hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
41s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 00:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

bootkit defense_evasion discovery evasion persistence trojan upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DB.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Aytofp = "C:\\Windows\\SysWOW64\\KBDSMSFIR.exe"	DB.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DB.EXE

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DB.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DB.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

EN.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation EN.EXE
Executes dropped EXE 6 IoCs

Processes:

AV.EXEAV2.EXEDB.EXEEN.EXESB.EXEKBDSMSFIR.exe

pid process

4796 AV.EXE
4904 AV2.EXE
444 DB.EXE
2880 EN.EXE
2404 SB.EXE
4776 KBDSMSFIR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	EN.EXE

pid	process
4796	AV.EXE
4904	AV2.EXE
444	DB.EXE
2880	EN.EXE
2404	SB.EXE
4776	KBDSMSFIR.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DB.EXE	upx
behavioral1/memory/444-409-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/444-418-0x0000000000750000-0x00000000007E3000-memory.dmp	upx
behavioral1/memory/2880-420-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\EN.EXE	upx
behavioral1/memory/444-411-0x0000000000750000-0x00000000007E3000-memory.dmp	upx
behavioral1/memory/444-417-0x0000000000750000-0x00000000007E3000-memory.dmp	upx
behavioral1/memory/2880-463-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DB.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DB.EXE
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

74 raw.githubusercontent.com
72 raw.githubusercontent.com
73 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

SB.EXE

description ioc process

File opened for modification \??\physicaldrive0 SB.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

flow	ioc
74	raw.githubusercontent.com
72	raw.githubusercontent.com
73	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 3 IoCs

Processes:

AV.EXEDB.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\tsa.crt	AV.EXE
File created	C:\Windows\SysWOW64\KBDSMSFIR.exe	DB.EXE
File opened for modification	C:\Windows\SysWOW64\KBDSMSFIR.exe	DB.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

[email protected]AV.EXEAV2.EXEDB.EXEEN.EXESB.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690208421738214"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

AV.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exeDB.EXE

pid process

1884 chrome.exe
1884 chrome.exe
444 DB.EXE
444 DB.EXE
444 DB.EXE
444 DB.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1884 chrome.exe
1884 chrome.exe
1884 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1884 wrote to memory of 964	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 964	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 380	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 1008	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 1008	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe
PID 1884 wrote to memory of 3252	1884	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb6cbecc40,0x7ffb6cbecc4c,0x7ffb6cbecc58
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4932,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,6819195358900424138,13445292900176884015,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2292

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:1736
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Adds policy Run key to start application
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:444
- - C:\Windows\SysWOW64\KBDSMSFIR.exe
    C:\Windows\SysWOW64\KBDSMSFIR.exe
    3⤵
    - Executes dropped EXE
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins8859.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:744
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
    3⤵
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b7b770a20220957cd4fade0b47d388d6

SHA1
c36ca8d9dd911e80623e700e19f16299236a5733

SHA256
1363f859f261958e52b26bdcb1c64a7695f5e993df24292377fe5feb0c70fe97

SHA512
76b3d605ebf74555bbed10e2a4566028b23812322d2bf13024ea4c9991a42353693be01351dc403a57dc22ddd1c6a95cfed989af65a52435e6d62a9b571a86ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
a84713a868cf828353f8da0161c9194a

SHA1
0941c0f68f883f4eb53df55edebc00c43a7cf25b

SHA256
b66053c1fa90a8867ea9f5d3fa056e9f5a7da286b876b77e967641cc646dfed1

SHA512
ebad42da06ec69fbb80329278a1fb4a9d3010a29903562de2ca66b92fa09d44692ce0be6ecf568d172170bb5ccf89d1514e8e0cbcae29bf733d2411a788a398a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a061f9a2e7c4329f579dcfd930b048b9

SHA1
9aa53032a014ce4f3aa6a05fd2771cb7f61d253a

SHA256
ed273db15fa0b70fcae5924b4c64ed333dae9a32b92f741f5ad738da55316c3c

SHA512
27ca6295ddf4c7b75610c1ef371224082516f2572624d1280ded2b9320c4483610375893a69bc590c171708220564412501250ef7a12f9411a855cbdfcee1a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5fe871827b438b3c69b76d7f5c1d8f42

SHA1
b3ffba9730fd31edf525974d6c82eec621d987b6

SHA256
3cc2219d3fb0714f0623fe6029ce3f5deed118a5ed1d5b3f466ea0fbf88d1001

SHA512
3b466c80b64aafb4cf7f2e5a9fa954714f06c57204ad492228ce7deac9510f5140a91eaf6fb0450f407b8f29f1fea62102536d931798554590f684453c1a0f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
857a20b6d59aa44a0c5e8fe759051932

SHA1
36858c7b804861b4ea53f974251b04872494bc17

SHA256
fac6ac19300c45f43cbabb8fb4b6c0fcd4a7dad7ce37e3c57d9e05efa5e12cd2

SHA512
58cb55031c3f7e258c4b63ac57f616f927567768b4390d6e3cffeecb82fb862b87dca89d79bef479576620bdab738e4b85c7582d9addf0357df99f19d0024a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
717479a5dd7c17452fe5732457ddb9c8

SHA1
39428dd53a82fa5a333c40b9d4c0259c43ca38b1

SHA256
4051fee14a279046926d393bad2675db5882a3ebd8625f46015bd98fce702516

SHA512
54df09f1477618a5060c0f2e48f27a00ddc5cb29ca81fe6e78b821d9d3bde2c2e43353dbb621ab24280bea428f4c5a6369b49cb135b88ae01fe68f16ef163bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b40b1deafed9ccdb95b7ec0aaaee83c

SHA1
487afa57b9fcd39484c8dc31e5cd522766df14d5

SHA256
3e5d40d806b22cf8169bbf1daa1fa429eef7faf1cf9eb4bb076ebe9b1d47f46f

SHA512
5092aee981c0e8ea3aa7338b899a94ce757e593c14d925ac3cc0d263a0c80688bc18ef0c1521d8b5107daa2563b5ec7eec921e3c33406f45d5b574b72e689058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3820883bd97ba684c8ff7877f3c43180

SHA1
413792895ff338526f56a4638ce1b46d57fbd2ae

SHA256
5f9e0dafa3d7520e505f7147a4c39fd870e7cade0c0645ec2d54f29689d749e1

SHA512
5960731f81c606b9b484e6a18540c406c8301bbdaf03e4f02585880164b47a28eae06d346e125a8bd38303a79e5383835c28dc20b279c91f363baf26d5c1ef20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d1f2467f0a995ed97dfdbceae8a32059

SHA1
a55ff11e216e026ab4b0f0d323f52c1f8bd3aa95

SHA256
83b7ef193e37fbef6c0bafe8abd1d4309e0ad1ccd3f2d5d9a4b4904dba9cbdcb

SHA512
8acf7eb3bff5d1273a767e563eb0bca7b395fe7571f732331760b55c65d0aa367fb142181c3d9fe403046d315583497b10e9999f2269b1eee79a59b501af1d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\Downloads\Ana.zip.crdownload

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Windows\SysWOW64\KBDSMSFIR.exe

Filesize
101KB

MD5
1b2b52ea19a914306e4c6799e99b365b

SHA1
b09da3c93f9fba2edc8e28aa3c557137a9d085a6

SHA256
08aad287c0c8cef621d6dcc7f94c91f019315cf47454d9623fe7120989cbe872

SHA512
02e0db4c7e47d15cb7a7cd74d108e4d6633f91c78f036854dd1e65fb7c2627dfde4b4e8d43cfc5a58186046bc118803444d0b5f3e887c5ea28e69972b9d3eb14

Download Submit
C:\Windows\SysWOW64\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
\??\pipe\crashpad_1884_XHAOKNEQMNYXSQJX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-418-0x0000000000750000-0x00000000007E3000-memory.dmp

Filesize
588KB

Download
memory/444-409-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/444-411-0x0000000000750000-0x00000000007E3000-memory.dmp

Filesize
588KB

Download
memory/444-417-0x0000000000750000-0x00000000007E3000-memory.dmp

Filesize
588KB

Download
memory/2880-420-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2880-463-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4796-412-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads