hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master[.]zip

Resubmissions

19-08-2024 12:07

240819-pap33awgjj 4

19-08-2024 11:59

240819-n5r1gasfne 10

19-08-2024 11:54

240819-n292wasend 8

Analysis

max time kernel
206s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 11:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip

Score

8^/10

discovery evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	Process
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\E:	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

000.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exeWinNuke.98.exe000.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
3220	taskkill.exe
2552	taskkill.exe

Modifies registry class 4 IoCs

Processes:

msedge.exeOpenWith.exe000.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{B774F202-1598-4DBC-A0F7-E3AC40BBC002}	000.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
4412	msedge.exe
4412	msedge.exe
836	msedge.exe
836	msedge.exe
4044	identity_helper.exe
4044	identity_helper.exe
2316	msedge.exe
2316	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exe000.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeShutdownPrivilege	3796	000.exe
Token: SeCreatePagefilePrivilege	3796	000.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2316	WMIC.exe
Token: SeSecurityPrivilege	2316	WMIC.exe
Token: SeTakeOwnershipPrivilege	2316	WMIC.exe
Token: SeLoadDriverPrivilege	2316	WMIC.exe
Token: SeSystemProfilePrivilege	2316	WMIC.exe
Token: SeSystemtimePrivilege	2316	WMIC.exe
Token: SeProfSingleProcessPrivilege	2316	WMIC.exe
Token: SeIncBasePriorityPrivilege	2316	WMIC.exe
Token: SeCreatePagefilePrivilege	2316	WMIC.exe
Token: SeBackupPrivilege	2316	WMIC.exe
Token: SeRestorePrivilege	2316	WMIC.exe
Token: SeShutdownPrivilege	2316	WMIC.exe
Token: SeDebugPrivilege	2316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2316	WMIC.exe
Token: SeRemoteShutdownPrivilege	2316	WMIC.exe
Token: SeUndockPrivilege	2316	WMIC.exe
Token: SeManageVolumePrivilege	2316	WMIC.exe
Token: 33	2316	WMIC.exe
Token: 34	2316	WMIC.exe
Token: 35	2316	WMIC.exe
Token: 36	2316	WMIC.exe
Token: SeShutdownPrivilege	3796	000.exe
Token: SeCreatePagefilePrivilege	3796	000.exe
Token: SeIncreaseQuotaPrivilege	2316	WMIC.exe
Token: SeSecurityPrivilege	2316	WMIC.exe
Token: SeTakeOwnershipPrivilege	2316	WMIC.exe
Token: SeLoadDriverPrivilege	2316	WMIC.exe
Token: SeSystemProfilePrivilege	2316	WMIC.exe
Token: SeSystemtimePrivilege	2316	WMIC.exe
Token: SeProfSingleProcessPrivilege	2316	WMIC.exe
Token: SeIncBasePriorityPrivilege	2316	WMIC.exe
Token: SeCreatePagefilePrivilege	2316	WMIC.exe
Token: SeBackupPrivilege	2316	WMIC.exe
Token: SeRestorePrivilege	2316	WMIC.exe
Token: SeShutdownPrivilege	2316	WMIC.exe
Token: SeDebugPrivilege	2316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2316	WMIC.exe
Token: SeRemoteShutdownPrivilege	2316	WMIC.exe
Token: SeUndockPrivilege	2316	WMIC.exe
Token: SeManageVolumePrivilege	2316	WMIC.exe
Token: 33	2316	WMIC.exe
Token: 34	2316	WMIC.exe
Token: 35	2316	WMIC.exe
Token: 36	2316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemProfilePrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeProfSingleProcessPrivilege	1376	WMIC.exe
Token: SeIncBasePriorityPrivilege	1376	WMIC.exe
Token: SeCreatePagefilePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeDebugPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeRemoteShutdownPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe000.exe

pid	Process
1696	OpenWith.exe
3796	000.exe
3796	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 836 wrote to memory of 2912	836	msedge.exe	84
PID 836 wrote to memory of 2912	836	msedge.exe	84
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 440	836	msedge.exe	85
PID 836 wrote to memory of 4412	836	msedge.exe	86
PID 836 wrote to memory of 4412	836	msedge.exe	86
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87
PID 836 wrote to memory of 2996	836	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a19c46f8,0x7ff8a19c4708,0x7ff8a19c4718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2723474103295982407,5731469044441564586,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1456

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
PID:3060

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:4080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c6055 /state1:0x41c64e6d
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c53ec5dc22378cab960d0a717a71aed6

SHA1
121ba4a3c30a6263236404fbb663c0d08cef4c91

SHA256
8c1226c20cf6eeca76b54254dbf776fa7b580a912dd1bcca17b0cbc567144973

SHA512
abbb8e19ada9d0f6e9a93dfcd16f7fba4b0488b0a05ed350c35da33487f656ee3f696e4c028296141974fb6e19c5bde5397d7ed08fe8fa68788a90b9aa802b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4c938a8bcb3e2dc9cf760509af82485

SHA1
7f0bc0d167ae5f8c1ee41f8f897d6aa7693fe54f

SHA256
068719dac77136aa5b4d6a198d49b6fd6ec7bfe26f4e0a6088f58b1eea61052e

SHA512
c05faef9ff6c2381ae1763bfc35eb521ec94da12fc1499357ed7cfaca8a8ffa6cdd5f448e5ef2d21d324a546b7174df984999bada1fe7140403daa1798c07c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0463da4ee9f53c3881988bd4e923347

SHA1
11353155f42852bebad9b0fc553668c74fa45e4a

SHA256
354856c8b5c37fd47748a1d51e11ad093cfccbf5ab5093e43a30b58e855c120b

SHA512
cc2c2193ff4de95d2c63283788f18e4c2ceeff45f1bfc26e5ec5d1255f2b832dc14967ef3d9768ffb6ddd823fa818dfe7cd052fb0496c20def09dd13aefb02d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
95026b1f09be48432dfe2d01d669a641

SHA1
edcba6cc59aac4cda92ff0a9dc84926af4048cc4

SHA256
f7341cca7424f13f3e222734f829a3f5df66577cc5a75be31ff0eed264d218ec

SHA512
8a60917e196e83038c6cb4b652fbc4b82333eebf4d581175cf574099daad7a26974b744ab7f3413c2b38d329af0238ffdaef12ee5045cf1b697c8184dc91da28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
81c1f6388de27178b926019281c2c47a

SHA1
8f5ee1f2510119cc2e0e6795f6c98ddaf59466e7

SHA256
2e2cd2977c667ea2a7a69e500c097e7dd9d531aa1035ec39ee7f7575d910c6aa

SHA512
eb5ac00fa62bbe776e72404307d1942fcf7f0ebfbae511b7c3ca0c682bba66f599997c3901f7608e70c636d3ac23f48318afa8f04d013763b5df9c2f98165a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9f9dcca20c085dd925a4c7899fca369

SHA1
cbd996990e8a591822b07c0c9868615be2ef38b9

SHA256
bd76027d2a352949668a15ccbad2ba504efdbe6aaf4cf23c07c93078c9f08843

SHA512
441ea0605f285fb5ce4a62b70ac23827264d2c30e0dda93668b567ff1e1ca7cccbd4109c17d1bf974d250ab0acaa6eebba1daf746af0510a7bf21fbad8270bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
536dbe76ef96995f25678c3b7176f907

SHA1
2d42c3a01f8c92b2bb970838d5e0544200c9333d

SHA256
c6f7330d814c0757d45f48dbc2d1c0ca855068ae224522d4926bd65c573171d4

SHA512
0424702b3f13c8b05ecae67e3d9d619f9360ac24f5f50a60e3b87eed2685897c2931b2bb75668c46482e0967e26cf90776a254e14cdac42092770b623f82c6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
\??\pipe\LOCAL\crashpad_836_YIXZRIYNTYNDUCYH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3796-249-0x000000000BD20000-0x000000000BD30000-memory.dmp

Filesize
64KB

Download
memory/3796-246-0x000000000BD20000-0x000000000BD30000-memory.dmp

Filesize
64KB

Download
memory/3796-248-0x000000000BD20000-0x000000000BD30000-memory.dmp

Filesize
64KB

Download
memory/3796-224-0x0000000006500000-0x0000000006AA4000-memory.dmp

Filesize
5.6MB

Download
memory/3796-247-0x000000000BD20000-0x000000000BD30000-memory.dmp

Filesize
64KB

Download
memory/3796-253-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3796-256-0x000000000BD20000-0x000000000BD30000-memory.dmp

Filesize
64KB

Download
memory/3796-255-0x000000000BD20000-0x000000000BD30000-memory.dmp

Filesize
64KB

Download
memory/3796-254-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3796-257-0x000000000CCD0000-0x000000000CCE0000-memory.dmp

Filesize
64KB

Download
memory/3796-243-0x000000000BC80000-0x000000000BC8E000-memory.dmp

Filesize
56KB

Download
memory/3796-242-0x000000000BCC0000-0x000000000BCF8000-memory.dmp

Filesize
224KB

Download
memory/3796-223-0x0000000000CF0000-0x000000000139E000-memory.dmp

Filesize
6.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads