Analysis
-
max time kernel
85s -
max time network
85s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
09-09-2024 23:54
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf0bc3cb8,0x7ffcf0bc3cc8,0x7ffcf0bc3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4756 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12316518129233330078,7105956917024241237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot (6).exe"C:\Users\Admin\Downloads\YouAreAnIdiot (6).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 12323⤵
- Program crash
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1908 -ip 19081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d30a5618854b9da7bcfc03aeb0a594c4
SHA17f37105d7e5b1ecb270726915956c2271116eab7
SHA2563494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8
SHA512efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77
-
Filesize
152B
MD503a56f81ee69dd9727832df26709a1c9
SHA1ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b
SHA25665d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53
SHA512e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781
-
Filesize
2KB
MD5a55ccee074ee53a2e5a28d5c3fc43088
SHA14c863c686683a73f7f5e234b5a9f5fc3c8fd8bee
SHA2569f49aae7193cf446ae0e69292f15d546b46ac31128539e40181fd49644d74dde
SHA512a3034bf550f78b465e1557c7644e3dc6cf01f14868340f9f29ec4375bac818f140d0bf7f68a8ef7b249680f9a5b198e2b229d81a129334997eebdc645969a8cd
-
Filesize
579B
MD50a215e77048a147d5ca6a0f085a6cbfd
SHA18d4abdcbbcd3dced499301ee4398952285ebd9ac
SHA25681bbfe3f5fb2f5d99a723db8d227299126998b0a3f5658011c7b626bafd305ce
SHA5126dd9741242244cb55cf2f9c59f7f9fc73ed8df53810beff13407cc7a27992b30591df5f5c4eb9dc6327369a9483f82e069578c2c18790caeb4e54768665f9b49
-
Filesize
579B
MD5be85a012866f82533b134a3e7c03581c
SHA18f361377763dc0f643a3c2746149ca5850c5d8c0
SHA2567c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0
SHA51238aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621
-
Filesize
5KB
MD58095ace13630f6d5003c00079f47a66c
SHA1f4b134021c4c937e5a7227e8161e60dbb9ee00d9
SHA256535899df930a642adb14d3575988c56d1822faac6694146cab5ce973b1c23b8a
SHA5120fedee3b8120814d87c7aaecaf3e392aedc5e747dc6eff0fbbf7b92eb7ae05d0b15230de783f3790e15146c2a5ab971427d1ddb557f1aad0e1ed38e509238d50
-
Filesize
6KB
MD52a97fc378456080ada070ea88e558f39
SHA1d4000d579ff83aabe8e8a51bd751db590275e08c
SHA2566f617012812d89cf0c8e0aece57f92da8e20f27bd15892b3f68fa9558589d3e8
SHA5122456a021ea1d69a26cefb7d4f894df7a721da26d042c80914c2eade69aab081913c5700316f7c399592850f57c20440b7e5d32286b6ec02f0297c1d01896c909
-
Filesize
6KB
MD515cab87298de318c4b272514d2271e8e
SHA170b7c54f5b62d78e63108300a7b2924c9df59056
SHA25634265820d2cd7ea97f3e08db2d310888905e027762e3098b65f703d983b9110d
SHA512ca3e65fe01d85d0a7507a023ee10d204cba845c1490f122ee33271847d4eb2135fa1033e5b7914fbc0f12203a4f46df54816ae13b373186a9a165f7a837f60e2
-
Filesize
6KB
MD5584d35407046593578d8eb7c70d4cacb
SHA1ee78c4e156fef84835a554925e974babdfb68703
SHA2567a17a562e4042c6cb952dd3703c0df74538fb6ca95a725daf72ac3038844b0e4
SHA512dc8c4ec58f606bba01a56f234652c8b7297e47e1f0a6edf2bd9e20946c292fde063b042c9b75331d171f9f9bd4fc0e529dcb8968c618ce462419655075b15116
-
Filesize
1KB
MD5fb3c1f231b249db1655b9f72882dce6e
SHA192276abc50c2fd23ccdaae7a2583cd89b7b9bab9
SHA2560136010488a8da88d7bf21c204b2e6aaf7d470832f83003f784684af605f6c11
SHA5120361a3c9224030a199f89888532f1e577c756196ae9430e7528ada46e9b008e6e8e5cc14536348ea6c60637f764fcce478276b3b356e5378425b20af1edac12b
-
Filesize
1KB
MD5cb44cbdd2ba7e8ae3d5e11182f4cc1ad
SHA13c0a4bf173223d07a204361a5f1bbed6b7bee588
SHA2567f127d42aa592585d8bca72f52b2fe3f6ad5834217f9043a611d59d18610762d
SHA51253e75a0d882711d8b6fe3c73249885d8cd26077fe6bf89e5cd714bf939d2edc82d35c4a3d95a7fada171070f73424c747cccad076812dea6b3d3d9e36e587136
-
Filesize
1KB
MD5528bf47868e2dc2693adddbdaecafc8b
SHA160f7145e11ea1add56255248a692d16c96d3544c
SHA25697f55e45d2ac68bc87fdc3cea4df3befd2e93990c912f92527e9a84902641696
SHA512160f4cb0af2b518930c03994d5e9457f5ab5e09b94ed7b3c2ca152d95c27a9a8b852e6d5dc793cbc3ffd1eb6558155f662f216da8f25ce3dc3119591ced98cf9
-
Filesize
864B
MD5dc6cefce0831bebe87e43e3036a68d4f
SHA104d38fcd1d4fdbc0f334083806ac3c9fad50cca3
SHA256f4d0004068ce01fcebdef3249aa18452bbbfa91f091afe11f78d68a8b2442041
SHA512e10ae2bda1ccc1f91512b83715158463544bc5776b16f0151de7be7f7b6146f8d6e51c27ad0e131864714e290b265f1c0cba50f8d50c0e68621af9d53a4baaa9
-
Filesize
864B
MD552439d0e702abeadfb35330ebf5e2075
SHA1a9424101001f6ca684c049adc193ef15e174702f
SHA256eeff63f25f7b166c58a3e4283d475ae7c53a268b4d543da9b369f7f989036240
SHA512801d37f672fd840ea26302f2c83b5f7b30f8636d6b6f9c74f73a11ebaf71c47a1aba6e25d41d0a29f0a398799d1ed821d687671dbc7f5c1c54eea8f5ab4911aa
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5d51d2619e107710843e380bf7617d854
SHA1cbee9b55967e90e96e65dfc7b2732806d3df6bd0
SHA2562ec9d0806c118e53e4a2f0ce0d53d86c256f3028428c713f3b4a2bde68213cdd
SHA512e508136ce664f0c84d7b4a9a3d7ac3b8ca30daa47d4ad6948db675798782d1e77ca5cfdda96e3df0ad9114c55c8f779e1be63762330eead31011f96a7d69a4ed
-
Filesize
11KB
MD50d0739c290bd1c7f40d60c27503c5d38
SHA105da965b53c6bd80b8046162e0611a6ac5858db7
SHA256919792faab21ccf5587400b3cbebdd7ade59bcc605aa475a805dd3e2c6193df3
SHA51257d92e4b57becce5d323d63c2c4168b11483eea2b92f7f2a76a85409bd00940573ddcf508cd62dd9903f7145d64175fc4a1eb52e9815aed4cd8fda50ba8f7300
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
424KB
MD5e263c5b306480143855655233f76dc5a
SHA1e7dcd6c23c72209ee5aa0890372de1ce52045815
SHA2561f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69
SHA512e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
456KB