Analysis
-
max time kernel
73s -
max time network
75s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
24-07-2024 14:00
General
-
Target
https://drive.google.com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1lJeAGTiLzgGitTddNHLS-0BF7AJ18CVF1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2dd446f8,0x7ffb2dd44708,0x7ffb2dd447182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,4832450512261229775,5586428564873509966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\" -spe -an -ai#7zMap25217:118:7zEvent269571⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\Registry Tweaks\3. DisableTelementry.reg"1⤵
- Runs .reg file with regedit
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\Registry Tweaks\4. DisableCortana.reg"1⤵
- Runs .reg file with regedit
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\Registry Tweaks\5. OneDrive.reg"1⤵
- Runs .reg file with regedit
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\Registry Tweaks\1. PerformanceVisualsLow.reg"1⤵
- Runs .reg file with regedit
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\Registry Tweaks\2. DisableUnnecessaryProcesses.reg"1⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\CleanCache.cmd"1⤵
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fortnite_Fps_Boost_Pack_2024\Fortnite Fps Boost Pack 2024\Nvidia Profile Inspector.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5584971c8ba88c824fd51a05dddb45a98
SHA1b7c9489b4427652a9cdd754d1c1b6ac4034be421
SHA256e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307
SHA5125dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726
-
Filesize
152B
MD5b28ef7d9f6d74f055cc49876767c886c
SHA1d6b3267f36c340979f8fc3e012fdd02c468740bf
SHA256fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37
SHA512491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75
-
Filesize
1KB
MD5549cbcf16cbcb6093c9da67991379a0d
SHA1bc8247ec04b8e1c813249af0d6d8051e234a6d99
SHA256975126d1b7a5f94e6217ff7fa49951f9f2965cb953270980323b0625eaf21392
SHA5129c9fa18600273251bdf6ccd17824b514a811dae3d672ba7b655ce9dbc1ff805b915646d3f25bb4d2724d84d1f19c604648569b56d818d33e2cca4052d48bc7ea
-
Filesize
3KB
MD5e88c3da4d31e437390bae1ea9053aaf4
SHA1b36bfa60949a15628caad5e402e697b4bc1de919
SHA256304aee23144f842fad89a04f69a4d2b02e0e5f1229fbe564757494cbad31eb43
SHA512217bf4a2b21407310d19cc9d5cf24cdcaa6e6ebac1dfe9f71ed5c5f2b4b52ea81ad67cc76013b3c4489f4373361a9a3e1c1fc77866336f79f6d7d6cd7bd369ad
-
Filesize
5KB
MD5ec8e921ddd5b97980b903a01fecf9542
SHA1d5d1a822ecc43528d3690376deeae3c68e6fe0fc
SHA256281e5ba7bf64123cb096543c674d58174beb151268e9684bc48d5a16cb608f43
SHA512a1443ac5ca9c46702b49653980f77787dd600f2f1557b1b5b1ea99a14ad3202928483583c572088284fb497d32ca4d91ef4dd7da8a39c469b0432bddb722f300
-
Filesize
6KB
MD5cbf79049f561c45f03a830f96222a7fe
SHA190c00066b300621471469aacadc5654696d82586
SHA2568d9958968ec0cf7301b5d1aa5a2880a10f397762c7c371523e76570d512593e9
SHA512b11cc157ab5b96d6cb348a3dcaeed61631ad9dc6dcf105b99c4701a1538cf9014870b719214ac35dd76221adf7c156ab95a6477235146bce2f6a7e7139f7ee38
-
Filesize
6KB
MD58245b2e1241aabb8debb31080c67eb3a
SHA13d2a17ea7df6d4802292187ae0d118ee70c5dde7
SHA25699dea9a537c7ac275dacac8cb17d0cb706e46ff6d96d4e98598f1e0211b09f40
SHA512316b3cda119f19672275f62de5d343009c1226e8057f7c793bae7a9bc93f44fc81145b242ea9d6f1ac1aa831211c4797b3f691fddacc5226eeaeb2fe930ef281
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5045c53b175b981fba34f4a0fcde0d7d4
SHA1330fa2610ed189d7e0f839e6962a435e9fcd16a5
SHA2566802bd4619f7ce4255544472f8b916383e9f934392c005d1e3a50d82dd87150f
SHA512d476731a449626d2abbf1c89f348afa3a144680d702be333e090bacc2d255f8ba89abbaec5b4dae31d5655ac165af6043a9aa0ab5a7143f0e7bd429e02c8fd03
-
Filesize
11KB
MD5e5222e7e707c56d98b57ef7a6d53e350
SHA1d4fcb6e900bb37e76565d5b9dac3d10c3c35985c
SHA2561ff72898a99c8aa590d759aafc73059c0070036623bc4926730c3bf8fe885327
SHA51299a362d10d6ce52310f26d2939a35f0370d7e9f8fca50ccfbca157575ff9622334dbbc1900390603b836f71bd172490f2a162576a21634cf86e7bf75a53e7d2a
-
Filesize
3KB
MD5419b6c98c66950529a9e981ebf354b46
SHA1b9e7b0450096c38fbe9a989efcdefbfea2500cae
SHA2562da5ac7d109fe6662007ab2bbb5e1a8eb5a73e2a17afa44eb7424400bbf3c7d0
SHA51254181f160413d166f06e3598d437f1404efd9ec469a5d55f0cc7f3672f9556305283a2b0025691510e9c139da5ca7e29ceb4b0216f075c8fd8dfaa55e3c47dea
-
Filesize
3KB
MD516db0257fe96d48ad04f353b13edaae9
SHA19dde14715604fe346bead58e0d49ef6c2c40fbff
SHA25675aca1de37eb469af4b74df917a2ff6c09791999fa970e97eddca9d5963882ed
SHA512eb9d6e8f81f8aed8eb5d19e226b8cfa5a6079aaee2c37abbc5bce18089ddd24f1053fe5a04b245b02b3bdd3bc65d88195b2ccb2b126e9980ad8f6a0e204c8544
-
Filesize
58B
MD5d51fa0c1b575e21bb2cb5dac8c470a80
SHA1b2fa89b62740e379969790b1e8c9227c7ec3cabb
SHA256c7dc21ca6c71057efd76815f22d0b19c55f165474f6a151105321c0416abf05a
SHA512e0119a3dbafd047383a98f46820062980526254b682ab066b0931f2a98c2bb0a4d388ce8a879dbecc0728eeb947f94f9335d10f96c02dd24d4185d41accb74a0
-
Filesize
374B
MD54822dc0ec847ee9b57920f49f71cffe8
SHA14702d7c39408b6315951538dcddb1d107b557d0f
SHA256e5edbf225e4cfe44a3282c9005ed7502132bc9a19b2b19a9fe51335ee0860d72
SHA5127c91927735c3e80cb4282511452751a98bfd292a5ce5aae7f94dd998966f9f4ce6747bfdcc090267af1c6380b6e943c94844656f96910f300bb8229f454b098a
-
Filesize
491B
MD593c292d155d80e19c666b10a69a86b24
SHA16e0045b614b24a5b9d795c629960370dc2d7fd2b
SHA25605427f85cf678f3567dab23809c30c6cf6087037d699ba6e4a8788e6f8f4e1a5
SHA5125877bd76b32fdba6b6ee051878de9209356143abc06ce93a4ff8d40adab293588b67df7fd34ae068c11c1ffcaab132fbd2aa78216fa402a1abbc728f786bc87e
-
Filesize
469B
MD5942a90b5c82753c6c58e50fcafb49d49
SHA106c1190386c9017c3b3b5ca54e563b21d5a95ff5
SHA25639fa7cc313361b103e4011ac8c24827dcbbc0a4c1d130787883f3237c01b88cf
SHA512c59b24c6bb400ea1be3916b7d9515723b2744a9c9f571084b02dd0f2a57e27e9af1c8bd44e5a3c6127237cf4db2ce695592bb3cc71131bd5636ccd42b0a0afbd
-
Filesize
161B
MD535ae8dde3459ac398d146004f8c63fc2
SHA1359b8bac2126f4697259595c3b53660aef2303a2
SHA256140120a6835cf384dd961aa2898dd78a7c69525d47623eb09867204a25618118
SHA5128aa067555d11b97cb5e4149b75b579866e02eb4304ed4c4377e2bef38e22d1b8d8a373bd2c647fb9d49c710931e4d43735a38e14e690c9eeae8115147884df02
-
Filesize
282B
MD5823e73e542a3bd7d6a84ebce84507684
SHA13b4a3e1dca11252b0093cc52dc408ca8a99dd5fa
SHA25665422798eb59ebff87d2d777bb729941e1dc1c38e5a64eb6acd30220baf01a06
SHA5129b200391ae3a97c9f499f7ccd58c0fbb541552df0c4838abf1bfe2dd383d608e7c25c9c1206cb8c43687c593855bacc3a652821ed26d6e94d5593b24b4e0c3f0