hxxps://www[.]mediafire[.]com/file/yc0yxczwhi8j5w8/Sorillus[.]rar/file

Resubmissions

21/07/2024, 18:08

240721-wqyhpsybqg 1

21/07/2024, 18:06

240721-wp1axa1all 1

Analysis

max time kernel
1696s
max time network
1686s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/yc0yxczwhi8j5w8/Sorillus.rar/file

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
2640	msedge.exe
2640	msedge.exe
1684	identity_helper.exe
1684	identity_helper.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe
2640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 5060	2640	msedge.exe	86
PID 2640 wrote to memory of 5060	2640	msedge.exe	86
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 4620	2640	msedge.exe	87
PID 2640 wrote to memory of 3068	2640	msedge.exe	88
PID 2640 wrote to memory of 3068	2640	msedge.exe	88
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89
PID 2640 wrote to memory of 3588	2640	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/yc0yxczwhi8j5w8/Sorillus.rar/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b00d46f8,0x7ff9b00d4708,0x7ff9b00d4718
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12414438886161439798,1860582823193902722,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bde6df40ee2aacaafca67e667de21a3f

SHA1
a4569bfe7b28fcc968c1fdf5b1ac4f869fd7de65

SHA256
806bd3902ecf697b3a208ae8a00bd1fd4bc0d95a01e3e0f4c788341920974d15

SHA512
fd98f7ab0109111acd863bd0bf5f52ae50cf8816f39d5a87600dbc33f8850a3645eb57115ed883ab3773c7b8d54d4ed40a3bd8c2e9dfbca7445fe2784fa369f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
00eb399b8ea4b13bb619a5677dbf6be8

SHA1
25df8cc172b08726bfb9fba134c507b1312c0fb4

SHA256
49e9ff7615209d8e5a6349de530d004f14fecadddc162e251ebac10bb5e790df

SHA512
69762cefa57c05d1acc2111cd5bba74dc2ea7201f5e0bfe3f8d33016bf2b85f4b8a6b84c454ada964d77a7f3ecbf1efd2cf4d936b7c55ad370c42a0161a97de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8053bba4b53a9db9b9198291c939b870

SHA1
9c95039104303cc9af381c72cd43b98181ba755a

SHA256
7a8be80cb43723e95d3ce8ec413c254e1fcf7357673fed62d77394f76c1da2d1

SHA512
88da4d5bba927e9fab1be5c920e7ceca90aeb4cec56bcf6eeb61eff2d79c4ca93fea6c9b29d4637679276b9b64798c17fc1dd17afe7e705ab97ee70253d5313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b0c596dc-675d-4c5d-9a99-5908b750302b.tmp

Filesize
5KB

MD5
ad8124d974f3691be70f589df2360019

SHA1
a1989518868e84f667943b4cf17afdbf8d057d2c

SHA256
f17a341570d95681b10097ce461164d1a5add7e312170ec8bb9db3566ae752c8

SHA512
86f195db2182502a0491f97954677c74bbcb48643cd5bde99162e9d88090391059a5632c96ca9a1fb55f21f4bffc76399202f298cc15fcf94dc750764d46fe4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52c8a3cfc5d3788096f5c0005770c244

SHA1
be263a3043eb10e19b6ea6fc1faf422db08abbac

SHA256
c542bacb9b1b3811e6e594cb71f2c670da3c640231400ae88f530641ad5952ab

SHA512
253b0f92a8854edd29f733cd76f211f2bd826e15fbfa980ea01e67737c99f4afccf8305cdad8c1912b5882886d3e1ec24448e952dc11665b098c128142653b77

Download Submit