hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

10-09-2024 07:01

240910-htazxs1ekr 10

10-09-2024 06:58

240910-hrqbtssfmc 5

Analysis

max time kernel
150s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-09-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ac\unlocker.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\1saas	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\1saas\1sass.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\1saas\LogDelete.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\SearchHost.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\systembackup.bat	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\mssql.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\mssql2.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\1saas\LogDelete.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\Shadow.bat	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac	Dharma.exe
File created	C:\Windows\SysWOW64\ac\__tmp_rar_sfx_access_check_240766953	Dharma.exe
File created	C:\Windows\SysWOW64\ac\nc123.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\SearchHost.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\mssql2.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\1saas\1sass.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\nc123.exe	Dharma.exe
File created	C:\Windows\SysWOW64\ac\EVER\Everything.ini	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER\Everything.ini	Dharma.exe
File created	C:\Windows\SysWOW64\ac\mssql.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\EVER	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\systembackup.bat	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\unlocker.exe	Dharma.exe
File opened for modification	C:\Windows\SysWOW64\ac\Shadow.bat	Dharma.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
2084	msedge.exe
2084	msedge.exe
3828	identity_helper.exe
3828	identity_helper.exe
2372	msedge.exe
2372	msedge.exe
4416	msedge.exe
4416	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 4500	2084	msedge.exe	81
PID 2084 wrote to memory of 4500	2084	msedge.exe	81
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 2832	2084	msedge.exe	82
PID 2084 wrote to memory of 4776	2084	msedge.exe	83
PID 2084 wrote to memory of 4776	2084	msedge.exe	83
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84
PID 2084 wrote to memory of 1584	2084	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffaa653cb8,0x7fffaa653cc8,0x7fffaa653cd8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,16535928440703135641,2503125116802010278,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1628

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Dharma.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3800
- C:\Windows\SysWOW64\ac\nc123.exe
  "C:\Windows\system32\ac\nc123.exe"
  2⤵
  PID:4232
- C:\Windows\SysWOW64\ac\mssql.exe
  "C:\Windows\system32\ac\mssql.exe"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\ac\mssql2.exe
  "C:\Windows\system32\ac\mssql2.exe"
  2⤵
  PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\ac\Shadow.bat" "
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\ac\systembackup.bat" "
  2⤵
  PID:2176
- C:\Windows\SysWOW64\ac\EVER\SearchHost.exe
  "C:\Windows\system32\ac\EVER\SearchHost.exe"
  2⤵
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
115e825a5b00641cf4cff92c6f27edc2

SHA1
753f02e3214c4c796ebb9676cc29f566a7ecb729

SHA256
433b0cacede5775d664aeee2be5491394ddc68775bcca28957ffd85a7fa798bb

SHA512
fa9d27b20a50cc3d035b91c05286a85f58da0a6ae30196f5008119edcc3c359405e9ba9ec85e1c026614c6249b7323bd3cadf9584030d5f5999e7772822e7c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3109be80defc11b45fd372a1cb3af593

SHA1
4778ad00b25d9a5d71a2c3951d22181612f72839

SHA256
c4ddf0b784a46529d865ecc55c37aab7322fb4c89dd88c94bef87024723334f7

SHA512
866b84b3328357b308d6cf7d7db3ab05d1a0772f61f9ee4a61b9d2d4d9842907408615e3a812a9275cb1fd3cce79984caaa877bd5bbe1cc8571264f2932a9e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
37baf21f6884d62dd3fae3bcac0e3f54

SHA1
86387f81e0e639f4b89ac148a2611dbe17c692e5

SHA256
fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be

SHA512
13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
cc4d73e34e4e3f8e986a319af7c94bb6

SHA1
b0340d1365533d7e2e943bcc91afd9563af194e8

SHA256
0b4ad4ab83c5cd2828bd8c66c76d18b77b8b6157409a6cbf1704bd793d3b4e29

SHA512
6ee164ae203e27226a00cb5790b8f66726589c191ccdc6c8e7d612fb47b8aecbcb346dfdb40b488f837b46d090b113f88379bb877191258ada8c07c04d285f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
73fce0fe9c04799e52d0da3b6fbb4adc

SHA1
3d5a61e6ab2c8f5731d9b71b3f182b2f3f9faefa

SHA256
97395bfa507b2b8c1d0d2b6bf6bc15d2e5c4da19888950834903896a9efa2f6c

SHA512
4b25f8e22de2a7c9068ae8635390776ca9a8c30fb355343cb4baff81a16e6b1089136ee15174e68cd572f6d9aaabb62efbc7c320c2bc2747f2bf0682c981b136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed511a2958bcaf81ddd53a0ef8bc8a20

SHA1
b0bf6857c903e8081d5d2fc24f90176b6968d4f6

SHA256
cd73386031ed06e1d0fed1a059fd3608bb5a8aa4f47edf861dc2683448daf17a

SHA512
01126481714baf3539bb1f97f5f8b7a2d858cc015af752ddbd0e9d473f6db181d2e299b83783d1ba3096afcf01e7dfa99b96aba06a66df96a153b8789f18b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6544690c4df932aef1c471704dd55ac4

SHA1
f9fa579283844ccee05f6b5fc804d92b78a6cded

SHA256
f5189015e3ecfc505035f5623375f3903114b8648e255aece7711b3e942f1e9e

SHA512
c2cf8bee7f8e280ea89f8cba627c09ad7d62973593d33bcccbb4f1c89ccfdb891de15d088f063e1ddc8977e27f548b04cace02283b0037cc2766a7881618c43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b92f894cb0f0ecbda5eb37b57be62aa

SHA1
e0b051ead9c468ee85f7992ea57a9afba8a2fe03

SHA256
60c4fb4ef1db658d18a1ae90e3e57f685bfe45d3909767d25705fde3573b5334

SHA512
70c20decb57f9ba4572b88836e8d27a53f2048f68cf4596fdb927be0f51ea38d7806e0d1b188137e1cd1533de8e1d77100c320df24f053248f2b99ec3017be38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfac8dbef3d83ec23e2aec62c9d18301

SHA1
bdd73520ca735da6ae29f393624b30e03009eca1

SHA256
2928610295f8ef6a576d032fe43c338cce2f695bf07a1ca477c4a5973fc87e34

SHA512
7774c02fe506d7ca3a203a894d0fba9551d0d1e16c7f8528c002a64e57710d52ecd727a1d46c3d33e1ec78bf5e7c4d1ef24a63a6845792df7ae7dbdc1875464a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
66486f760d6f572fc55c951e4b2d1014

SHA1
2917c0bff634e919c3c667f6892974c907c419db

SHA256
3ceee863eaf47c0cfd2319f88cb705962a75cf67659e89752bb4d904da3691c4

SHA512
96a1bb6eb215e3560fa85cc02a32d9fec6834673eebb0940ae93064b320665c3937fb3ec44aa36aaa96bfec9300c5f560c0e54322c69dab20f3063ee996c3cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e501.TMP

Filesize
874B

MD5
b53ef20dadaccf44475b36cd28e596f2

SHA1
27cab1c777d88dbb42eb09acc49e8c9a30f4abb0

SHA256
0c37689ed525a68e334a7a0a3130f7abd95659afc7c8dae82b4d45df26f948f9

SHA512
ab2a0e2985026c9239a6ddb35ca221c09bfd0f112adfe933d094e3bbb446093cf9011d060f9f959b819a381804b119f4840a9229a4dfaec6f9877aa22934d401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a820ce000b65db14b1a36006a00ddeda

SHA1
0fbda85730695fd17da49c28fd1899ffc1b5f837

SHA256
3c4158765eee44fcfbc2d0e139a04832825e8b771812da706bc5697139b00d0c

SHA512
7d86ebb2db8581b6bffa21956f7f557c8cbd5b8ea0b6f223aa9c3905e936472e51f5ecc7021b7e6ccf15151f77fcbe93bc826b9a1515693c46fc7c4dafbab5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f021ba7413b1a14d561780c8e6a049bc

SHA1
153878b9d88b83cbb7108e98e4b3b1b7a831295c

SHA256
ac0b9de6112f292289e35b6356b6bd725e2b0c50c331e6c6f7432eaa5e0412ec

SHA512
277d4e8e608524fc07a1f4257f3caa86dcb41eb6fffaadf59d461e2f8fb54cb522e755bee59a7f94ea933432136026b38fc6bbac5f0abad5bc11770a99bb4e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8600bae6f317c86e94c4156c295a0c67

SHA1
1d3a2d278598bda807e1c0a9f1ff4c751ba3a3bd

SHA256
637c04ed9ee8cad6ce0f111a84ab34cf59f65143e44a878df7041f000567eb56

SHA512
feae9a4e09d1809c1a64265e4b047f9dfbd631250f854a4fea5625cba1188c1e8e4e3bb8d364ca973759fd01ef991b8dcd6d85ff7ce46b6ef5d15e87d2728d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
efcef6bad9eecd0cd8b669b049d2b242

SHA1
24214998ef18b9ec41f9cf0384217662be0edded

SHA256
4f63eadd270e098ba6085be7220e9492018a985cdcd8a68ee5e23d749e3b85a3

SHA512
920447cefd6f87ff5ab9b4a68fd1fd44bdfeab862bd19ca36d1e2963b3e00d5ae64687add7dc9bf7848ca04e3a5a70f052f094ea29024c90a4c12d10a73bbee3

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SysWOW64\ac\EVER\SearchHost.exe

Filesize
128KB

MD5
0111d35eb62fac0447e6bdfa71f58aa5

SHA1
4f9573252d1f8974e7106305b13af3565add6558

SHA256
44aa0efb7bbd5521aeb0ea8e952ae313153a7d9fc0f9eaf3a8ea6724732f88d4

SHA512
2c532b55a4aab1e57a1564267f0770257dcadced4a1c96d60a38386283e39cb0cd47effe7a815807d489ab0298170cd74da14e616cc8c587d5b7f52d54092207

Download Submit
C:\Windows\SysWOW64\ac\mssql.exe

Filesize
2.3MB

MD5
5aa0ba52aacea2b7005e7569225be73b

SHA1
59e45a4e1994c2d18fa01eeb395f6d8a4b7325ca

SHA256
9b9763f6178959f407e8719adb0fcaa555e892a6bc881ee513c18afa2b582472

SHA512
bb252dd3aa6b4548230caddd47671e386df656e3e3a633d43fcea4381afcbbd813c1995d84830e68d92f1b94d5f90f6d2e5a028fb279f8f32b0eb980583323cf

Download Submit
C:\Windows\SysWOW64\ac\mssql.exe

Filesize
1.2MB

MD5
23a7492b930bfe7f77754673e27449bf

SHA1
2987256bf252824b5fca901ce186eb9f19cf7015

SHA256
35e0ca7203952597a75fa3995ef8fef69065625fffc6afe1f9d295595fdebe81

SHA512
570cc6830b181d3b4a6877d84b1a5d6bfcb4fb63e3d6bb0e613ff04e669ae6ab3281e613aa072b0fda2a9718aa283a72ea2eb227c5c5f4a7242d16227067ee18

Download Submit
C:\Windows\SysWOW64\ac\mssql.exe

Filesize
1.7MB

MD5
3770c81804e6627536f83dfe07bdf6a0

SHA1
d67381c39a872244ceec1f9fdaa8c849ec2835d9

SHA256
9d637f3b1dc38e94fd0e817b56f92aace410fa2f468b600173780382abc55543

SHA512
0d64761caf113e9f7387a0e68bc538aa5f707d85d2dab13c347c094836322f49a764694e6d2b96842e09d3a78f947a6f7dc3f30cfd865c4f3137aa6ce2b8c1a8

Download Submit
C:\Windows\SysWOW64\ac\mssql2.exe

Filesize
960KB

MD5
1fcd00259b33fb129e02728d4f599341

SHA1
c56f7932b44668debce33c95ce1a096580ffd244

SHA256
e19531db8e9c5aa01825c34bebacbfd25641b3c5d544d584609e83494b183ac0

SHA512
16dcdf6a4e06e1456d0ecd879693d9ed12e1f2af432812572ae965f2b3a60126ad7e59c9bd4ad25779684c16164f50657bd707816115a96e4c1486d7dc8124f7

Download Submit
C:\Windows\SysWOW64\ac\mssql2.exe

Filesize
640KB

MD5
50097f3379c237666c39a228f7a06d7a

SHA1
66d231d198ed59e63e42cd19fe323f8be89db03e

SHA256
81d7a1464e4a2a45edd9e3e057f7720db55574e90c6561f252c059f573529649

SHA512
317dc39095ca951edecd9f0f3f875fd1d518699d689b9ff0345c22e9d0b2a71c086541f9d8a9287a63e108eaf30132cb717e9926da45807c44f0fea123aaad1c

Download Submit
C:\Windows\SysWOW64\ac\mssql2.exe

Filesize
576KB

MD5
12e48f0aac1698e199c6c7cab02e075b

SHA1
2be6ab05139137b5bbf44f35f9e325c1fc1a7c90

SHA256
4cc4d2cc23f67d38fc437e61f167641741ffa391d07555985608249216ecaacc

SHA512
185dbf28e9aa1b568a4b06e78cb20e82643edec39377a72880033a084c29a859055e9637aff38a2ee85a2a9b5417cd873e4e4ad30fddae05ee60246773bdf414

Download Submit
C:\Windows\SysWOW64\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Windows\SysWOW64\ac\ulebbdvaprkfnq.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
memory/3456-571-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download