Overview

overview

4

Static

static

1

URLScan

urlscan

1

https://www.mediafir...

windows10-1703-x64

4

https://www.mediafir...

windows11-21h2-x64

3

Analysis

  • max time kernel
    58s
  • max time network
    51s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-09-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.mediafire.com/file/22evfi1yvyaormy/Dope.zip/file

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/22evfi1yvyaormy/Dope.zip/file"
    1⤵
      PID:1424
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4332
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      PID:2304
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2692
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1408
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4356
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5024
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Dope.zip\Dope.rar
          2⤵
          • Opens file in notepad (likely ransom note)
          • Suspicious use of FindShellTrayWindow
          PID:4572
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Dope.zip\Dope.rar
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4232
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:216

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
        Filesize

        4KB

        MD5

        1bfe591a4fe3d91b03cdf26eaacd8f89

        SHA1

        719c37c320f518ac168c86723724891950911cea

        SHA256

        9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

        SHA512

        02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml
        Filesize

        74KB

        MD5

        d4fc49dc14f63895d997fa4940f24378

        SHA1

        3efb1437a7c5e46034147cbbc8db017c69d02c31

        SHA256

        853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

        SHA512

        cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UUYAJKKZ\Dope[1].zip
        Filesize

        1.8MB

        MD5

        22c670c738b07bd539e66676d43b022a

        SHA1

        ee844c69c02c984fa1dd9d24cf7a18efbaaf76dc

        SHA256

        e551e380845d58e1c9fcc7323a91020a8f2ba5c94515493fc720646a9501089b

        SHA512

        deaed77ea519a7f890caa85af0ebb3a9674e285335e4ce0ad6a811e2bb160fc881926b11fffaaede182f3ee9ab4a9b60a42147585c5e0180d75415f2ed19d3a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\0XSN8703\www.mediafire[1].xml
        Filesize

        1KB

        MD5

        3e83bb043227531691e54dcfa28aa09c

        SHA1

        dd276475260b807483cd47bc5952e226a8564fae

        SHA256

        2db03520842479d31ead93e4770a51bb328513c4780a1c97de4e7f21ef2529a3

        SHA512

        c3d313f8d965be45ce88333da9dbd177b70ef986b7349e289ccb801cfca20e20d95e3218c02f7449e16da5b2aadc0891a7c87156ede1369ab874fdd10170d3ae

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0X3U2TE6\favicon[1].ico
        Filesize

        10KB

        MD5

        a301c91c118c9e041739ad0c85dfe8c5

        SHA1

        039962373b35960ef2bb5fbbe3856c0859306bf7

        SHA256

        cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

        SHA512

        3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UUYAJKKZ\Dope[1].zip
        Filesize

        32KB

        MD5

        0e93b9cd83bac2d546d58f32930f1bb4

        SHA1

        457afc75d165f76b00b1a2c78cc612ad9b59594b

        SHA256

        e8bff2a4453591077c07d69dadd9348889d87db9b9e36b0eea553d4bb7478bc4

        SHA512

        7963978a36e34b1e970045029d95fd68c22c9541d379fc1b3dc100f12d8134ed465feec9b18504f48738b5dcfe98d1334cede452067f997ed5881cf019f07ee3

        Download Submit

      • memory/1408-44-0x0000022E93EC0000-0x0000022E93FC0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4332-147-0x0000011DB6890000-0x0000011DB6891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4332-0-0x0000011DB0120000-0x0000011DB0130000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4332-35-0x0000011DAD7B0000-0x0000011DAD7B2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4332-16-0x0000011DB0220000-0x0000011DB0230000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4332-148-0x0000011DB68A0000-0x0000011DB68A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4356-178-0x000001E564A80000-0x000001E564A82000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-242-0x000001E567840000-0x000001E567860000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4356-168-0x000001E563980000-0x000001E5639A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4356-173-0x000001E552300000-0x000001E552400000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4356-174-0x000001E563FD0000-0x000001E563FD2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-176-0x000001E563FF0000-0x000001E563FF2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-86-0x000001E562CA0000-0x000001E562DA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4356-180-0x000001E564AA0000-0x000001E564AA2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-182-0x000001E564AC0000-0x000001E564AC2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-186-0x000001E564AE0000-0x000001E564AE2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-184-0x000001E563F40000-0x000001E563F42000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-188-0x000001E564AF0000-0x000001E564AF2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-190-0x000001E564D10000-0x000001E564D12000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-97-0x000001E563960000-0x000001E563980000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4356-85-0x000001E562CA0000-0x000001E562DA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4356-416-0x000001E568140000-0x000001E568142000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-425-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-431-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-430-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-429-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-427-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-426-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-421-0x000001E562850000-0x000001E562860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4356-58-0x000001E562840000-0x000001E562842000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-61-0x000001E562870000-0x000001E562872000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-63-0x000001E562890000-0x000001E562892000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4356-57-0x000001E552300000-0x000001E552400000-memory.dmp

        Filesize

        1024KB

        Download