Analysis
-
max time kernel
1468s -
max time network
1441s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
11-08-2024 03:38
General
-
Target
https://drive.google.com/file/d/1kcHiXiEBmynHi4Uux4jIYVtz4yqRVBtD/view?usp=drive_link
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1kcHiXiEBmynHi4Uux4jIYVtz4yqRVBtD/view?usp=drive_link1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8440d3cb8,0x7ff8440d3cc8,0x7ff8440d3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,15863901893186533632,4343290797659829438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5026e0c65239e15ba609a874aeac2dc33
SHA1a75e1622bc647ab73ab3bb2809872c2730dcf2df
SHA256593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
SHA5129fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569
-
Filesize
152B
MD5228fefc98d7fb5b4e27c6abab1de7207
SHA1ada493791316e154a906ec2c83c412adf3a7061a
SHA256448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
SHA512fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56
-
Filesize
384B
MD5aa1b4075c61008a715ca8d5e195dcab9
SHA1198448fdbc615ecba674c2d66bd7fac15e851ed6
SHA256423593e99297c59c3ebc7959b8497a62a1820720b10f5bc02a006d2eda7e3672
SHA51236a192c5b2269ae74c4017c8b16ec90c3144585e9e9a6085b437c51e685eb6fba74c76e3ae01618c82ac1180953772e95df46fd45bc321c86e6851fbc275f940
-
Filesize
3KB
MD57dc206c66b5c602c796204ff769d7b51
SHA12bc80907c4b017e9343ba16f5ddd886ed5a470cd
SHA256cae2c74824ea415dcd1be96494ce00f18fc0e2e82ff932fb8a7e9a459c016514
SHA512df481b9d63fbcbf2d4d130f154a41327b04d14ef92d88ef73b1b5a0e19104477d1fb3ae77decae1922aaa1a39c8d5599d7baceb61add9e2da3c6afdd6656976f
-
Filesize
5KB
MD58dee7fe5aec8a079ce5982ef847821dc
SHA1987066888f7f8577ea7aef066513f5047ccee7c1
SHA2563ae7d2b8b0a89c4785e2d97d8c2867bf583691e09a358e0e878543f33e7832b6
SHA5125b80b7eea5d0bf6381d50662fe2335d4c09ed8f7aff7f10bf02d92fc8b88a1a466dc1a47a390531dfe5e5b9dfb7d1285e8e2cf3775aa88e6937c5846096c0b79
-
Filesize
6KB
MD5cd8bb574f84e8b00776ec84480d2e89e
SHA19e22ce9ed8633ecbf020c70a76939d3fedabaa4e
SHA2564149e203b5515ac8fdcbc0a9684598e3467ff701630cd546c43a353cdc77c3f7
SHA5125d405d4defc77371619951468b7d0149022fd32e96726c5c9858125b4df2f3d19656909359fc202bbfbade5733844a58481fd3457ac6041e19fd35af2f5339f2
-
Filesize
6KB
MD5d1a3e254b5700e3796c9b0d101df5a3c
SHA11208f7b58ad229f0dfe96f3206bdc513527df227
SHA256ddbb745137b6c863133a5229777caa1329230817ebb3a255bb5077830cb56019
SHA5121e0460321138d10b70f18990858d6fcf8ed9fed5be25501a54f2feed667ff0aea5169d6e572079ad23f1d19cc6f6552ecf18abe4aab39a5caa9f1decb5b19997
-
Filesize
6KB
MD5274feb25885abe23e1ccb7bc44de34db
SHA1bf2fe4a568d8c99fdca54c55182ef4e7676ea08f
SHA2568bed03f1a8d27f8d8f253aaaae758e8f8abcdc3f014ed8bcf3a32005d9399234
SHA5123d2687e260d7d860d002a1ae7398351be5c4d8ef513fb2acb1d7becd9b5d7d270486bea9ffc7ccb002d4a0fe4a6bdbb3cd35b0ff7c937ffdc4b32721f2a1df83
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD512fb39d3d18db84a485c5d4e1cd6095b
SHA17200148b1572a04bac0825f4a1d98d57cf1b264a
SHA256e1593c4a7b9fb4085c07e0b622551cc7eb31938546559f2d26ff6d507efdbf91
SHA51274c3133673f144022371655221fbffd0f2d250438519040bdc7356aa22fe927502713cf427db83189991adfd9ef672c0f2efaa59370c6486d78fcb177bd7275c
-
Filesize
11KB
MD5fb5065148fb25171e14e969b27088494
SHA1d29d2bc52570b64e8d05b7c597a6e2191b145fb9
SHA256bf97363f49c371c3ba3fc9215fa036c4fa727bfa769afa2997c422fe20137f3d
SHA512cac0858a13517af113bc7e9bedbfa3be034ae74aef6323dd8b151f535a50aae3a7660c02851c3b379cbadb72875cb0117c2881302f44dd803017376a41dea405
-
Filesize
11KB
MD56d53db765074649b5aa8aa4b5ab6c0e3
SHA1716e37ee4e3c73eaa21469bb4e3e98ce7fd26ee7
SHA2569b4fda09b23b4feb5a2749b5a4cd0a052bb78d61da5010cb4f351903f4d84365
SHA5127200a923b82f37e0d768b58767d73c25a9c8c6acf1cc1bc95ad3fd538415de484b93be674b28ce1ea27ebeece7bc273a138fa2e0665afa8187149a1ee942b88e