Overview

overview

10

Static

static

3

Modrinth A...up.exe

windows11-21h2-x64

10

$PLUGINSDI...dl.dll

windows11-21h2-x64

3

$PLUGINSDI...nu.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...gs.dll

windows11-21h2-x64

3

$PLUGINSDI...ls.dll

windows11-21h2-x64

3

theseus_gui.exe

windows11-21h2-x64

6

Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/09/2024, 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Modrinth App_0.8.5_x64-setup.exe

  • Size

    5.5MB

  • MD5

    cea3020b04d892756fbb80603e70d9c3

  • SHA1

    e331108ecaa49d85ecdb476b5c33bfd8f45ba125

  • SHA256

    c1fb3c111d1e918409e8bea3adeb283b19c66fdff08e84c32f64a86e1ddb4713

  • SHA512

    865d177a35bd1f34cf3dabf9833f1e86622e950b9e61855eed98cbeea967204e30a656c90a57bdba932fedd4b78a457fdc286446e487d886afcbef2a35dc0f96

  • SSDEEP

    98304:0nNYBmqrjVRDl83H4I7hwNU5+jblOFgQugCaOyBoUdR9HfmJUWEvu:0nSUgZl83H48uYIJOFgopO0b/FWr

Score
10/10
discovery

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3224
      • C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.8.5_x64-setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.8.5_x64-setup.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3560
      • C:\Users\Admin\AppData\Local\Modrinth App\theseus_gui.exe
        "C:\Users\Admin\AppData\Local\Modrinth App\theseus_gui.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=theseus_gui.exe --webview-exe-version=0.8.5 --user-data-dir="C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3172.4636.12997339045615551604
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4628
          • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
            "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ff93c7a3cb8,0x7ff93c7a3cc8,0x7ff93c7a3cd8
            4⤵
              PID:1892
            • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1816,10307439102733601387,12879370570660633767,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView" --webview-exe-name=theseus_gui.exe --webview-exe-version=0.8.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:2792
            • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,10307439102733601387,12879370570660633767,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView" --webview-exe-name=theseus_gui.exe --webview-exe-version=0.8.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2068 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3376
            • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,10307439102733601387,12879370570660633767,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView" --webview-exe-name=theseus_gui.exe --webview-exe-version=0.8.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2352 /prefetch:8
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:1460
            • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --autoplay-policy=no-user-gesture-required --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1816,10307439102733601387,12879370570660633767,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView" --webview-exe-name=theseus_gui.exe --webview-exe-version=0.8.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:408
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:1668
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:3736

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Modrinth App\theseus_gui.exe
            Filesize

            13.4MB

            MD5

            1906c5a6223efcda09f6f23f9aaa2bef

            SHA1

            72ca57b73ac3da9e4b126fe4b38abbb73044ce56

            SHA256

            11d4ba5aaf841caee559fa8293b44bc7d83404777ef4e84b5a7a0da7be5af22d

            SHA512

            b5d2a840f1e8c830cbdd0007bda99c5444e2d84ce962ff5fa23f6323c95ec2ed15f502ca57469b573a728cd62f3e40f3b955e25cc518a321c8cd2dfeb1739a10

            Download Submit

          • C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView\Crashpad\settings.dat
            Filesize

            152B

            MD5

            b4f72583fc072ec367cba4e546b08b01

            SHA1

            44014485e46f1ccd7068597397c04ae5fa83ac11

            SHA256

            9c8f682cc8eb8db1af24a21ade228a5b56618ca94efa519468f2982cbde96d33

            SHA512

            233f2ab756b8a844b0e9e581a408961539ff60fddf49979ac2214025476e7bed2f1c98272a5c2e0053aac8e6668781b99525ee28d93f0f140c61fdc5719275d5

            Download Submit

          • C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView\Crashpad\settings.dat
            Filesize

            152B

            MD5

            d5983b3ee55d4a9c9e559ecbb5dffd02

            SHA1

            3c9f4f6838ea9121275c1acb96460be671a36091

            SHA256

            b7b9524706afa281562e1c56023cfbe75c2b267ba1bbe7e1bab96e1e2f7670ce

            SHA512

            6db7c7cb8188b407497ee40bee6813c16ca5e9e68205c891b4d5e9f5caa9b2069f78e7a687026e5c20c9d683da7c8b146aeeaada8023d18c123daf81721b5bcb

            Download Submit

          • C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView\Crashpad\throttle_store.dat
            Filesize

            20B

            MD5

            9e4e94633b73f4a7680240a0ffd6cd2c

            SHA1

            e68e02453ce22736169a56fdb59043d33668368f

            SHA256

            41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

            SHA512

            193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

            Download Submit

          • C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView\Default\Sync Data\LevelDB\CURRENT
            Filesize

            16B

            MD5

            46295cac801e5d4857d09837238a6394

            SHA1

            44e0fa1b517dbf802b18faf0785eeea6ac51594b

            SHA256

            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

            SHA512

            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

            Download Submit

          • C:\Users\Admin\AppData\Local\ModrinthApp\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
            Filesize

            41B

            MD5

            5af87dfd673ba2115e2fcf5cfdb727ab

            SHA1

            d5b5bbf396dc291274584ef71f444f420b6056f1

            SHA256

            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

            SHA512

            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsb95E9.tmp\System.dll
            Filesize

            12KB

            MD5

            cff85c549d536f651d4fb8387f1976f2

            SHA1

            d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

            SHA256

            8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

            SHA512

            531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsb95E9.tmp\modern-wizard.bmp
            Filesize

            25KB

            MD5

            cbe40fd2b1ec96daedc65da172d90022

            SHA1

            366c216220aa4329dff6c485fd0e9b0f4f0a7944

            SHA256

            3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

            SHA512

            62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsb95E9.tmp\nsDialogs.dll
            Filesize

            9KB

            MD5

            6c3f8c94d0727894d706940a8a980543

            SHA1

            0d1bcad901be377f38d579aafc0c41c0ef8dcefd

            SHA256

            56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

            SHA512

            2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsb95E9.tmp\nsis_tauri_utils.dll
            Filesize

            29KB

            MD5

            c5bd51b72a0de24a183585da36a160c7

            SHA1

            f99a50209a345185a84d34d0e5f66d04c75ff52f

            SHA256

            5ef1f010f9a8be4ffe0913616f6c54acf403ee0b83d994821ae4b6716ec1d266

            SHA512

            1349027b08c7f82e17f572e035f224a46f33f0a410526cf471b22a74b7904b54d1befb5ea7f23c90079605d4663f1207b8c81a45e218801533d48b6602a93dbc

            Download Submit

          • memory/2792-58-0x00007FF94AEB0000-0x00007FF94AEB1000-memory.dmp

            Filesize

            4KB

            Download