Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
20-07-2024 01:40
General
-
Target
WinHex.exe
-
Size
1.4MB
-
MD5
0bc48abad1ce6dc97a649e42f31d668f
-
SHA1
66b405640d43de81951e6202c2d7c239949ed6a6
-
SHA256
8fb578ca01388b5e2d6749418ee072d1b52a7c03e0aebcf0265f88f74d68e138
-
SHA512
a5f4ddfa5d9123b9705b77b8ca801e72bcadf30a6e8c380284f4ab5357ad02c88a31471e8c09b469d70d2158861cc793fb2c91303f183779727c5bb63bfed19d
-
SSDEEP
24576:3AmWVRjgsSykFQtV7GF/1JmbxEzl3trUuzOsGfO5hdOhPhvd9lWhM5GUMn0Tjl:qttV7m/Lm8tHMO5o5dzwUlTjl
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinHex.exe"C:\Users\Admin\AppData\Local\Temp\WinHex.exe"1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\winhlp32.exewinhlp32.exe -x2⤵
-
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=5288812⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3b1f46f8,0x7ffe3b1f4708,0x7ffe3b1f47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,13032399822689639038,2665075877493737761,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD504b60a51907d399f3685e03094b603cb
SHA1228d18888782f4e66ca207c1a073560e0a4cc6e7
SHA25687a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3
SHA5122a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91
-
Filesize
152B
MD59622e603d436ca747f3a4407a6ca952e
SHA1297d9aed5337a8a7290ea436b61458c372b1d497
SHA256ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261
SHA512f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a
-
Filesize
5KB
MD5f9ad7d85ef4ba0bea4a1575fd427c7e2
SHA17311384c99e5a3cd376050e01e7bbe88bed63d2e
SHA256dcc1e3fb12f0b1047e9143c376b594534c502d454dcf3fe16f868a3cf36059b8
SHA512bf807db2e1f6926c8ec198a9545fee8d064f55184354d1c9d129b6b51c0046233c19405fee987de9b20e7bc31e27b6fcb51adf6a501fe6c86cc1faba776dd8cd
-
Filesize
456B
MD5524afd3869ae931e2dc4b3fe62a32726
SHA1f21b0e674b4796885437a69b976fd75eca199828
SHA256b945c132ac1a6df996743a90b618cf2c473fd0b9e51a3442ef2312285a2c5cc7
SHA512a0cc48be82b3cf328a4812f5beeeb3d89b42bc9ac47d0740fdd579f53ad44badd0ce58f46acda8951f5a1fea4f606c338cbef14e976e886b7021c98c65ca5db7
-
Filesize
955B
MD5f3f6c461215366ecd93dc73da2d508d6
SHA12aa953dbef925190b99ad7c54a8c6e08f541489b
SHA25602798e78243f9ef17bef1c89e4e1f2d65353cc8bd3ddcad07356d844c5787134
SHA5121e454413fa0d1c1f9646dac2400840e67d2e237219288c967531eced58a0d0b65c15dfe831dd39cdeaa784dd3014b33492b249774dc1dbb103ec4e1a792f953f
-
Filesize
189B
MD51c71d79b135a68f3ecbc4ae68c2dc88d
SHA1aafa539f26effcddc6a2ccb828433445e37fc2eb
SHA2561e463ad8d85bf63ddfae93296b5de4b8c69041f3f95eb1b39c1126cf2eba3591
SHA512a81bb105277742ebde0b1f93a7dfdd49de3c33f673cac33fae3ec51e6ca595c960fc7ee5dfc0c189f56ed5fb559bd1a19432e89ae3a5adf53a5bf6d4b2268d1d
-
Filesize
6KB
MD52f4c9e84c86abbb697ae3216bed9e6eb
SHA11662ccf105b26b2439e90efc3e9ade6b4a19c049
SHA25608c20e7a0b1f212e7bb834c11929dc65f7565e2708349e9928e249a39416cd85
SHA5123dcf5572315e43d273fb7f707a49d97ac9773b2a78c5db51f8e568ff482bcd761a6d588cc6cc1c916d930ddc1a9bfa1915ebc9f75e0f287f8824b85ad1fee79c
-
Filesize
6KB
MD53a3141719a53f47b56fc25e4621d18ff
SHA175dc88bcf865601a1c6229d67eb770c3ba6add28
SHA256632e3fd8de66e5b584250e482f02464866123288e35269f8a73fb11dc23be805
SHA512d1850e05a2d39b517ffb2b1c7fd3c36d9cf90a7fd327c8b92053dd0c61d79003afb83b1c0cef019a6ae219338422463ff11cb3c5b2ebbd95d66cd34a0fab0ef2
-
Filesize
1KB
MD51b3252bd0b393d69325044ed42cb9767
SHA1fd7991a7525b2a75b23ad25d1e13c500121045ba
SHA256a1687f8e463c416032a097f61177a9e260714d3988f1fdd5e895e438d7bc4b00
SHA5127c37c4b9ba851197c7d75fbafe36417f2cec89d89d2a146eec24f5ecbb7b12d00d371f8e6cf867e13d77aeb0c6a6ed37ec9902498989cada1779a7a80f2753f5
-
Filesize
1KB
MD5bef20d4c6b811f4353f75cef48c35680
SHA1a11c3251f9a2520a3b035e581c11cfecb78b8a71
SHA25643ad576d5436ad50d9e1e21f97f4d14fb1ab1a0f0157723e39d3e7201d1c15ea
SHA512781185a916fec8cc1944551aa2b6f6edac52dce3caae8f5a7b19675a0e29ac443f327c1d27eccfab2262f2ba3c8a375d359389547e625e77649e335d10446871
-
Filesize
370B
MD54351cc4ac36d964f7f459cb7280af9e0
SHA112d396759562adc149d36bd9a8f6478966196abb
SHA256e91eb3da6c24c46f39c5ce1804816c6b0ec8781789dfb83a1b254059441673c5
SHA5121457609fd2a720b463cc4b23b42b2271637044d501a4403af252ce9df81d1ce3e24e18efeaffd7b8150491932c244f1b52a4ad9a612f7928361fa0abfc057acf
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD57348caedefefac29afafad442e0fe164
SHA131448133cece5c7510c5678085d0d5d5b4692afa
SHA256e4c27024855e6f974124e3e22e11d5d14452729a01d1fff1595f2334bd74424a
SHA512993797bfb4db79b952db4dd573c7ef08435a938fe0899ca84ce784d9a6405f9dc58ece5352e3f9c79972d53314fe5c5a1d82c1563a293e3e2af34b7ea40238d5
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
172KB