hxxps://github[.]com/Konskylux/Monoxide

Analysis

max time kernel
50s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 04:25

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Konskylux/Monoxide

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5696	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe
5776	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monoxide x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1128	msedge.exe
1128	msedge.exe
404	msedge.exe
404	msedge.exe
2036	identity_helper.exe
2036	identity_helper.exe
3440	msedge.exe
3440	msedge.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5280	taskmgr.exe
Token: SeSystemProfilePrivilege	5280	taskmgr.exe
Token: SeCreateGlobalPrivilege	5280	taskmgr.exe
Token: SeDebugPrivilege	5696	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe
Token: SeDebugPrivilege	5776	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe
Token: SeTakeOwnershipPrivilege	5696	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe
Token: SeTakeOwnershipPrivilege	5696	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
5776	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5776	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5600	Monoxide x64.exe
5696	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe
5736	Monoxide x86.exe
5776	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe
5696	溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe
5776	荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3504	404	msedge.exe	84
PID 404 wrote to memory of 3504	404	msedge.exe	84
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1872	404	msedge.exe	85
PID 404 wrote to memory of 1128	404	msedge.exe	86
PID 404 wrote to memory of 1128	404	msedge.exe	86
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87
PID 404 wrote to memory of 1752	404	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Konskylux/Monoxide
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd183e46f8,0x7ffd183e4708,0x7ffd183e4718
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3636841379818917346,13287923791383866480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5268

C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x64.exe
"C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5600
- C:\Users\Admin\AppData\Local\Temp\溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe
  "C:\Users\Admin\AppData\Local\Temp\溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5696
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\ext.txt
    3⤵
    PID:2072
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\ka.txt
    3⤵
    PID:4272

C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x86.exe
"C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5736
- C:\Users\Admin\AppData\Local\Temp\荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe
  "C:\Users\Admin\AppData\Local\Temp\荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5776
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\gl.txt
    3⤵
    PID:2568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4ac
1⤵
PID:2324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
da90edcb5258bd2a40bc606cd4425cc3

SHA1
eb41ea52ee4a23de8cee0952c5e61c3b16402f73

SHA256
418d4b37d478a9468b932db1cc54693244e871fef6014fa861ee91de3425a41e

SHA512
1fee8d1b94dd7c1f329c2a92c7d1860907ad1fb337e64f7860f18570b66e27dadc9bffaca9517228d9c1f8f991c13526139f86783a7534e643cacb5f559a85e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5196b8325cc1ccca003fa6bfa336cfa

SHA1
b6043831cecf94f6f55e12c0ce66134f9caa7324

SHA256
fd0b059bdeb8f408709a21916e0bb5ecdac02fa4ac1ba61fecbf195cefc48a87

SHA512
65551ac51ca8db9173fe851ab39748a3b9b782290243034460e0666cba583fd6d0bade69ce4eb570d179424c9379163c3d1d242f4f928ec22ef321c4b33df485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9ce6a947bbfa25b4d754497d3ee1215

SHA1
01b573eb444e05cb662dd209a15673e13c67f492

SHA256
29179583513aa9b0fc28b12b8ee49137a3514dc052f1b8edebecba35b0394512

SHA512
12336e30acfbbf97bfadd50f1489cae7c445a054f60ea28f5489426d3ca15d3f4355b885c7bf942574997582a7ec20bdb5d701e0570bb6c899a461d2d30656a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d74c20bdd807a9a3717a224702bb2a33

SHA1
85f80287351f7c10295d27c08281a66ce320532f

SHA256
93ae63293c07123bfe59da7278a57c0430862035909b5255a8caff349c6836c4

SHA512
09f73a768da0babfd6792c5d5845cd91b74e3b3ae43e942877e962edd01bbc76c295c37c3d2a66bca8f2ad6f47230ed75ded7e86d6149501fff1c4ab60fa5518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68921f869201341be576ade23dc66f59

SHA1
dd96a00e049139d61108ef618309c5cf46e5bd2b

SHA256
076d74414fff0d3a298d72f0dc407f4f38a512736f799eccd18978f8fb03bbff

SHA512
4f5302cdc0bef7606995652589b73de0992abf78dca86714e0acb5be8af7e56e9c9cd40d5b8b96c845a4683afc9c1172347c5ffd8ed050a84930a8a6f0b6c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6fa4dabd55af53350c9d0c0cd4b03bb

SHA1
edad75d1af503c96b43002c9048890c5ce00ac7b

SHA256
bca2280b05243741d2242939bfb271c717956e3cdeffe6c7e3a00271b58d6a4d

SHA512
975ddaea5b092e694d89b874c3c42faac75ec9c9c52d3cc5f78b7092ad4c2176aa98cb06514f1ef67d036eefb5a0aaa83bfd09d02b57ed1f4d4878cd2e525905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c868725160934d84bd2b4ff4fddc4bc3

SHA1
d4b636e62c5920407845360ad7979253cf44c8ff

SHA256
a2631d32dc5777736909cc70590147b290007e25b4aa3370aded482eb99a8f43

SHA512
0c4dea82c1a0e713050943e74b85a8831f5064a7645bebe237988d808f116f119bca5e837211939b55747e1954b7d929d17a78db0ae801c72dc1757026d5ad36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582ae3.TMP

Filesize
1KB

MD5
06f5a0470a05ca09c8aca81b437d2c6f

SHA1
a35b2f8da3a9cd9a32ccd7fc5d0eb87ebcaad464

SHA256
1b8561126cfb71a337a266adf686efbc5f2b8768b20c3ee101eb98f8b10502cd

SHA512
029224dad90ec4b74de6a02b0c84493534140f2efd768a64b24a21a3becaf4c80ae7f7d162db3d385e8f2856b1caf996134b2a5efef92edffa902977a75ad936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8689efc9b13fd5781d7c0d5764a360c7

SHA1
9129109e2bb656ba6fbff348e69424ccc00deba3

SHA256
dd8a82f0747bf37b680e8af41669548cb8b3e30c40d2573ef0c69c29a6817779

SHA512
d7940b6c9be772de20dfbe7cbf870e010b5d9c4e6a55ee3748c7aec4d2d764030d7d2b0d555f09140e4b0deb4872432e7a16efd88da8d945b386888b1965a0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3aafeb7dbfa35c58c29ad1be8d1d1213

SHA1
9ee4e6882fb7fb32813e039e0ac40b69a4a70e64

SHA256
873cbf0b14d33184ff97924743b836383917fd3f338b82169e9f8fcfcb5c3da7

SHA512
4da4a5c61a20bed73dfe5c961cf6493222194eb3b6832eeb0ca5e7319223c96eb122db32769a9a0401809791f99ea44770eb67f1ecac238a24fc13cbbcfe82ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73a6474ce554ca24027a3df8036b1437

SHA1
7dae397f5ab516889234a3705cb33a867ff9f1e0

SHA256
5cbe9dd1486ce8d0413a3a897738b289ba66cdc15396c0d9bbb88363101e7ebc

SHA512
985da4ebfea6db4dcbd630ec72477f2d935bb723c83c4e614eff9734a22dc96807ac0b8c3257b6360563420c86ffd413cedd7e412471939878344c888f4ee17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.exe

Filesize
330KB

MD5
692361071bbbb3e9243d09dc190fedea

SHA1
04894c41500859ea3617b0780f1cc2ba82a40daf

SHA256
ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe

SHA512
cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\溗燒肨錡瀮秙讒鰪鬻桉蛎缑嫽玽旯鴽.txt

Filesize
260B

MD5
7f5e7dfd384687fe4b90962c3dcf252c

SHA1
fa908d1af473c4c9488926fc453434e6562bc91b

SHA256
22e800669674960a15e05919beaf1a63a34d51448d3daae763170f1932908788

SHA512
703babade3c3364e551ec6bed0c5fbaf795569cf1a770467a72dfe6ae4069383981a422f8f215d82ff5299fd260e8d294fac81ec878f54bb703974bd9e803c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.exe

Filesize
289KB

MD5
5c378b11848ac59704c2000b4e711c30

SHA1
6a46c53fd89b1f66d3fdab7653181e8a3e56d418

SHA256
bd764fe2f9734d5ac56933ce68df0a175bfa98dc0266ae3cd3a5c963267ea77e

SHA512
c6fe33ff3825e9018abea99ea49dc5221f2abd96bd1099def898425b82c05f9b9ca1aacaba0b7ffb7d09a7d097eae9937abdc13bbf3e7643e24e37edc7841c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\荟鲹罆膫圜麼捐趧珟尚蜪癷绀苭讓乀.txt

Filesize
260B

MD5
b959c8eba9a66348c1d917f630cc2f04

SHA1
4ed212068bbf2649971ad06ab17fa7f31b868bea

SHA256
5e7ffca461387b850da9670e4376dc5da09569880b192ad2eac0737d97d91e5c

SHA512
a4665c824c032f6adfeb47d4a9722ffecdd01cb4767ab977b263fcf78bfe5934ac9060e74990636f49d5de903e6db920a4dbc5c22cc509fc7a35806d6a2a0e90

Download Submit
C:\Users\Admin\Downloads\Monoxide.zip

Filesize
200KB

MD5
e77bca3013a7cdd34871d734a294d60b

SHA1
697b1f62007b9b9fbe6f1e98aede0e5800a6a6f7

SHA256
0d1c5ead44e729aa9b25547bad1f128759d144b8ecdec25bb28d67d694a5b3e0

SHA512
d9ff6c0fdc7cc2378b3de99abce734b6248c8c91fe78cd6c68cd5e84c6400beb0c5192eb9aa28fd22f60744e8c26d29fa5b6dad79296a1c84f0d2275a30628e2

Download Submit
memory/5280-244-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-249-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-248-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-250-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-254-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-253-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-252-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-251-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-243-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download
memory/5280-242-0x000002121CD00000-0x000002121CD01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads