hxxps://gofile[.]io/d/2TVOw0

General

Target

https://gofile.io/d/2TVOw0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
5744	SystemSettingsAdminFlows.exe
5744	SystemSettingsAdminFlows.exe
5744	SystemSettingsAdminFlows.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	SystemSettingsAdminFlows.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	2532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2532	AUDIODG.EXE
Token: SeBackupPrivilege	5744	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	5744	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	5744	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	5744	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	5744	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	5744	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	5744	SystemSettingsAdminFlows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5744	SystemSettingsAdminFlows.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/2TVOw0
1⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4388,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4784 /prefetch:1
1⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4400,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:1
1⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5144,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:1
1⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5140,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
1⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5564,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
1⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6072,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:1
1⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5344,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
1⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6216,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1
1⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6468,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:1
1⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:8
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6264,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
1⤵
PID:3352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x424
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault2f795758h4c11h45bbh8271h20a73a14adf3
1⤵
PID:5240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5164,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
1⤵
PID:5516

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$SysReset\CloudImage\metadata\UAOneSettings.dll

Filesize
88KB

MD5
c230b6b003b3131c1972fa56aeb79fcf

SHA1
083e36a67147b031f4ccb9e6d396529789977d85

SHA256
013bec06baaa081e903fdb62a50abfce9e057955170b07edf3b92ec6c547887e

SHA512
f75f4adf6d0a6a2410cf69da0574990437b6a18f9c8e93a9dcdb9d18121ddb553f10063dc0c30fa393ec990ba0db9c68e87c7c67a95478c87144483a9844f099

Download Submit
C:\$SysReset\CloudImage\metadata\UpdateAgent.dll

Filesize
2.6MB

MD5
69408426a6fe28cc42ec4e9746306316

SHA1
20cb0cda61fc86a7ee55fe29857f72d7238f11f0

SHA256
891c5381840ab53bc2a493a7f7ed004d8fa2bfc4fa2bf64a9e1f561e2579268d

SHA512
7d52243f584c3a34d434a7ae5fb85b5c9861fb965006961a13a27504c03f4635ce8d6a507986e80a8009b898d52008c0a70d65d4bc06034134362855dd178ca3

Download Submit
C:\$SysReset\CloudImage\metadata\dpx.dll

Filesize
719KB

MD5
29bda3453b0cba312463c84381f373c7

SHA1
aca843cf1fc8607226a3fb32f6424ea1546eef30

SHA256
15d29a06aecd840a42f3324e2951d28995f853c12f6164b60949d16aeab1824c

SHA512
6f50d6a368eaa34021674b36938a2690bedb5008838af43029b441d2bbe2c531debfb9693a867371752e720239f03a540ff08a5cac67a51ce8eade1c435cd4b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads