Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-09-2024 16:44
General
-
Target
cleo_redux_setup.exe
-
Size
6.5MB
-
MD5
87682f3ff5d240492ffd4d6a8fa9d700
-
SHA1
5c00d0eb392601b63f693b9e35d92f161b7c22f8
-
SHA256
5554a6526917a29f86250fcb791bc937951f80ccc18d9fc974c4fb7ecbe1d42b
-
SHA512
2267d6097446e9eb4317e38de4f24058b5d225c9731644d27f307f74d7ae102b2378ef4d4c42f779fe48c360f71d1cbbf076e606216c9c466efdffebba353110
-
SSDEEP
196608:QUGUbH3DLzhR8qKHaxB3AdGmb51l81Tu1HwTT:VPLz/8qKH8BYGejk8Hwn
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cleo_redux_setup.exe"C:\Users\Admin\AppData\Local\Temp\cleo_redux_setup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-GKFTU.tmp\cleo_redux_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-GKFTU.tmp\cleo_redux_setup.tmp" /SL5="$6027E,5939128,1157632,C:\Users\Admin\AppData\Local\Temp\cleo_redux_setup.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcf93046f8,0x7ffcf9304708,0x7ffcf93047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5024 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5004 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,7223651778928119828,13790001512275454240,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x15c 0x2e81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5847d47008dbea51cb1732d54861ba9c9
SHA1f2099242027dccb88d6f05760b57f7c89d926c0d
SHA25610292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f
-
Filesize
152B
MD5f9664c896e19205022c094d725f820b6
SHA1f8f1baf648df755ba64b412d512446baf88c0184
SHA2567121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA5123fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae
-
Filesize
6KB
MD5480fb7c51f519305563679dd683db49b
SHA1c34eb05369136de0b7b3d366edd7219deb55169f
SHA25649674b83bf6c1b006104b9fa216ac775a89263e59c2db3457c7825c040c4729c
SHA5121e28639bf87ea02781fcd43b34b5fcc04c03a93cbc13a474ea1b3b029980dc823d14051468661944ce1309b4be76dccbde1e3c6e7d9c10e41bc1336b3007fa7c
-
Filesize
5KB
MD5697cf493bbee7fa610079184e3de24e3
SHA1a8ab25de898a60af62c8bba69a750b2afa779a7f
SHA25672c3212064964536738706bb0fca1bb70b3e704c8ead5b45306a7e9b18665add
SHA51254118703e6c2239a11eaae89b881c76090e5d113ebe1289a36a81836d87f56760cf4a1d6bd14f0ad288c97fd87c900bc591cdf20550bd329fae0b3627ea6344b
-
Filesize
6KB
MD5d59898f8e90a577a3160b90d1aa98081
SHA1b0a1654c2a8e382c62cce7fca251872a33ab5395
SHA2566383d0b2316524b1a067b8dd2f9c85f9e3267821c4c176f07e5c97dbdb14111c
SHA512024defe3b225bf0a27c3334d8980a0671d252e2631fc8e46d3d7f138c2a23e99bf25d3ea85e3549b91e7e7b7e47f3d16b2d26a0851e9037741dff6a8c156f32a
-
Filesize
6KB
MD5c6954b9937343d219bd318d4e67ebe06
SHA1d5ebecf390dd0da6a16e85c578f982083275b0b0
SHA256dc310d01fe1933ab604ffef79af8f6ae2579e3b3dab5eff36b13b11fbeed09c8
SHA512623a655fa80fff267311efd4380c976be794a8e46ae092829791ab95922fd3db3fb80fdcaeb02a7d26f1bb7df4df70d5357333f5bb0fbc0b9f264690ac03e2cb
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5c631285af494f544cf67f20a295edd8d
SHA18bc75e5863539d76c1a096ed25a719581e6099a5
SHA256ed77105843d2e4c1893dc01b31c6b11206071123d45740c1ecc3b1dc16016780
SHA51234f5306d38acd0d8a99665cf6d180ee7a4529cd5cf6ad42af4c1d45efe42deba4dc111a8fb4085497820cc4fd662b9a6ef17082c0ab63998af0b155179335124
-
Filesize
164B
MD514c5e7bc3423d8bdd0a1c94c96ec5598
SHA1f0152266f96a13dcb706edac69f26d3a484158bb
SHA256b67eae4d6c6b5fc355ed0e553d2c9b57fc050c7f0432eaacffd7862045970042
SHA5124772df6a2da3065dc71b93203d4f90b95e871b9d902192e573b87550ad87c84be3ea37959d3e0cc3f7a31aa5bcf184e0e61d0d349dff6f1fc94915ca09c95158
-
Filesize
421KB
MD57994af00f1e1909bab5fe365467e70d1
SHA1496210e6606d68942a5dec9e9898fa7718916476
SHA25659f8df157ec311d2333591ff2143dc0a891fc70d09f9961cf578fbde7b661ab7
SHA51296497c3255dffe402a08c0c8d01dbac754d9a5fc847f513277f64f67e12ff57db80ce98ac67abcabfcaa939df407eee3ba426eb1aef60a5f8e14b465b74be1e1
-
Filesize
45KB
MD55c863a01db6a801bf670277d68fd7873
SHA120f044ebaf395233cc93e172d3b4c3f4aad01b4d
SHA25662198a326897167b971cc3a564b92db41001960f7e753c8fa395e81f28e50317
SHA512fd1e871be994842aa79cdabbf0a8526a8e96463358d07a66fadc6f5da60983e31f79ad6a90ef32a56e6e9a82a47c0d705f045b5b7bdbf5750c0579c3d69ba86e
-
Filesize
1.6MB
MD5474c9f3660d5dfd049b6125e8793fcef
SHA1bff5a946d0b012e34ef489673f4c009a356d9c02
SHA256c002e02117bb633e237b823548d9a32f8c5445bea1fe99260a81df656e0d0ed7
SHA5121a548b71ead6907aba59b0b76ca96575a34a68e662b13fbca40cd5faa8c697618ccaf14b881bae6878d114470672088ab485f70e9d2083f39d33ea6d9fac6654
-
Filesize
3.3MB
MD5ed3657d38e2ad38968fb4d785b90479c
SHA19aa054d2e754fab046177911aaba8947ff3b93c2
SHA256cea94eaae597a41dd52c83c970b06d9fdacef4857299ff6ba72ab0259e913ab1
SHA512a7dd05adba90f0066ecb976d6e2d5f345196f3b20684e172eb74cfe941fd85febdad00167df16168ae1b48781cb6a285f56d9e996945fb6749a0e8f783d86eab
-
Filesize
147KB
MD534a9a7f6b1d9b2e4ecc2526d9f5fb723
SHA115d908ffe8d28c44860100159f186484e4423c1a
SHA2567fa583af3a44af1fd9e340da556f258ad1c4b79e9083c2d6d98bcfbcb6e57ddf
SHA512195dfa29b7598415c0d12ec158cd05149d1543f980372fefe9c4ec0097f0df9db754b85af5525cc7260027e5ca06c694dc4014e02a4484fd5c12023780bd8fb8
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
728KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB