hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

10-09-2024 00:42

240910-a2qfkszfpb 10

10-09-2024 00:35

10-09-2024 00:23

10-09-2024 00:18

10-09-2024 00:06

Analysis

max time kernel
99s
max time network
110s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-09-2024 00:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

defense_evasion discovery evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1384	000.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
16	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper	000.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1932	taskkill.exe
3952	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{2DC9F077-2A60-4054-9304-C05025BC16E3}	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 189953.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1596	msedge.exe
1596	msedge.exe
3680	msedge.exe
3680	msedge.exe
1796	identity_helper.exe
1796	identity_helper.exe
3136	msedge.exe
3136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeShutdownPrivilege	1384	000.exe
Token: SeCreatePagefilePrivilege	1384	000.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe
Token: 35	1324	WMIC.exe
Token: 36	1324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe
Token: 35	1324	WMIC.exe
Token: 36	1324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1384	000.exe
1384	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3576	1596	msedge.exe	80
PID 1596 wrote to memory of 3576	1596	msedge.exe	80
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 4564	1596	msedge.exe	82
PID 1596 wrote to memory of 1968	1596	msedge.exe	83
PID 1596 wrote to memory of 1968	1596	msedge.exe	83
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84
PID 1596 wrote to memory of 3360	1596	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4a6e3cb8,0x7ffd4a6e3cc8,0x7ffd4a6e3cd8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1324
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:720
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,1095154772690298285,10333568734044600463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:1440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a33055 /state1:0x41c64e6d
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
79cd6f32fc16f13d740fd8b7391e9187

SHA1
9cc7fcff7b9b67e94fcb2b4a4fe174157a37d232

SHA256
30ad55fcdfca38a0007fbb12da67ff91b18e119b6853dbcd22b10c3b4f289502

SHA512
363512e1c9a1179d5e5c70e239738b342d9d9e68165e03a98a4db6101892628f974b859817adeb86ab8948c171adc1b0049b8885f9518dbb0c33de7ad3e0d0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
12f0ed99d087f93891cd36806b806d7e

SHA1
dcab3ca7acbb61ffc2110246308c7c93e9d01b61

SHA256
124967359275d82b7aa95340e02891b9d9cd191e8e6a8ff649c5a9691134ae21

SHA512
84b9821386846eb51e79f3550bcbe1bc94c0e46b0517201659794f1e2b07b5d18901c6b00f24d52cf213b5689db2c2647c52925c2e8e435c8621b7e46969cff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bdc912cef427a29d34b949d0dc6015d8

SHA1
29934a65f27822bc43f39f784cdecfad25dc61c9

SHA256
ec71f00e7a1925d5fc6071b2bae51dc682ab61cd35465c7c6a4db282a006b6fe

SHA512
47f3fdebfac447dd73e50edeb47fd8b04962195d1e3702dbc5367a292d8f1f9124a04a8387dafbbd81c033c110ee2d96a7de6bc6b39688c2b227bb5b507f9e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e63e36d85722ed52dd1f02329a7c5fd

SHA1
c31333aa07f27455e2f15bc0fae021aa16f225f9

SHA256
034b38a93e859109d1053f2edd4a21cb8fa4c3d6b9dd0aaaedcceccfac72c699

SHA512
c0afff2909fb109ee4be36e4a11f59ea859d6497651c05e354a5f636772b9b65777120d643308211c4a9d743338be4a5c346b0c15b1fd85692315832abc28abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42344ead76c8385f450ffe16ace02eeb

SHA1
7c7cc751ece0e8462f572dcb95ba329cbf333075

SHA256
d8057344088397f5a7504e74c6fd43370e3b33e363079e818993578d15e40614

SHA512
e7404ef0f60624809320cc9496e65b920d118007ba713947eb3ff98aae93357ddd295e207ff36d53d27ba73e0ce8c644aed5b7940adf72731b1829531aea3c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
59c76a475e782392c22ecbf9fc8b2d61

SHA1
4c940eb659cf30d957e186f17dfc1d2218bcec9f

SHA256
cdabdfad5c723e64fd2f4687ccde97e302fe76570e5daa88d36ac40867cf1117

SHA512
92d3038612d68b6f8a238faa09985dffa8ab131514fb3a355737c9bee5d6eef7f70bfab0dbb16042c769df5a287a9c2660033abdcaa67220d1c537a07618e207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce2a7c1ca5aae83680b3aeb0db63228a

SHA1
72b5ce80aa7470fbe5306d3ae2da877c9a858f32

SHA256
90db45204e4db8506797673c6a6cab661a39b0c80478a93871b1f8debb0c9cbd

SHA512
857c9cea845c13182d916ec1a4169314746a2a91f3392520323cead3b460e0d1ec65accbac9f9d55000acc2e4d8829fcf8d28f1ca36abd0390d7ec7cc4e998e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a8a0ce8f5d76c8b2aa72f60dc146f61c

SHA1
a6abd391545660cca7860e6f6c8f90b6d6cbfe6d

SHA256
000e8aad23e4db7144923984db0c1d474ed4bfa5fc2ab4e74b088be12c86bbfc

SHA512
c7e794c9a988b84a139048c33a9291754114cefbaed6cf4e6f47e8177165c1b4c979ac08a884ab9412f40b1c98859595c910e1b20f016cd557f715016209cdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58997c.TMP

Filesize
874B

MD5
51f69db9e2e012d360d91d17ddf19651

SHA1
d747cd1526895edd77f601a8da8f2d70b8e8c7ac

SHA256
522447adb1ab7426be2c57d8d485c854a3e2ca0997000f501450039b408aaa16

SHA512
4649674bc2921e17f51b83ac1c96d863b413f6edc9e18f94f4f23231ff25c8f8f2d04e5d33515382a78206c70632e2cb45c6098802465d1954be8f95d1ab3bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3be962c6c9ff06861dd79bd3ada75af2

SHA1
5ac0b8f3c216c1a6a589af7e54ddb46c42846cec

SHA256
7439bafaf2d7ddacafc25e4292e6dc2082daea0270c2e9db90484088745fdd4d

SHA512
0babddcfffdfcbfcfc047bda494e81e15ee769766bff1b9b2d6b48a6ab982f50768a850c8c4e96725466fab2c7b04e073bc97a671623efe4cafe3f5cb2148973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5805775d2e3d6946387d2626d7200466

SHA1
3501b66f76598d7accd48bc4945afed00438a226

SHA256
eb9e382efd22630837b268f2a8891e48a416710e97f1aac1d5a8968d6268a952

SHA512
8e904c26d1787c19e046ec4a68f2898ca6bcc01ab929e6b8ad8403b7367a35b9f7ec13e6658a214c4f0d4c2ae0ce5844167538eed984b21cd52e63ec683e3c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
704KB

MD5
eb417ca11e5a55ae343c1dada906505a

SHA1
e4fcb21bf4c9081444a72a875c09f5f1bb22ff13

SHA256
ec53f24be58090690e941e309efcab76414da096d1a67049209ecb892cd58d31

SHA512
7515c8799138039681174f09bb1c337a47ffbe8fafba22dac6d2d82f3475f1d30f849367ef44a2d2948498e1579e4267d7f083ae39437f815a314c91cf8e6113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Downloads\000.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 189953.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
memory/1384-400-0x000000000C1C0000-0x000000000C1D0000-memory.dmp

Filesize
64KB

Download
memory/1384-401-0x000000000C1C0000-0x000000000C1D0000-memory.dmp

Filesize
64KB

Download
memory/1384-402-0x000000000C1C0000-0x000000000C1D0000-memory.dmp

Filesize
64KB

Download
memory/1384-403-0x000000000C1C0000-0x000000000C1D0000-memory.dmp

Filesize
64KB

Download
memory/1384-404-0x000000000C190000-0x000000000C1A0000-memory.dmp

Filesize
64KB

Download
memory/1384-405-0x000000000C190000-0x000000000C1A0000-memory.dmp

Filesize
64KB

Download
memory/1384-407-0x000000000C1C0000-0x000000000C1D0000-memory.dmp

Filesize
64KB

Download
memory/1384-406-0x000000000C1C0000-0x000000000C1D0000-memory.dmp

Filesize
64KB

Download
memory/1384-408-0x000000000C190000-0x000000000C1A0000-memory.dmp

Filesize
64KB

Download
memory/1384-396-0x000000000C080000-0x000000000C0B8000-memory.dmp

Filesize
224KB

Download
memory/1384-397-0x000000000BF20000-0x000000000BF2E000-memory.dmp

Filesize
56KB

Download
memory/1384-375-0x0000000006620000-0x0000000006BC6000-memory.dmp

Filesize
5.6MB

Download
memory/1384-365-0x0000000000E80000-0x000000000152E000-memory.dmp

Filesize
6.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads