Overview

overview

8

Static

static

1

.html

windows10-1703-x64

8

Resubmissions

28/12/2024, 23:54

241228-3ycdrswjev 3

08/08/2024, 22:06

240808-1z6mwsvcla 8

08/08/2024, 22:00

240808-1wxktavamd 8

08/08/2024, 21:53

240808-1rv67athpc 4

08/08/2024, 16:19

240808-tspmgazbqe 8

08/08/2024, 16:09

240808-tmaalazbkf 8

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/08/2024, 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    .html

  • Size

    13KB

  • MD5

    67d2b578e5dc47cbdfc65ed262e16ede

  • SHA1

    aedf2e8344506c3f622c7c708dca7620410d6a16

  • SHA256

    148e4c8e99f4281669edf06efe06a2d665fa52465845ebd399a669b21b65dad5

  • SHA512

    fbc12b7c0036b6012c3707d319d4c4ee9d3c67e70b2cb50e78014123e2daa39b29c540ec87e2a9a12d36bbbb48185c29de082e68e741cc4698843f0dcdc9998b

  • SSDEEP

    192:2335phvCphvpWPlphvf5+YUXmg7J7bBSagVSOphvY:i35nKn4PlnQYmmg7ZyZng

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "C:\Users\Admin\AppData\Local\Temp\.html"
    1⤵
      PID:4912
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4960
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\winrar-x64-701.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\winrar-x64-701.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1412
      • C:\Users\Admin\Downloads\winrar-x64-701.exe
        "C:\Users\Admin\Downloads\winrar-x64-701.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1576
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4312
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4472
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3132
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:3728
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4592
    • C:\Windows\system32\werfault.exe
      werfault.exe /h /shared Global\afae0d8462d64a2cb897f35505ab97d2 /t 5096 /p 1412
      1⤵
        PID:4564
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:2904

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\edgecompatviewlist[1].xml
        Filesize

        74KB

        MD5

        d4fc49dc14f63895d997fa4940f24378

        SHA1

        3efb1437a7c5e46034147cbbc8db017c69d02c31

        SHA256

        853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

        SHA512

        cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\QENJ0G7Q\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\winrar-x64-701.exe.0dloyer.partial
        Filesize

        3.8MB

        MD5

        46c17c999744470b689331f41eab7df1

        SHA1

        b8a63127df6a87d333061c622220d6d70ed80f7c

        SHA256

        c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

        SHA512

        4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1IROIAJR\ArenaWars[1].rar
        Filesize

        434KB

        MD5

        d19dc423fc54c14e08630dd87927982b

        SHA1

        423c6fa84fad03961f51bf2451bc050f6d3a4e9b

        SHA256

        9ae7992e917ac13aa8c26a4c064e751510ba829aeb3bfb4f581b0d8407fbf65c

        SHA512

        e07bcdb6103436ef55ca62912c1d54da7d5af6b062eb7189446512ba80e44bf98fb3bed87091daa0fec2ec44b9cd97603eff256438a5eadd2ba09312daf0fad7

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1IROIAJR\winrar-x64-701[1].exe
        Filesize

        79KB

        MD5

        e6e265fae7a247f56688db1d698ce74b

        SHA1

        d0b4f07c50749bcc2e6240b1f14d5784411daae0

        SHA256

        f133fb8fdbc0af93d41ff6b642a8d49a95b8dbbaa7efd218fe55d4f0d78c8872

        SHA512

        a86b724824706f2594b010a9faf38d0d00e2e23bd4ed11c7e959579feb85ab8964be791f324ee044bd6051bc58119174ec35ddc393ef069bbb4495018d77fac4

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZQKAIKYF\winrar-x64-701[1].exe
        Filesize

        31KB

        MD5

        a2a4cb20221d951b7d1628ad4694176e

        SHA1

        3ef39793c8f789df62409dd400040e8f5a04c847

        SHA256

        7a27b320d21ba6e510f9ed9c645936f28a013da9976efb2b109df7f003362899

        SHA512

        497ec649b5ec270cb4edab72291f0d6f63ea709c6d8c453449e9944873b042252b1ddffb0a46a7626c6d59dc56431f87479dbea544acbf4e8c7659886abb205a

        Download Submit

      • C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier
        Filesize

        140B

        MD5

        87f2400fac55a52f00c98383b957c2c5

        SHA1

        05c674922020352b24831aca02c148f1790e3e4d

        SHA256

        15bba9f62aef496865cb022ca2f80056a73909b43d7084ee5fc6297d6060bddd

        SHA512

        3f6ab4eb2de75bf7e5939aa2468d32d63c59c48c4fefd7e099592a77b2b21b00a32e3e4634ed988dda1392dc3eaab760f73c0c8e8d238778c160a76b3b532deb

        Download Submit

      • memory/3132-50-0x00000252AA900000-0x00000252AAA00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3132-60-0x00000252BACE0000-0x00000252BACE2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3132-53-0x00000252AA6F0000-0x00000252AA6F2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3132-162-0x00000252BCA80000-0x00000252BCAA0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3132-168-0x00000252BC2C0000-0x00000252BC2E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3132-58-0x00000252BACC0000-0x00000252BACC2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3132-56-0x00000252BAC00000-0x00000252BAC02000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4472-44-0x000001FF1C880000-0x000001FF1C980000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4472-43-0x000001FF1C880000-0x000001FF1C980000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4960-262-0x000001A2D9EA0000-0x000001A2D9EA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4960-0-0x000001A2D3720000-0x000001A2D3730000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4960-261-0x000001A2D9E90000-0x000001A2D9E91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4960-35-0x000001A2D09A0000-0x000001A2D09A2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4960-16-0x000001A2D3820000-0x000001A2D3830000-memory.dmp

        Filesize

        64KB

        Download