4dfdf750ed430ae78a04620a8462275256f3c44f18e8a5f16fbc05cf750e203a

Analysis

max time kernel
569s
max time network
588s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27/09/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CordKiller.bat
Size

3KB
MD5

91732affacbe7d31a8e7a4d99dadd8ac
SHA1

f1b10a2ab786530948b6d9d90de862861505e8cc
SHA256

4dfdf750ed430ae78a04620a8462275256f3c44f18e8a5f16fbc05cf750e203a
SHA512

ac9aef46f266cc23e9f9782fe59399eadd025b4fe359804386629ae5c196641ca28c7cc9165218f218d6decee1f4b5804ff27c8cfa00ed5567262ab110a0acc9

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
1	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
580	msedge.exe
580	msedge.exe
2188	identity_helper.exe
2188	identity_helper.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4880	3332	cmd.exe	79
PID 3332 wrote to memory of 4880	3332	cmd.exe	79
PID 4880 wrote to memory of 1440	4880	cmd.exe	80
PID 4880 wrote to memory of 1440	4880	cmd.exe	80
PID 3332 wrote to memory of 3612	3332	cmd.exe	81
PID 3332 wrote to memory of 3612	3332	cmd.exe	81
PID 3612 wrote to memory of 1932	3612	msedge.exe	84
PID 3612 wrote to memory of 1932	3612	msedge.exe	84
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 764	3612	msedge.exe	85
PID 3612 wrote to memory of 1688	3612	msedge.exe	86
PID 3612 wrote to memory of 1688	3612	msedge.exe	86
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87
PID 3612 wrote to memory of 2872	3612	msedge.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CordKiller.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent -H "Content-Type: application/json" -H "Authorization: adasdadfdsd23415654dsf" https://discord.com/api/v9/users/@me/library
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\curl.exe
    curl --silent -H "Content-Type: application/json" -H "Authorization: adasdadfdsd23415654dsf" https://discord.com/api/v9/users/@me/library
    3⤵
    PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/sipinslowly
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff08b33cb8,0x7fff08b33cc8,0x7fff08b33cd8
    3⤵
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    PID:764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
    3⤵
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    3⤵
    PID:3792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12639150588907101231,3546244132578272905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3404 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0d224475379b47ccf5ef9a23991f496f

SHA1
7170bcfd0d7bb2cef00798086f63df08effd173e

SHA256
a2af1630e44f44af1845dba46e992b8a94278f208285f56390516b46bdb70f39

SHA512
7a1cbe43f9c192030e2ed86ec1609e2887531a1b271ea8b3128b5d246ac0409aff907353d6cb182ec392ac919c7f293387f8389e80e3a79fcd155dc652c7c97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
aadae93b8d636d034aee972c3635d7b5

SHA1
d8c1119ed585b5403056f37515b98d32d3275ab9

SHA256
baf498aa585a836559bfdfeba511aa8392d8fac7d57e594062dbad9bbd5c8327

SHA512
0a27888dc32f54cf0f1dff75e1f38813c60a0e0d04c16eb2f0a6bd898455f31f0008aa550b1e36f342527d777e71d9ef3e7e88788366f6b64cfdf8ece6e7bd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b36b2a363dd4f682e266019e1c9dc1a

SHA1
7e6e7471550a7ddcb42fb4134845949b876d4900

SHA256
980b6e6b349c9eb9ce9794f5e15cc8183d64e95df31e63df2ce99b98146128d9

SHA512
5dbc587bbe93f1ff79e733153b7a96028dd55561c740ba9f27c0dcbaa291dec8f0601d961246d50a05ffd8c88350ca65e09ac426132f9473d743b79482566947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3b3db58aaa843ca4c55ba97d9e83da88

SHA1
471f912835b3cee7c68dc46e5c2041a6a46416d4

SHA256
916a9132a0a7a0f0d87b8b3e6c9ad1dd2cb2e4533208edbc65a6436bf8f341a6

SHA512
c75cf473d41f25e1b0180e5ce570d1e73ff29680a4477f5d64dd6cade3e2f48e6ce8714549052cedc3a37f4712b4ca85aea173f87833dcbb247ca1dce49c8b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
05791f86ea3a59869291526a9186e0b7

SHA1
61d88f929c93b3ddad6ee03d16d74e4bdd80c70b

SHA256
3d87ff5035769bddecb3ec4e88a63b2d20003bd54d5d32cfb4b9f9085018aed1

SHA512
20273762a13fc6c9c7171a75f20b5ef402cfb20ec95f8f894f5a852ccfcb5c8edb03b8a66528d8c93661c63b76d3e6216f5af370a7d03f89cc0a6aaac4334ac1

Download Submit