Analysis
-
max time kernel
84s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-08-2024 19:44
General
-
Target
https://gofile.io/d/SumR83
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/SumR831⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82b2d46f8,0x7ff82b2d4708,0x7ff82b2d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5764 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15313558060273581627,8362212525787163374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\HAZE\" -spe -an -ai#7zMap12848:70:7zEvent78731⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\HAZE\map.exe"C:\Users\Admin\Downloads\HAZE\map.exe" C:\Users\Admin\Downloads\HAZE\dragmeonmap.sys1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\HAZE\HAZE.exe"C:\Users\Admin\Downloads\HAZE\HAZE.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\HAZE\logs\2024-08-13.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\HAZE\logs\2024-08-13.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
288B
MD5c3215ddf07a2c0a553538510648ec4c9
SHA16d6b91014968699505a766324e8ec2968c6a6686
SHA256b472c2ea809b3458e3354ce5f56a70fc6aa464ad9a098e5d4d61016dd003cfaf
SHA512401c02ad8da1a3b9fb1bc1588c4c9e5dbf6358ccf26863179f9685c78b78c66f0f8a414aa7582e7b1e7d84392fddedcd1d01166fafb578660ea02f749564f5f3
-
Filesize
391B
MD55f05b26e0caccbee54089cb0044220cc
SHA1e76ead734684a93a820d05c76824d5445f28f584
SHA256256bcc760870f0a18774ed0999652be257776a2049eba989bda8f359b1507dcc
SHA51229ecfa0586aaf62f2e6a90d2623fb01c7bb156993f2ed00085d8dcc97026b48aad69f27855cf3231d6f3d5c388a81367ec9e27ea47cefd50c530d08862292dd7
-
Filesize
6KB
MD5a3da75cac574177e1b03285f72faac97
SHA1f3e8ec951cc9ce9723b5e7a6d22aa0e151e6acf4
SHA2564bb60593ba688bc2a11b9642d38ce4d885284ba9ae4cc33e05fceb059282d74f
SHA51225a8b7895d776cb0bd2bfbfa6a46802d8ab0262ca040616c33fcd9d8a2856cf1b0177a67d4374579e546d0f95e908428a77b3056158c0dcf6553769f0036a95c
-
Filesize
7KB
MD5ed4d8d0600e3f436e02aa0425bfd4d58
SHA1ed0634123393e6a5fb8f4e5a68966c79a1c3a1a8
SHA256d041a7c60844764f84a1a4a40e97c4743a59deec16c69e2d1a45587d65c747ab
SHA512a42535b96f5ea30a177e490c28901ac5788cb329644696557f0cd56ae729e49ac717b51fca77a0d5ac858263d69f45c85b72cf1498c985115a5957cde691e159
-
Filesize
6KB
MD5c2cbe2e9639a9737d4b63bb863bc8c15
SHA19d28476a48ba324dde30a89d658b16338efb4cef
SHA256366f1a7da7af0624365030ec4ef1931c2923ef09dbf5f9ca7cddf978a0f66731
SHA51220ce67ba29f4ee2323430009bfcf05fb5f3045b36e67dbe44a17c4f129c766046327d594ea7bb2ca8cb125bf7376f1068cfbd6a04e52bada5521b3305e852d10
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD57ba02569557fc2618a0056d6106277f4
SHA14d716ba2d2869ae801cc1494516a44e7d003981c
SHA256632c46639fe6001ba671496dea17c9d948da86127b8855d768da2b0661e01476
SHA512f5ea0f85df826820adfad507a5d2aa8765b25d6e9f38a3dc0bcbb1287d0a6980cee76edef3035d0b859673c929bf8066683fb88dbb98d975f5e183c2ec694563
-
Filesize
11KB
MD5ab55a5a37c9f72f77e2297436f2028d0
SHA1274787ac5662549065a7b14e0e9a32f2dc6c32b2
SHA2562a3beeefa793257f0db86700c3dd7d2f73d962c4c4799bc71c78a100294932fc
SHA512d14de9767f7a78dc2cca3df8586e5cda72e7144f42d287bfc7d9266f107b00be20ce6a5aa2c018884ce8b4aa6c1c3066789b02cd7424799b987008415e1da7d1
-
Filesize
941KB
MD5849cbc1102addf6dd5c4d0e636723228
SHA17737fdcf51b5dee308712905846916bd715caecb
SHA256f66d67a1d69fddba1b25f1d7583d6994acdb6f7a495b74c3515ecbf1a7dedee2
SHA512572e535824306db161c8f653eab899f130f72a125d9305934c30dcac85df4ff7d2d65a9aa41c737299e25253ff2d65015772722382fe3923f39d859219285371
-
Filesize
3.9MB
MD5cf5fda1890a753824da748c79eb3866d
SHA1c12f394cb6ae7ca05574eadfd460ea2c73e5e11d
SHA256a8731ebb223fee40d6629fcf09df88829853f916ca48a190fd9069294e263615
SHA5124a18cc36ba6155cb1d0b95cec71ffa69fcdfe51311fee5cfd8a73034bb795b72a9808b4ac130cf13331b37e96150a7c850be3ee580fabdcb117cbcc2f459b89d
-
Filesize
97B
MD5cec39d9873788a7c2b479bec95aa42fa
SHA10840f28f12553afd706dfcb45c0ae2d1d6261fb9
SHA2569dbbd40a1cd31efe24bc2657c69dce97c452cbc2bba9c1428fed7fb3df53f115
SHA51202d9497cea6882c5b6cef7b1dc2e2840dffa8850ba5ad5ff81ef2f61792f46e29a508cf6111deddd8d9d8b07cf4a2efc56268a121bc437885e10f7287615ea79
-
Filesize
143KB
MD57c7a7dfc50c8fc83b4124ff4a624bfe6
SHA1d0b1ab52b2e10fd282ff60fcba015d694b27477e
SHA2566cc854c5e4a8c6d9d0af31db0b6b267b3cbecca9520989e0a7a2eb5d861a18ca
SHA5129eaf8af7dce8103933503a935434eafc20bd288a44c86c3e71fc4489df5bc52dac640c117ead7ea6ae46a13f4ff61cc13e810ad25ecaa5dbbfab00773fbfa414
-
Filesize
6.4MB
MD53a98192661cca70f90c620bc46cc0d63
SHA1f8c1b013a083d81d622b13b2cef99a2d3f7861f2
SHA25607161578e74527f75992bd004a13558cd694c69044b08e287d56dacd0c8837cb
SHA512a883b83a7eebb8d636beda0ad4a57e6cdd074d5dffc09f5c6c0d195ff7d0ec0f61053aa9eaf906e4d63bc2f48ebfe48ef452fd3fbd32062ee03ffe0347c9e5da
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
12KB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB
-
Filesize
9.8MB