hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

11/10/2024, 12:15

241011-peyk1a1glb 6

10/10/2024, 21:52

241010-1q8qwsyclg 10

Analysis

max time kernel
718s
max time network
2655s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Antivirus Pro 2017.zip\\[email protected]"	[email protected]

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\O:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
100	raw.githubusercontent.com
70	raw.githubusercontent.com
73	raw.githubusercontent.com
74	raw.githubusercontent.com
79	raw.githubusercontent.com
80	raw.githubusercontent.com
69	raw.githubusercontent.com
99	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1432	[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]
2116	[email protected]

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	[email protected]
2116	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2296	2904	chrome.exe	29
PID 2904 wrote to memory of 2296	2904	chrome.exe	29
PID 2904 wrote to memory of 2296	2904	chrome.exe	29
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 3044	2904	chrome.exe	31
PID 2904 wrote to memory of 2756	2904	chrome.exe	32
PID 2904 wrote to memory of 2756	2904	chrome.exe	32
PID 2904 wrote to memory of 2756	2904	chrome.exe	32
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33
PID 2904 wrote to memory of 2764	2904	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb0b9758,0x7fefb0b9768,0x7fefb0b9778
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:2
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1724 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:2
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3320 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3620 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3876 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1316,i,12603774169401342635,18337439584123831508,131072 /prefetch:8
  2⤵
  PID:2124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus Pro 2017.zip\[email protected]"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x458
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopBoom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopBoom.zip\[email protected]"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x484
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8579ff3f30b08934edaa75da5b0b53a

SHA1
518fa802dfaffac791bc3c209b8300b4c0335389

SHA256
3df4f55636897d829d0582aac93093109ce10928f65a52ea05de01c3b4c95f32

SHA512
95451bcfce64c45e91a8e6b7cd097fcd2fd99c99cf21247226a1a2ecb3e40d76c3cc963874c90ea67eac2547a43950dc11f96c591bf405c627351d1ca77a96f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e75307f652101f0240358d8bbc692b2

SHA1
bbdc791712fd892f59c7d83f721fca5def6a602c

SHA256
aef840fab3e4d7d273063a9b49162b62b9d2a27d71fb72975c8f6ba09db515af

SHA512
6d771c1a4b9aac4a0937635c41d05db7bb6ca2ac465ecfa1b3af8143e879806aea54bbb084f037413523a79e792f90e0ec99c50cf411566d1bedee811f383827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f538dc3c5c6395b9a001877afd9870c9

SHA1
be9b5e9ad6a0b643256eff0e62b54e805da7712f

SHA256
9143daa3dd44bf49abfc9785a8180c0271b8eb10a7ae768fde288f58fcca4e86

SHA512
697fd0f8af06a6fbaf37e2127ce5ba0484f05a6a6e0e2db5c600592836c8451ea97fffb3f65fedbb9731cf77e15624abcec18a59686a9fae87829e9efcc5cbae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
76cfb7e52c5f4c728786dcb1ffb06d22

SHA1
2369a5b8298916050f31147a49d152122fe11130

SHA256
1663b67fc3043fe400ba049f6ca4d0f887de4ceb964e89e9d28d2046d1ab1a19

SHA512
3069a5abc0be149488c54481b837897152af4f2f020976ea5d1260a7ec644fef97c442d5eff96f68e85d8eb62ea98f0d6420ac241e17db84593f9b0b7265e39d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
63a24117fd82984538a865a342a6850a

SHA1
0d1f08210b17c137a6efcbc20a9fd2d46ed50ac2

SHA256
b046bcc7dce52e906c73e94b6dd78dd3218da470102d805dd8168ebeec378ff8

SHA512
71d8754b4b8126411371ca6e52296da8319f5df4e3b5bf61c527bd9720ea671fe07a1fe49a35389f3bd4ddfa7d9fc2d19f95a874e614403b049b641a33467ed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aec28388cf9340577f9094234a809386

SHA1
12e601bffacfa86402f1952e781b7c9af61bb81d

SHA256
366f2ab2bfd64468ba9a843ca5035172e8b059722397820bb6f7938319b9643b

SHA512
c68c7b37831df48343b271503f4eabb1b485a318a691d37609e60f806847d836c206dd42bf2dd8c250a775719fdb8efc0a463063aa87e4e7fb2a75efb2959bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6b6a822937196ba38273d13324c68869

SHA1
b834d5def3408f1740c5d129dc53d87f6651445c

SHA256
3ec4e90c571921dd3120cbb5c7e4d71957dd64e9f08a8e1d2abc53e4fb5d633e

SHA512
1b80acdf9af93043282d5d1c7060364b47dd7abbfdf7a25e225052039439ebece36f53dc4310eea0c335ff0c688ec554e28fa23d9409c92ee63b47784f95e517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
706251525fcdb65cc1794bde3004a2c2

SHA1
7571783eeb9fc95448aee150dc8685bc44616462

SHA256
adcef5f203871f41fbbc4fb256ee1d49b01e453855bad4259e51c1b4caaea04d

SHA512
65cc2eac6adbf878711d8b9a9de8ad34457371489e147fdfb2a442543c50074b0468a68121b18192695bc257f5f2ac104c1a3a77dbb34c58c5af0e109023736e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
b3094ff2ab773ec2fa8dab1c57d91136

SHA1
f809e80658ab0e70639487ae6361a846429d3ba9

SHA256
4345846bf322327e66a4f00f082b66bb28db9dcee80d552395a5b9ffb978675c

SHA512
b3cc3bb06a60dab1e30bcc47cac32393042cab8dedf4c4ad16045db81db317ff44771e6024ef011ef07bec0bfb02b0d18f2b435d443dd02abac94f8713bc8fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
851B

MD5
11427bc19cab338cbffec23d9bcc5106

SHA1
4b1663b2b2f8f14a44b4364eb89c80d4a20d0ee4

SHA256
6ddba58fe1f33a12ffb6c4d8bc409c6a94bc49ae6f6464fa580efc08b10565d3

SHA512
af37de678c4f2e904b6472e51c29499c6b0e07be53e13f11c2f591278dba7c044c4a50d0ea5ff3d1f59e1556d4efe22c125cf4d485c68b743a20c3c6b53dcaed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
851B

MD5
098019a3609dad4827c89eb69a48d92f

SHA1
10f41d6ecf05d8e4a73b70a98ae0076eeb520d50

SHA256
49a9a043d811e9c071b0d37eedfc19a93a56299264fe1a33ed336416c5d5df37

SHA512
18def064624c934263c0273bfa4c264662482ac27b29d3ba68e8fed279ff45fb3667bd810f8da4acb316f292c712d36b6d9ecd4670b559b5fb973a49d159d003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
20b668ee4e93c371d5b94004a2211ab1

SHA1
f97659881e44a7cce597f8d39d6ac879ae4835da

SHA256
adeae543d1d1f755a9ae85267751637b20a6b521e913d51b1072da205ca069b7

SHA512
55d431921159c4ffb97fde32b83bf4105e24d0c6506cebcb0d82aa6512edde30e8428849f1d5820c6ebb13eea87422aa4ffa50e4a22b28d4b5b8e99a53531fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
843B

MD5
3c1c9739be6438011b933fa22353dd23

SHA1
ccf493d66d822c23beda20166c4b8deabc5ad6aa

SHA256
a3b928817576def997b60e2c568cd3c955bee8baf88ed19890aabb6b2c44515e

SHA512
7ab8c7e21c53da196417594df13ff91411075a9c60ae345182488fb2802f3f048f2cffea08812e31384991c2ef777664899ce00c20baea4e190f75d996316126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
851B

MD5
3a4afa1174f0ccfa2dab9553e617b818

SHA1
83d7c53eb4c0dbb0e06f55af0c182723bce3f8e1

SHA256
35f41b4d0eb45a4709d9bd922379e6202cd0eccbaf9f2923a23db1a64a00e762

SHA512
d374dc3d2e5cbaf3d115bb014249964cb3c24b95022f6fd545dd695478238b77072920c10804faa10cd505f4579012d473203eb41eee272a6c2309d92b2f22a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
845B

MD5
92f67126da85784727abb67b8743a85d

SHA1
24c16a51faceac8fd51c90efdbf8edb5a67b2b7b

SHA256
d2da1c49fe500d53109846ea3591e054fe91e16db575df6eaab5db6ed1e47161

SHA512
922c988ea280dc792cec6728bba180aadb8fc73c1b8599e8479403813ff9f4eef818ece8d444f675162d9bac0b9399d8a0bbd7d0916daf85d366bb83707a9416

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
aa94188b7b7d1662d08fa3cc1e87d87d

SHA1
4a234da46c58a941d3e4e0f36b18d8da16ce6ccb

SHA256
e9e8a580ecad39de090baa49b30be1b432c879baaeaf5825276eee932980f392

SHA512
a24e075df7afe52983ec91564da816523c71b044ddb8e94dac116e8fd7b5280983fb41c900bebaab9ce5521ae7dd845ba64211b8b5dd6730d5d38d2835260817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0f131508963047a667930e77f70cbd72

SHA1
9d97e033ce3baa44bea2e46837465a83bfa25b07

SHA256
d0346794813eb2a8bcbddf5085377287c515e7079afed94576aedc3532fef754

SHA512
07ba99b387c1522939fbd68673c3867248442dacd166601bb0a07d6ab19c94a7c08eda9ed3a565e3050e21f6aa4481dc375675fd556f7e78d4257cbb69cbb681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ee14197dae497d15c3f6c9c0219d2391

SHA1
f5bbe5908fce16ad55e4fc0fd98306a8a81d7be9

SHA256
8a3a2f905d34e5cb6628a33cc3d6a7a0bc143604374e95cdeecfea6b863dc4da

SHA512
1b72ac3b6a834e09e04c6bebbe903552ddfc777975ed5690b410d72f42bdf656862e385a6b8089c9eb926e1b832e2064f23756e9a1a7218cc54859bfe71b0bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
719e2f8abd09ecea42a7f6e5b647153b

SHA1
6669aebbefd7379b0155dfa3eba078f6fd72755c

SHA256
cadcb84d62714bfd725d6343cca3565a6e3fd448bcc96a2bc90afee881d18ba0

SHA512
3ff54a1bf290a197aad9dc6ca27e107e685d5998bcad0960a13a4563ff39762d82a16283b54660b923fc095701d76a9bda9c0625975658d69350014b9a261c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
81KB

MD5
0d1fea3e56ebd17856528e57e39c5c55

SHA1
3c2d7ff785674c7fe89819f494451c454e6a5251

SHA256
82169e8478b098c21aab734a659e315245454ea06a3811d27ffe917a8386dd83

SHA512
cdc3086a660a1e4b4f946e9b8a32cbf132fb9ead45e0c6bb6c4cac602dd58820381545edeb30f4d1c438d5c9d5fb7ecfdc8eb46cd9832b8f7152ad8498e6fe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2116-720-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-753-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-721-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-719-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-716-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-736-0x000000000043C000-0x000000000043E000-memory.dmp

Filesize
8KB

Download
memory/2116-737-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-738-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-739-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-740-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-741-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-743-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-744-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-715-0x000000000043C000-0x000000000043E000-memory.dmp

Filesize
8KB

Download
memory/2116-752-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-717-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-754-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-756-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-757-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-758-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-759-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-760-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-761-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-765-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-774-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-775-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-786-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-806-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-810-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download