hxxps://github[.]com/MalwareStudio/FunnyFile

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 11:07

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/MalwareStudio/FunnyFile

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, mandela.exe"	Mandela.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mandela.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Mandela.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	Mandela.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mandela.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mandela.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mandela.exe	Mandela.exe
File opened for modification	C:\Windows\mandela.exe	Mandela.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1052	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1960	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3020	msedge.exe
3020	msedge.exe
3556	identity_helper.exe
3556	identity_helper.exe
972	msedge.exe
972	msedge.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1588	Mandela.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	1364	7zG.exe
Token: 35	1364	7zG.exe
Token: SeSecurityPrivilege	1364	7zG.exe
Token: SeSecurityPrivilege	1364	7zG.exe
Token: SeDebugPrivilege	1588	Mandela.exe
Token: SeTakeOwnershipPrivilege	1588	Mandela.exe
Token: SeTakeOwnershipPrivilege	1588	Mandela.exe
Token: 33	3060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3060	AUDIODG.EXE
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeShutdownPrivilege	1588	Mandela.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
1364	7zG.exe
1588	Mandela.exe
1960	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe
1588	Mandela.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3372	3020	msedge.exe	84
PID 3020 wrote to memory of 3372	3020	msedge.exe	84
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 1796	3020	msedge.exe	85
PID 3020 wrote to memory of 3528	3020	msedge.exe	86
PID 3020 wrote to memory of 3528	3020	msedge.exe	86
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87
PID 3020 wrote to memory of 3664	3020	msedge.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	Mandela.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mandela.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/MalwareStudio/FunnyFile
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9d046f8,0x7ffba9d04708,0x7ffba9d04718
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7550017385521023662,2132144602972250061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2056

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19551:82:7zEvent23464
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1364

C:\Users\Admin\Desktop\Mandela.exe
"C:\Users\Admin\Desktop\Mandela.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k taskkill /f /im explorer.exe
  2⤵
  PID:3648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9ab83d9c419c5338c3bb156620f8a51c

SHA1
160273586c4845f776000d1f019b0420cb526150

SHA256
4b8e9f811fe2d40f2b525b80ec7eab7ae7f389913686d718fc185cf2e9c44497

SHA512
6249332492cde79d3fe2bbc4b29b0a60a121a9dcb183325a6becbd4240fb1d68ce455209c0f4e36209e20f1e41385e71b848d14822f6a82bf424f58f430433fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
76ce25dd0003895d216aec011fd48815

SHA1
82b7e4be21ebef67d9fe1b9b8025961da5a45f9a

SHA256
c0098c46f84c08915e00ce0dba99fc5c119a8b277d1525335207466a7ce2f9bb

SHA512
7926cd52bd8cb212c621ebee307fb85584c8f3b565daca95eaef7c8620b68d567334ab8da6b041ff975183fb984d73a84a5f0ae2b7a51c2a60a58a38cdb45f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e0cb9f501ada05c97b624549ccb73e1

SHA1
f80bc7e64740c769729d46463372a226e5c8972c

SHA256
2b710278c464ac7026425bdea26d13b08943a93cc75b8e2d88527db2592e0d51

SHA512
88130e846257c3b91a562ab8a2d96022873a7fdb66d5a2b7c401e50edf81e95bc2dfeeb8f0fb4e689feffc21f8a352f66c6f8fd7a673105df6c74e1e6a61d791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc09570c9f41f258537bcf1646bd4ccc

SHA1
015751a9fa62996169506e6c5556ff76ff0367e3

SHA256
14bedc881d11a62565fc4297d2e65e6ec8b55163cae19896e22f1b5c11ee60cd

SHA512
919adc6684b46330331959b51db14aa8532b8d8aaecf36bcd7755af328f33ce5f443e72d2a4a7a255faf8ea3f5c8e86daf6b79703115275c30a23a8f77ddec12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e15188b2da6584254a57b6ecd9df4bf

SHA1
c6df51a3a562c49a0319e8530b7030afcfbd30a6

SHA256
e5f12d86364376bf759be395dde141c7a176854ce48b9fb5a5637f30310e7e73

SHA512
499c6d31bdeeb27892c524bf4ac237b682541edaa61870284c235075bea5d875360538c2d8bcd3604fe97114f3f57cceed56afa3fe1b4e8b6f3dd87ec509e7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ada238e60a6c962498309c668779accc

SHA1
d7b8d3dccf01190f5c06b7bb63125dfb7a15e3e1

SHA256
b36bd62ff0f96c54d6622375230e9dbe1796960d4fb3fca5b943c507303c9637

SHA512
1d3bb60d2704de3970d281632ea3fd467828e2a78c9e629ebdc043e47fcd534dc6ec4e77769222627c55641652b6e1aa1db8a326fab12e348bc633408ca7fe4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580a8a.TMP

Filesize
1KB

MD5
faf19550b1b0490d4b83f100905437d3

SHA1
3f591495b317f7c4a0b51093037c9fd8502e769e

SHA256
b613550a5001e642e8c2f45ed717fd86a33c477899423e6f76e6b2c532a3b176

SHA512
4b05feded261531f70f1e6d6cb83c7240822fcdce42adc3397d9bab941556d2dade8b4a84125c7cf5aacbe27d32bc35ea65f371a3d07995dc3e1a162a4b08341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
927ab772ebbaa96a984775df402233a2

SHA1
47d0e2d6a88b49171080e0b56adf0f30ca40b6cd

SHA256
76d84da6b9f55fffb355c303de82b21d78559754bd59bd17ab8203b17cecebf9

SHA512
6750aaf89c0c8a02234bc41a043f6be0bb851d03c77b72b8b949f9fdcfa0c00560b6767f86f5313a9df2a95cda6cd427652c0c29e2bd2e5a70e8bed562e78667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1f1ca1e46b93204d4a17d1bff92c63b4

SHA1
7ee24a54281e1cb6705c51d7fa67c7d64ae6fb23

SHA256
d4e78162bc00917c58529221f2431a54edc09a7fbfd292f98c7bd90f006944b1

SHA512
eb5de177231c552536ca8ea3f2ecf7d7ad0a18367df423ec80f2e0b9beed3cafa2935ead0bcb3056a3c96f02b705f70175ed7cb02baf9259a2982c43bf104bc3

Download Submit
C:\Users\Admin\Desktop\Mandela.exe

Filesize
15.2MB

MD5
68558a4a7df242046a8a7345501adcf7

SHA1
eac84b6bc1be332af4bafc1bdac30b40041a1295

SHA256
c6818da28a36a7ed628e5a86ede3a642b609b34b2f61ae4dba9a4814d6822d2f

SHA512
160f2d35cabd161c1bb4372de42dff907550b929675f8e450130de0a0f60e703bdad0eb6398437d92db4337b5c3d885dcca398c04af61ff8fe20757f6658dc08

Download Submit
C:\Users\Admin\Desktop\README.txt

Filesize
1KB

MD5
667ccb6b194cb77ce3c4a2a31bbed199

SHA1
bf1dde10a670fb2d593bcb56877b0c6127de4a8e

SHA256
1d0e037b9b6424b2a06d47d1180a29aa57cd30c6b804b106ca4143d9e7d4a117

SHA512
4ad063ca737bfe702d21b20b811ed84d7cffd8a4099d8b8ebc522e0eff8ff8dbccde51ae32a758ab47ff75f34da5af05da711cf28ff083993b8dad1aa5b45996

Download Submit
C:\Users\Admin\Downloads\NotScaryFile.rar

Filesize
15.0MB

MD5
b8bf0843ebe241b26bed3860c60efc73

SHA1
1aac5609f43d051c6681f3baebca971a8338085d

SHA256
f9b46e6d9b70e52141aaa716168e8209f093a979d52b388db85d9cc34f604997

SHA512
f697109bffa8f9339cd5ab637276203712996cab94d13de0eb160822bf9ddabdf48c5603b67b0718c7571421ea2c39bc78ce5ef875db5d71cf923ace99ddfa4a

Download Submit
memory/1588-256-0x00000000004C0000-0x00000000013F4000-memory.dmp

Filesize
15.2MB

Download
memory/1588-257-0x0000000025CF0000-0x0000000027DA2000-memory.dmp

Filesize
32.7MB

Download
memory/1588-260-0x000000001B9C0000-0x000000001B9D4000-memory.dmp

Filesize
80KB

Download
memory/1588-259-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/1588-261-0x000000001B9D0000-0x000000001BA28000-memory.dmp

Filesize
352KB

Download
memory/1588-258-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads