Analysis
-
max time kernel
31s -
max time network
17s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
21/07/2024, 18:13
General
-
Target
https://cdn.discordapp.com/attachments/1264644800993427510/1264644816805822464/BrowserDownloadsView.exe?ex=669e9fc4&is=669d4e44&hm=aea49c86cdb30b0e8623078a67be6103f471718730281bf73c84224d0c8f62c1&
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1264644800993427510/1264644816805822464/BrowserDownloadsView.exe?ex=669e9fc4&is=669d4e44&hm=aea49c86cdb30b0e8623078a67be6103f471718730281bf73c84224d0c8f62c1&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3cbe3cb8,0x7ffb3cbe3cc8,0x7ffb3cbe3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,10887660258656486895,15499917481401431305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BrowserDownloadsView.exe"C:\Users\Admin\Downloads\BrowserDownloadsView.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f1d33f465a73554cd1c183cbcd0a28a2
SHA1f5c16fc4edff600cb307f762d950500aa29a1e8b
SHA25622d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9
SHA5127cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95
-
Filesize
152B
MD5575466f58c7d9d3224035d23f102d140
SHA12fce4082fa83534b3ddc91e42fb242baee4afa1c
SHA2569da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923
SHA51206503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab
-
Filesize
116KB
MD5420d63a49ed95aa020d7abcddc2e0ae2
SHA13d13a3bc1a27c2c6893cc51bf49c19c1fda42cd1
SHA256add260e46e2c7975ba09eaf032eac864f9c5ee5476a32ef3d994a328b6fc13cb
SHA512536e275f114d414ef0be044c9bf211b260d5d492a39d460beb57c00208035f9ff4f51cf02b9c116791b327925be0e9ef9671435b6990abe88f3521b64147901a
-
Filesize
5KB
MD59efe99b263c2a0d8649ee2baea0dd1e7
SHA1422254f7befb603941a7e7e6819f80e26e459d64
SHA2565751aa59607ba3aa0a46fab051fc99926729b9423df86f3693268972ac92e682
SHA512d4be851b798304c824aadd1a103245eeb58e6138694446f6091c3158b6d51fe0baf5ea6ac8d86ff3612f5f393c13e3ea81890fadccdea9ffd319a4309f13a2b7
-
Filesize
5KB
MD5ffc46fb68a228b624225c0d21b01591b
SHA191c57fdf7ce9490e43703e99054c485c27a0f9dd
SHA2562891117d180de32e13516456dff85b596ede8a85caec0f7aefffc186da92bdb7
SHA512e214c3b691399e659ece6c59895069e7458e5f0e19c386a825757e67abb04c1b84bc1b86059f249072f4af7f3dbb1d3e893a1466939b522cc5392a137b00c866
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD57827960516c6413c6c762c84ca2cf33e
SHA146587c5b32ba7605625cbe0c1837be5ad3c5ecb2
SHA256338ae93545f80c8a70fa4a46d9642c4bca9628d94f8fa6a0138aa8019de7baad
SHA512bba4c585a57fa425edd9670142fddffe0bc83e74d0983d531c8a1f9bed3c160a9942cbc2d35c3a0dee2437cbd4257d5a36d4694aa33c3b64b9d9b7b0fdcd8cab
-
Filesize
11KB
MD5ec36246ee37a31c811ab1e9df38fb264
SHA1b279456c902002ccebff0eaa5667756ce75fda25
SHA2567aeadc6ba52955d53e0fdc765db8588d13aeec7379cc6ca167ed30b6aea9643e
SHA512f5731eb6c1b5ac29afd14be62e75267f21a70d22258334abe282b25120c43b06e369bde8e0c947f2dce0a7878429d5337cf04b2ba87e18629dbd69fec46e1601
-
Filesize
232B
MD5df485ead23fc1de15f0aca439d2cb32c
SHA1b96b233c3578338d740a3f9718a8f83ea7316778
SHA25600fba22616f095d06363038af7c785eb21979b2556a91559049089f35ac9655b
SHA512500e90912a010892e77b5ef51215947bed9806367f09bca473d4eed82c6ddd6edc27d22fa1fdd94fb52e7a6eb623c1e63eed3f65147e399aad6f975dac464d0e
-
Filesize
475KB
MD532d8860e3ad7c0040f3bc37a32aa64da
SHA1b15b8fbe5e68d7e340e4ad8c7c101a024363a86e
SHA2564a506d6fe197eb77e2c5620503fcf2f0594b007498d29fda12942399363a1033
SHA5125742e84c8071bb08b00c54b305662d9b76c12019efcbd5714b52cc1095d9b0ceba2d49be63b01d3c593508c62af8f1788facc070fd1725d0f6dc3011bedd2ab0