Resubmissions
03-10-2024 21:09
241003-zzn76szfrh 627-09-2024 17:00
240927-vjaydssbrm 803-08-2024 16:20
240803-ts4fmatapf 603-08-2024 16:18
240803-tr5bjatalh 603-08-2024 16:16
240803-tqxkastaka 603-08-2024 15:43
240803-s6b3vsxgpn 603-08-2024 15:06
240803-sg3jhsxbkm 603-08-2024 13:57
240803-q9r75svfqn 603-08-2024 13:49
240803-q4rpeszcrg 603-08-2024 13:46
240803-q2zbgsvdqk 10Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-08-2024 16:20
General
-
Target
https://github.com/Endermanch
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffae1746f8,0x7fffae174708,0x7fffae1747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1812 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,883444011487810191,4689227951811901992,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_TaskILL.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_TaskILL.zip\[email protected]"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\mountvol.exemountvol c:\ /d2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f9664c896e19205022c094d725f820b6
SHA1f8f1baf648df755ba64b412d512446baf88c0184
SHA2567121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA5123fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae
-
Filesize
152B
MD5847d47008dbea51cb1732d54861ba9c9
SHA1f2099242027dccb88d6f05760b57f7c89d926c0d
SHA25610292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f
-
Filesize
6KB
MD57458195577c244ad699cbf82db2862f7
SHA11339a9c65dc413e978eef422bc7fa8c71b3f5851
SHA2560e68248a111089625003e206ac795352c4ec240d1e7938c551ea629e614be251
SHA512fb87d2de9267a428f931a71f583b50b616eae4659ccf552e667e36f03a035d30c639c45d1b7b96d1eb61f6f8b2da178b9e4edac1e02831790575d00acf08fe50
-
Filesize
2KB
MD56994c099cd6049b276b206c7d868ea2e
SHA15bf49916140ebe154e53edb21105d2f85e5875ff
SHA25631f22db4ff278117134ac0e3d3e5f79ceb026e635d019e2120d27e18aeae5102
SHA5128b33c244073e9ce8e60c4a09a4f2f9d2abe67781126c45de0d29a68da1162eac56bc437ba339714cc7c77ac5fde026e88512b98a6556df2ef7ab859a5ca83658
-
Filesize
579B
MD5552c94911b4d9413d92d5095a0c64b11
SHA1e9fe0f0eebf35d168d2d889b5367fa7a12f299c2
SHA256b687ba320a6689a39d8a01f8c10dc8e5d9f25465dbea04c2851d4d38e040fa5f
SHA5121cd929ccb9992a26cc3b5c9210138d3f30a46f5388aa6a123dbde986956a74ddfb2d529b860fc3c924b6435197c175bd004bbe309834340c3ddf90484c7d8a5b
-
Filesize
6KB
MD5bf34896f852cbc6a49490a31aea3f126
SHA16dd329433f95e6bd6490ca3ac757877f431c5d91
SHA2567f8b78fd4994152a906a19b0ff80fa970b06a3977cf895dd71227097a5b4ea33
SHA512820cb955bc68f5a911a42277ad11844b02ce0ba85b51fe405f4ea8ec458c3a5d65ffc02254e864a82bcfabdda34f1585048cb90823d9f6d749321ce7ee238709
-
Filesize
6KB
MD5072d5827c675f857bf0a8acbc5f506bb
SHA1644b883c2858242990f1e23f3e5b000f716ed791
SHA256185b81bcdbb8c19e6ddb7c0a4ee5b4a11b7a8831dfee5ff03322cb468677f348
SHA5126fb39b650a7971940bd37de2405daeb9491708f6d57017df181a4e0d17ec7dd5ed40a4366f3f26f4c4bf002b45b7150f8c4c233815fdc90a81d969358fed0ef2
-
Filesize
1KB
MD5a1256062f4c4a382e5c2671a99db3918
SHA1adfe7eb79b75139fb4ea366dd1dcd9d10930c8b3
SHA2567fe3d7873072b7285ab52f695f615c08e5bdacc17860c1e73a5b87128fd72277
SHA5125d8c863e3f43b584e5560d4cfa6b3afd2e6ec4725c63af04a6b95c8f0a1a12c041ba0f5d2034a8295254dc77a73e7315e5f09ecb2ac59c0b71d1bdd085ceaa4d
-
Filesize
1KB
MD54dd404990143d451b1439404d9aa4ea5
SHA1e591082e8d9f0843ce76d2ad195c58fb3281223f
SHA25607a73a8133b9bd37f92cb170fdbbe74fe10feba3e4b0aab9d09a2abbf6d8281c
SHA512913a4f496ad0d715409a573dab909977c422367e56fac45a5a44630ffc0635dbea8baf3e86896e15c54cf4f4079016029a1f4245da7a66a194f18820ae1e291d
-
Filesize
1KB
MD53aa8136194629cffae46c7e82f293b41
SHA11a8000960b6439d7b1f05c9dbd97847955f95ac7
SHA256966650094c9fa3e5a29c3371218da4036ced79c2d23b135238a4940aa6124004
SHA512a08a9594134cf144ef797bde3c377cd26f928131b1ba8256ce4b024604e4707541c7579187f2a37fd2e7ca0cf0bd6b613d8af7fc0619ee021bed237489082720
-
Filesize
1KB
MD52274d08a60659bb5c63876c5bf90e1b8
SHA1e6eb315526356152fb92ad83c714b0fcfea2aed4
SHA25670d3d5fc5080563594a67d3f940178ba97a40ddf5d10358e07555c9dfb1636b9
SHA512e1441b57fb5b83fae3d5e720ac5ae1181aba31d98cbbd831827987ae0a9aa6c91aab10097a6b0fe803b21d925feee1a54d2c8ac54da94b4f4c8d4236ed442137
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5ca6090c213ca77eca1cca5ed3fb55567
SHA1562bcf9be0a1383553133c3d71df257b1322d250
SHA256221324d2c57672cc7e4b6d88f44ae762764177ed3393c14ad57d885d54dc42f9
SHA512e689759c7bb31e69d7ec94cadd619fc788f3ad4d9a92609395724fe6124169fb265f0166f03c4a90e4a800fbed47481a14c6c63d70cf74cc516546271e8ac22b
-
Filesize
11KB
MD511a6a8ef6cc7c9b3c9286cbdee0f9728
SHA1bc2fd01ff0f1b176138c34baba2778d7e3567a07
SHA25616525cb498b23ffeefa028293e1b38eea101f2ad23c3211699bf1351a815603f
SHA5124a2a8f768e28cc1201539dee1e9a5f29e0ba7b6a82d0a480d4c377b740353fc255b0e89ea00e0bb99d930799aebdf2b33e67ca805cfe6804e036043c9f8921b8
-
Filesize
14KB
MD5f3f982622520af32cc86d3a22f352af0
SHA199b7c8a8afa3cfc7292893d7b2253a581249d9d4
SHA256653b5c625dc6f24dcab5aaf33e77fd3c994f4783884c21d0a71b5c1fefbeb4e1
SHA51227482f0293b88c1a31dd1132401b4df19d3636f1a31f2b607ccf9a28dde0165381d65d9d0c492ab6c300bd1da0aac9e8df8c7cb3394cea35c90ce1a544a0576e
-
Filesize
56KB