd16e47986157323134edc84eb1d1f2e857d5c4a136427fe99699

  • SSDEEP

    1536:6Cpb2XbbPD1c2lB4a9wL7vkYq0Hk5rR5JkVJ4y/uU/rLV9YYccquTrX7YeOzk+7J:ZyXbt4aEcTrR5OVZ/rLV9Yrcqu3

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
    "C:\Users\Admin\AppData\Local\Temp\6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Read Me First!.txt
      2⤵
        PID:3228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c @echo off & echo github: https://t.me/temon_69 & start https://t.me/temon_69
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/temon_69
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc49f746f8,0x7ffc49f74708,0x7ffc49f74718
            4⤵
              PID:1572
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
              4⤵
                PID:4168
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4268
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
                4⤵
                  PID:3156
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
                  4⤵
                    PID:1172
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                    4⤵
                      PID:1888
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
                      4⤵
                        PID:540
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
                        4⤵
                          PID:4872
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4536
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
                          4⤵
                            PID:4148
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                            4⤵
                              PID:4908
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
                              4⤵
                                PID:4500
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
                                4⤵
                                  PID:4388
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,10160210258351865092,17625193998730192248,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1864
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2880
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4852

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                9622e603d436ca747f3a4407a6ca952e

                                SHA1

                                297d9aed5337a8a7290ea436b61458c372b1d497

                                SHA256

                                ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

                                SHA512

                                f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                72B

                                MD5

                                6a26b5db6444f0c6729911687e925862

                                SHA1

                                7ae080cfb8d8fcba45b66327926f6d839c2cc2be

                                SHA256

                                6c897062fc2cc129678673cf8db3f68fba97819981dbd9c2d0a6eb2aa2fbbcbb

                                SHA512

                                b2817f25df0c90226fd288bb5c14e743f327f10ff7d7646a71477af730808980383423e71fe0f2790c769105dfec0068f9e5f70dba9c200fdf9efb7135c96942

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                242B

                                MD5

                                e384a795d1e597feb0a5bebd13dcde50

                                SHA1

                                7ce66637789b61ae163c1de62dc996a99cdef796

                                SHA256

                                42a6ef02d02be95231cee980c97d4398ac167e7264a5cf838b3e3a2ad2a3380b

                                SHA512

                                36f58ca4b73ed5fdfd9b2557d09203189dc9cb3db29ee9716f89bb75a8f6d1c32cca67e597dfefb3b9074be0a024ba51ff40d8024439ccbb16d17316abc2215c

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                905c548adef3ed849b06bfa7d82b98e2

                                SHA1

                                b5f2af3fa61a3976f7f38052383021a8d4c6bfeb

                                SHA256

                                ff47d07d1f4218979a5f56e743ab522abe6ee85af50445c571b7b4b0e9647083

                                SHA512

                                168fe6ca43b7d2f43a8eea246d2f8edcd8611a8269d25296dec8a19a948cd2c0972febf245b933798dd2bbdc6d69f33306c82301c20780f2c5c36cf0ffe5dd6a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                343570ad89d620fd747de91e712d0b1a

                                SHA1

                                398f9333ad0982f5d2278315f2a83a119cdff12b

                                SHA256

                                4ed3aac076f50c6dfed55383ae14c0e4725bb7659048651ebc54f36685554482

                                SHA512

                                d14e2303df12e92d33b19435b91a0539acb0c60c31a60bd05f2d5d90e261ac37112e083b579d9e48c646b86dbba24c4cb273f134d445ffc3e8cde14da7370b7d

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                e2652ea9f6ebb6f48a4d36091bb9e64a

                                SHA1

                                b9a08709b0ce607ca91ba3548f747221a0d9ffa2

                                SHA256

                                f7eed943cc7aafa8b39c84a630b5247bc1d6391f60016a48e7b72838719324f6

                                SHA512

                                d7415422357985340a5d321e18a991b0f4deff635298d6ccfdf344c4fe04294191c1ad52d9dcaf0b1d9c8e7798fda1cbe350da56a02824beedaad375e98a8fc6

                              • C:\Users\Admin\AppData\Roaming\Read Me First!.txt

                                Filesize

                                266B

                                MD5

                                5efe8b27a75520511406ff8ddcbc93bc

                                SHA1

                                d3755c5c29e04f356c6852f64e6a318885d93579

                                SHA256

                                426906022fed3ebb1427364f16717af29af909bbfa08b387518ead501ef1c7a8

                                SHA512

                                6ee99458c294e072e7f4bfaeb34bcca1364b4440485b18dfdcf27aadfd7fad67fff11c3238326f7fbd30be8f3670d2c200c2dc9c5f38e36f0dd14d83ca3a5e7b

                              • memory/1636-17-0x0000000074F70000-0x0000000075720000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/1636-5-0x00000000057D0000-0x00000000057DA000-memory.dmp

                                Filesize

                                40KB

                              • memory/1636-4-0x0000000074F70000-0x0000000075720000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/1636-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

                                Filesize

                                4KB

                              • memory/1636-3-0x0000000005650000-0x00000000056E2000-memory.dmp

                                Filesize

                                584KB

                              • memory/1636-2-0x0000000005B60000-0x0000000006104000-memory.dmp

                                Filesize

                                5.6MB

                              • memory/1636-1-0x0000000000CD0000-0x0000000000CFA000-memory.dmp

                                Filesize

                                168KB