Resubmissions

05-08-2024 10:09

240805-l7ag4atakn 10

05-08-2024 10:08

240805-l6ck3atajl 10

Analysis

  • max time kernel
    52s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 10:08

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Downloads MZ/PE file
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff889ca46f8,0x7ff889ca4708,0x7ff889ca4718
      2⤵
        PID:2036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        2⤵
          PID:2648
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3156
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
          2⤵
            PID:724
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            2⤵
              PID:5004
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              2⤵
                PID:2672
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
                2⤵
                  PID:448
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3748
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
                  2⤵
                    PID:3952
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                    2⤵
                      PID:5112
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
                      2⤵
                        PID:3628
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
                        2⤵
                          PID:1644
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:8
                          2⤵
                            PID:1900
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
                            2⤵
                              PID:2216
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
                              2⤵
                                PID:2328
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,18193867962568847872,8728225562349183151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3404
                              • C:\Users\Admin\Downloads\Annabelle.exe
                                "C:\Users\Admin\Downloads\Annabelle.exe"
                                2⤵
                                • Modifies WinLogon for persistence
                                • Modifies Windows Defender Real-time Protection settings
                                • UAC bypass
                                • Disables RegEdit via registry modification
                                • Event Triggered Execution: Image File Execution Options Injection
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Impair Defenses: Safe Mode Boot
                                • Adds Run key to start application
                                • Checks whether UAC is enabled
                                • System policy modification
                                PID:1312
                                • C:\Windows\SYSTEM32\vssadmin.exe
                                  vssadmin delete shadows /all /quiet
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:2412
                                • C:\Windows\SYSTEM32\vssadmin.exe
                                  vssadmin delete shadows /all /quiet
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:888
                                • C:\Windows\SYSTEM32\vssadmin.exe
                                  vssadmin delete shadows /all /quiet
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:4632
                                • C:\Windows\SYSTEM32\NetSh.exe
                                  NetSh Advfirewall set allprofiles state off
                                  3⤵
                                  • Modifies Windows Firewall
                                  • Event Triggered Execution: Netsh Helper DLL
                                  PID:2316
                                • C:\Windows\System32\shutdown.exe
                                  "C:\Windows\System32\shutdown.exe" -r -t 00 -f
                                  3⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3456
                              • C:\Users\Admin\Downloads\Annabelle.exe
                                "C:\Users\Admin\Downloads\Annabelle.exe"
                                2⤵
                                • Executes dropped EXE
                                PID:3820
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4980
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3928
                                • C:\Windows\system32\vssvc.exe
                                  C:\Windows\system32\vssvc.exe
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1980
                                • C:\Windows\system32\LogonUI.exe
                                  "LogonUI.exe" /flags:0x4 /state0:0xa3961055 /state1:0x41c64e6d
                                  1⤵
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1932

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  ff63763eedb406987ced076e36ec9acf

                                  SHA1

                                  16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

                                  SHA256

                                  8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

                                  SHA512

                                  ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  2783c40400a8912a79cfd383da731086

                                  SHA1

                                  001a131fe399c30973089e18358818090ca81789

                                  SHA256

                                  331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

                                  SHA512

                                  b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                  Filesize

                                  2KB

                                  MD5

                                  387d519892ef276e837921c3e3e40406

                                  SHA1

                                  e81e322e503e711e3a2cc51bc10c1abbede0d064

                                  SHA256

                                  5145b36b1c906eea77826844c400ada9429032f969927e04b5f2039bb6e99bff

                                  SHA512

                                  55ba51b39200f8c201314eb4dc2ba1501fc31a0dcb96e66830cdcfffc8d0b0ea88a4a67d4b98d65c8035d10339c94fe3dad6fdb9c62f53fc19b54dacd25b18ae

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  b616811da390cd3b1962f57cd6ecbeca

                                  SHA1

                                  f017fefd9a6f5136e2ace300de438185925d81af

                                  SHA256

                                  1b0a5f42a3e1ad368e3492b7870a9f3de8be89855d61a882caa39c192df2c4c6

                                  SHA512

                                  7d170d8d99ae6109631b46baef0494add7c1c9bf30ff51cf11d9d9786aece2f2b6556f3c6f2248fcf6fac6aab63aaf636de88f9f384a639944ad1441232c8d46

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  7aa296ae70ce5a4219a822e2c141bacb

                                  SHA1

                                  479ebed688f67d452e570412e9ba00c1d25189e5

                                  SHA256

                                  2ca37da46f1ee782e9b46470167eb593efa32ed719fdc4bfcc6a711323c2c420

                                  SHA512

                                  a51f09177de7d159cbf1615822c725ed8e9df891579ff1b5746389a74ac617365822e208ce336fd417488b42142c9a5970f4ca782f98d655f1acf3598b1bc049

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  c61ef99a44559d7958c881bf8b87ab83

                                  SHA1

                                  cf912b09af85ba67c35637bdebe5e48a2657af99

                                  SHA256

                                  6f545d742ed6894dc6df1c873a1ecc8a72af1544c76f1a433350a1405aa6f8e4

                                  SHA512

                                  1ae9cd4d459b46faa13469ba16609357e6cc81d837fde231d977876d7d69ea253b6baf73e4bf989c73a0c6f0a3c4150e6b3e18206aee13654e22f53ee8472c8a

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                  Filesize

                                  1KB

                                  MD5

                                  076b2b26784880572fab0b8580f2d0d5

                                  SHA1

                                  eef909959795387ef3313409551bc15da64b181a

                                  SHA256

                                  628c7a30d8763c6f725e87ead7a0be9f61c442bfc7c5c416f757ad209e0a85b5

                                  SHA512

                                  8653fa9eff774bda5c89f8983c7346bd850a61c9746540da50c8a324e9ce4fb14e4cac6f9eeeebf6949c0576f2cea778eb62b153d5566349eaf9c50b3c9731df

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dd31.TMP

                                  Filesize

                                  874B

                                  MD5

                                  b3ee09281b99b23807dd09cd86e48973

                                  SHA1

                                  85311c9c422159037920e809156a12d3ed94c165

                                  SHA256

                                  a15b59f04e0f889654494ee3858aa4055ccb00130c79b6da9b91bda0c17fb4a5

                                  SHA512

                                  30a83e809e13d79eeb809cb1074b83522dd17439dbab504988cd64357811a8dcca10b419fab9ee382e0cc7340ac0beb4cfc7a762cad4ccd11f97916260065d3f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  254255801dc458b4e746f653e9642ddd

                                  SHA1

                                  a54c29060643ec62f0ae572a0512563beaee061b

                                  SHA256

                                  b38cc44616fbb5100a7de6f1427373bcdfc275aea15be229a635f1ab054ccbc7

                                  SHA512

                                  adb74b673722b3741f65d26f2e57fdcc7e0a2b798af47aaac67bf22a3f21815c96b00bbbe37d51b68a1ddb448e4c56a66d21ad1f5c16e7df8a1dcf5444e113ee

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  967d85e7727fe9f71dbda7418fd8e967

                                  SHA1

                                  46dac7b22bffad9e530ae3392f2df961f4cf00fe

                                  SHA256

                                  f9ce7b6b80276d34cb65519115d58f99b857a5f73f7b82ad5fb8dadb4069a724

                                  SHA512

                                  9210a1297f64a2e1ecb9cfccbfd8b099c165b61f90499ef9392e3d8abd0103626d1b677fc520961a18b8deae1ffa05834a4f4a1cebb6fdc81290b7b1b3d619ff

                                • C:\Users\Admin\Downloads\Unconfirmed 561788.crdownload

                                  Filesize

                                  15.9MB

                                  MD5

                                  0f743287c9911b4b1c726c7c7edcaf7d

                                  SHA1

                                  9760579e73095455fcbaddfe1e7e98a2bb28bfe0

                                  SHA256

                                  716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

                                  SHA512

                                  2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

                                • memory/1312-257-0x0000024A1F570000-0x0000024A20564000-memory.dmp

                                  Filesize

                                  16.0MB

                                • memory/1312-272-0x0000024A3AA80000-0x0000024A3C00E000-memory.dmp

                                  Filesize

                                  21.6MB