Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16/08/2024, 16:49

General

  • Target

    https://google.com

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 13 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://google.com"
    1⤵
      PID:3400
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4508
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:4800
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      PID:3360
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5088
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4348
    • C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cum.bat
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3704
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cum.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:528
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3168
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2776
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4996
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4008
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2916
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4452
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2868
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3684
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2004
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4336
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4604
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x33c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cum.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\system32\PING.EXE
        ping 93.159.183.97
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2140
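
The tree above shows cmd.exe running C:\Users\Admin\Desktop\cum.bat and spawning PING.EXE against 93.159.183.97 twelve times under PID 1944 and once under PID 3432; that repeated ping to one external address is what the Internet Connection Discovery signature (ATT&CK T1016.001) keys on. Note that the submitted target was https://google.com: the batch file sits on the sandbox desktop, and its 48-byte contents are not shown in this report. The following is an added example, not sandbox output, of how to flag this pattern over process-creation events. The event records are constructed from the tree; parent PIDs of the top-level processes are not in the report and are left as None, and the ProcEvent fields, the benign control event, the thresholds and the regexes are assumptions.

```python
"""Flag the cmd.exe -> repeated PING.EXE pattern seen in the process tree.

Added example; the events are constructed from the report's tree and the
ProcEvent fields, thresholds and regexes are assumptions, not sandbox output.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # parents of the tree's top-level processes are not in the report
    image: str
    cmdline: str


PING = r"C:\Windows\system32\PING.EXE"
CMD = r"C:\Windows\system32\cmd.exe"
BAT_CMDLINE = r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cum.bat" "'

# Constructed from the report's process tree (PIDs, images and command lines as listed there).
EVENTS = [
    ProcEvent(3704, None, r"C:\Windows\System32\NOTEPAD.EXE",
              r'"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cum.bat'),
    ProcEvent(1944, None, CMD, BAT_CMDLINE),
    *[ProcEvent(pid, 1944, PING, "ping 93.159.183.97")
      for pid in (528, 3168, 2776, 4996, 4008, 2916, 4452, 2868, 3684, 2004, 4336, 4604)],
    ProcEvent(3432, None, CMD, BAT_CMDLINE),
    ProcEvent(2140, 3432, PING, "ping 93.159.183.97"),
    # Constructed benign control: a single ping to a private address, not in the report.
    ProcEvent(6001, 6000, PING, "ping -n 1 10.0.0.1"),
]

SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
# A script under a user-writable profile directory handed to a script host.
USER_DIR_SCRIPT = re.compile(
    r'(?i)\\Users\\[^\\"]+\\(?:Desktop|Downloads|AppData)\\[^"]*\.(?:bat|cmd|ps1|vbs|js)\b')


def ping_target(cmdline: str) -> Optional[str]:
    """Return the host argument of a ping command line, or None.

    Windows ping takes the target as the last argument, so flags such as -n 1 are skipped.
    """
    toks = cmdline.replace('"', "").split()
    if len(toks) < 2 or not toks[0].lower().endswith(("ping", "ping.exe")):
        return None
    target = toks[-1]
    return None if target.startswith(("-", "/")) else target


def is_public_ip(value: str) -> bool:
    """True for a routable (non-private, non-reserved) IP literal; hostnames return False."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def find_ping_sweeps(events, min_count: int = 3):
    """Group PING.EXE children by parent and target; flag a parent that pings the
    same public address at least min_count times (ATT&CK T1016.001)."""
    per_parent = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if not ev.image.lower().endswith("ping.exe"):
            continue
        target = ping_target(ev.cmdline)
        if target and is_public_ip(target):
            per_parent[ev.ppid][target].append(ev.pid)
    hits = []
    for ppid, targets in per_parent.items():
        for target, pids in targets.items():
            if len(pids) >= min_count:
                hits.append({"ppid": ppid, "target": target, "count": len(pids),
                             "child_pids": pids, "technique": "T1016.001"})
    return hits


def find_user_dir_scripts(events):
    """PIDs of script hosts launched with a script from a user profile directory."""
    return [ev.pid for ev in events
            if ev.image.lower().endswith(SCRIPT_HOSTS) and USER_DIR_SCRIPT.search(ev.cmdline)]


if __name__ == "__main__":
    for hit in find_ping_sweeps(EVENTS):
        print(f"PID {hit['ppid']} pinged {hit['target']} {hit['count']}x -> {hit['technique']}")
    print("script hosts running user-dir scripts:", find_user_dir_scripts(EVENTS))
```

With the default threshold of three, only PID 1944 is reported (twelve pings); PID 3432 with its single ping is reported only at min_count=1, and the private-address control never is. The user-directory script check independently flags both cmd.exe instances, which is the cheaper signal to alert on before the ping loop has run.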

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFF1C7835B68D918AE.TMP
    Filesize: 16KB
    MD5: 6ca1dd445f350d45ef62abbd7bde627e
    SHA1: 0d06341084cd52d223fae30a6dc7a7e628121160
    SHA256: 5cc670aaa6c93cca7ff048dfff3ea41f987561f1a71c1f61a3050726630aa110
    SHA512: d88157dd2a3a57bd2075f2b47668dcb2500624df7fedd21debceb361869fcea7a859d982ccd793ba52be03b1e435b05c044a72400d65fd767d3d8f7d2d3ed060

  • C:\Users\Admin\Desktop\cum.bat
    Filesize: 48B
    MD5: d7b63a602398c1020ef535eb5e7ed8c2
    SHA1: ff6807ffc2a91a23eca58763c3927fb748c2b671
    SHA256: ea6f1143dfce538a36b368dce6e6388d7025ccf13906bd4bfd914eb3c45d8dc8
    SHA512: 1ec842e54a91a1c33f2c74c11b90519a4b1bfe6fb3b46deb36f80524bd2bd3b6b3169ae202846ce3d1bc1bd2577903f8109f6182e1822a5d2309faccef53bb52

  • memory/4508-0-0x0000027C2A320000-0x0000027C2A330000-memory.dmp
    Filesize: 64KB

  • memory/4508-16-0x0000027C2A420000-0x0000027C2A430000-memory.dmp
    Filesize: 64KB

  • memory/4508-35-0x0000027C27990000-0x0000027C27992000-memory.dmp
    Filesize: 8KB

  • memory/4508-70-0x0000027C2E620000-0x0000027C2E622000-memory.dmp
    Filesize: 8KB

  • memory/4508-73-0x0000027C279C0000-0x0000027C279C1000-memory.dmp
    Filesize: 4KB

  • memory/4508-77-0x0000027C276F0000-0x0000027C276F1000-memory.dmp
    Filesize: 4KB

  • memory/5088-43-0x0000022189C00000-0x0000022189D00000-memory.dmp
    Filesize: 1024KB

  • memory/5088-44-0x0000022189C00000-0x0000022189D00000-memory.dmp
    Filesize: 1024KB

  • memory/5088-45-0x0000022189C00000-0x0000022189D00000-memory.dmp
    Filesize: 1024KB