Overview

overview

7

Static

static

3

2f86cbb8f3...0N.exe

windows7-x64

3

2f86cbb8f3...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    112s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/08/2024, 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f86cbb8f3b02ad6d5d94db5b2947aa0N.exe

  • Size

    7KB

  • MD5

    2f86cbb8f3b02ad6d5d94db5b2947aa0

  • SHA1

    25127a74c64cb891f2ee786ff03d67888f2b3c6b

  • SHA256

    0908b455eb36f26e79d2f426b482f2431c26e50db51c33e6a7a6878072c70193

  • SHA512

    abe6f6e55d2be0fa07fab92f16ba47f4a4a451cd5af551b0a36da8fd96b460219b17453b9b880e14171e16bcc6a0b48462ea4eed5bdfc18ef9384869e79b62d9

  • SSDEEP

    192:DLgTniCxNdaLixhqnP/VunlYJLLLTuGynqjd:DLgTniCndaLii3hPLTuGTj

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f86cbb8f3b02ad6d5d94db5b2947aa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\2f86cbb8f3b02ad6d5d94db5b2947aa0N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.blackhost.xyz/
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9749046f8,0x7ff974904708,0x7ff974904718
          4⤵
            PID:1532
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
            4⤵
              PID:3496
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3828
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
              4⤵
                PID:1484
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
                4⤵
                  PID:652
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                  4⤵
                    PID:3544
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
                    4⤵
                      PID:2272
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3388
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
                      4⤵
                        PID:4356
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
                        4⤵
                          PID:2468
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
                          4⤵
                            PID:4840
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13834203126612011552,6085940582818246068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
                            4⤵
                              PID:2104
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
                            3⤵
                              PID:2168
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1336
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4444

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              847d47008dbea51cb1732d54861ba9c9

                              SHA1

                              f2099242027dccb88d6f05760b57f7c89d926c0d

                              SHA256

                              10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

                              SHA512

                              bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              f9664c896e19205022c094d725f820b6

                              SHA1

                              f8f1baf648df755ba64b412d512446baf88c0184

                              SHA256

                              7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

                              SHA512

                              3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              f46e32dcceeffb27214d2cc7a9f2e841

                              SHA1

                              8dd88357bf52233136b599915d8b0c82741e2e89

                              SHA256

                              5ce61bdd0b54e7194c99a759ae879e2481d05e7604d95a9921098c646673af57

                              SHA512

                              294bad318c8003611588339df890c04f9e75dfbe716125a8f8c7ead33f7d95681d58d9999686cabb319cf3465a42789525b10eb16c040fa4f87fa014cbfe753e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              f6a98fc9bce3c67127307b21894468fb

                              SHA1

                              b62b91732d4f517854e6bde14037332e3e6ef1df

                              SHA256

                              d36a780b8a7925eb7935ca495c62926cd03a1194a6096a7c9141fd029316ca56

                              SHA512

                              3b8105b959c9dd546b8d21ba0cddbea7d1311f75eb718b26ad7e386829c3bb37d4442cae282ce6a687a822206fbc5c5953820d846cd713f770e3de25f3f1045c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              0a7913aae4800cf55d31a2fadb5466f8

                              SHA1

                              b8574ccf92cad9765178c524972927de0f2e20e1

                              SHA256

                              0920e8e932a076fd7648da9453bdf9246162d14d07e9e09205b3813a4c3e7788

                              SHA512

                              64105f3ea25c627a2f09c7e17408a40e3f5c0d9f9cf408d86e5984dd51fbdc10ec2157442b98cebbeceb42b053df0e13c57ef40078b8f1ee419d2d8f030e809e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\cmd.bat
                              Filesize

                              120B

                              MD5

                              5f91c8c5c052f572890bff384a345927

                              SHA1

                              5496323267d48121e0d44c43dabac89f3144c071

                              SHA256

                              d022c18ecd81e22f4d19bf331e6b1acbd329474d65d1d6372872f1a2806f99e5

                              SHA512

                              7643a8d005014bfd25413dcf64a77846aa8e18b834036594789359d8aa95c466fad0ade86e79285be9a765c8cb3ad81ac26983cd387f86769fb71c2b4d2d43a0

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\msg.vbs
                              Filesize

                              64B

                              MD5

                              2749954088953c5b04b5da7bc57f8486

                              SHA1

                              312ccefa2ae87c67ea53bdc0d235cefcc7e8c153

                              SHA256

                              5b757f6789e2c5c871e197f3c31187b0718e95f87afe04e31e08e473c5d2fe76

                              SHA512

                              aa242e09d9436cecef373679e38c5e581fa84a1db21a76c3b04dab47dba70f95c157d30afd6a3156a9437c8a567dee43e4278dc98515668a72892bf7108dc327

                              Download Submit

                            • memory/2872-0-0x00007FF965A33000-0x00007FF965A35000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/2872-1-0x00000000002C0000-0x00000000002C8000-memory.dmp

                              Filesize

                              32KB

                              Download