Resubmissions
22-10-2024 17:46
241022-wb98ysxapc 316-09-2024 19:10
240916-xvszfsvemn 314-09-2024 15:54
240914-tcjfhsseqg 1014-09-2024 15:53
240914-tbreqssajn 10Analysis
-
max time kernel
43s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
14-09-2024 15:53
General
-
Target
https://ahgaytvv1.z8.web.core.windows.net/werrx01USAHTML/?bcda=1-864-329-4158#
Malware Config
Signatures
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ahgaytvv1.z8.web.core.windows.net/werrx01USAHTML/?bcda=1-864-329-4158#1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafe8546f8,0x7ffafe854708,0x7ffafe8547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5104 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10091675657655618847,5717336675457421635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x434 0x4b81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
Filesize
19KB
MD58909b9de4c913b3b843f35af7cd36b77
SHA173c7cd4c3ff6b9e56f7d4e0c34214b9ca194545a
SHA256682a7249e433d71eda3c280c9e93b43159dcaa9774ee2b2869500997578dc513
SHA512ac3d4c0c3bb9fd3ae0fd0383b152c1778b9cc7d884da5453ddcc87b4bab509af9b5790d2f2a07afe72a9425b106118e8baf5f1bd9008427115e6246378d4c7ce
-
Filesize
120B
MD5bb89e3a76716412e4819099c4df29809
SHA111697eefe3d5aeaad3804418915291760be4e2de
SHA2567d77461c6d675667025ba4cbbf31f115da348cf11693af349de52f4edcc6432a
SHA51223a6f0a99483c47931b2407cbd043db27d8cd6beb9c4081e2804d9bd97c4a1ea52ea7b554f9a0bd90f28f200cdc9dc11ccebe8be8fef55ba265b323f851017e6
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
5KB
MD54b88ce25ada59ee595cba73688a9d78c
SHA10f7314cc7565200b182ff8ae5001bff90a5b507f
SHA256625c158b845cdd9d121accf87687ce645507720a5db723bf1cf35da6722e7edd
SHA51248df45fe02e5164c4e16237ae13d0557e9e27f2128e63d817404a610ff06923077d778841faefcb3e222ef417e7d5955f10cceb3d38c00d7b3b91fbcf31d4c49
-
Filesize
6KB
MD560c089d083cbb002a1e804b14d0c36eb
SHA125ca13303afad23dc58ce27dabdc2d171d21f371
SHA256a2b2e9a9b08164b1bc6c0b6afeb06046816fbfaef4763582c58f9fba6f4c708e
SHA5129e6992257b4f357004da07dc42460db15627c86fc5e261ddf066326f9ebc7d42da65655b21b37fb04e3a97177f0aee3cddc24c84be1d7059c8ac6039190f1ca1
-
Filesize
6KB
MD564571ec1665c91892107d9c5d013978e
SHA11a403b518a66ab51fe6affd25e285cfa5b8e4511
SHA2562c2cb811111ea29a22dec90bfe20f2e5a7b87ea2182141b144bb052c7c268270
SHA512c0bcb3ec3bee00c56945fc989718961ab7a7bb2ec3b1800c8ed77bafa5fe837f6ec481015f53a2f727ffd8864a9997da6d1fb2fd42fdddde53d555942e7cd064
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD53d2b9addcd53274430e227466a461d38
SHA1204ce361fc3be84aed7de8019ed47fb031cef2fb
SHA25616dd9691a87bd51bcb80a889d29459bdba15dd3cfabb2323432c177cf15f5f9c
SHA51216099c5086fdd5b947c8507284888a7013eca04fe7ab03e3b901af6f1bcded053192fe972b3f88dc6bd18ec11efa13cefd90bac1116f50d048fda9d10dc30d16