hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

14/10/2024, 23:38

241014-3mvqzawcrn 10

14/10/2024, 23:35

241014-3ld2tswcmn 8

Analysis

max time kernel
122s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14/10/2024, 23:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
244	GoldenEye.exe
1732	rasdial.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
19	raw.githubusercontent.com
38	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rasdial.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rasdial.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 518191.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{9e306d1e-da3a-4c56-9ebe-8b0dcbf1f62f}\rasdial.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{9e306d1e-da3a-4c56-9ebe-8b0dcbf1f62f}\rasdial.exe\:Zone.Identifier:$DATA	GoldenEye.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3980	msedge.exe
3980	msedge.exe
2808	msedge.exe
2808	msedge.exe
3752	msedge.exe
3752	msedge.exe
2424	identity_helper.exe
2424	identity_helper.exe
2536	msedge.exe
2536	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	rasdial.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2840	2808	msedge.exe	77
PID 2808 wrote to memory of 2840	2808	msedge.exe	77
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3124	2808	msedge.exe	78
PID 2808 wrote to memory of 3980	2808	msedge.exe	79
PID 2808 wrote to memory of 3980	2808	msedge.exe	79
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80
PID 2808 wrote to memory of 1280	2808	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1093cb8,0x7ffac1093cc8,0x7ffac1093cd8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:244
- - C:\Users\Admin\AppData\Roaming\{9e306d1e-da3a-4c56-9ebe-8b0dcbf1f62f}\rasdial.exe
    "C:\Users\Admin\AppData\Roaming\{9e306d1e-da3a-4c56-9ebe-8b0dcbf1f62f}\rasdial.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8655513715276760953,16477371964113908473,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a4f168bec361d9f7df7cf6ce9b229293

SHA1
ee1f87a6390527851f3733226b3fea412398ab9f

SHA256
4d3f97d08a511816591aaa44c15d1e1af129f7fe8b6c3d790940d42408fa4948

SHA512
a50e8aac9b55851f7389add9aef50500c31d0114f267556c934b0d5cb7950d7356e45e4b95e24d008c1d9ef15c371c4e578b07f911a0299c61737e63e74ea60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
e61b1ead9209ac15f5703ea0255c67c1

SHA1
a6cf2a7c55efcbfb00ffca1030175c6a836a2ecf

SHA256
8b5ff2b4b6ca2b9ff9e92c23bfa4360c2912275d000b56991ea02623b4df6f62

SHA512
c327614ea5dd50d02dca4d4876b9f4395ea1143ca0d8cdb64c7ebf3c7551b10aec1a9ec9bf22e7d60e0893f80b0c1d54e7c7d02338c5c66c787428c18160dfbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fba788dae1e6db65762dfd6ebd124490

SHA1
3befe0ae9159dfd23e1909456ed1e0c73c3cb34b

SHA256
338f56a3b31a72b947e01e109c21f2231aca31b63fa00ea851b78495ec90ba23

SHA512
7e94da13a0a9ece8d478702b8cd9c3d6622a24eb553084937b68a9cd2d52ef00649bf6af01e76bd853abd698f4c63bbd32b8d7c37edfa6dee4e0e98bb982191e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f8bd404291c48cc6f23ad57b672af99

SHA1
ef4066d17fac69aa17b27036aeac913eed5668de

SHA256
03e87766d6c130d6cc5ba6435812f514cfff9572abbf576808526d6823c4cadc

SHA512
b3db27238aa257708c2719eb2ea8c0bd64cbd1ec92ebe98b6c13e386fa31cf098ef57e5a64a0bdb8550b84661682f2c074d76a34e8ff86f555b8d87c577ee632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
009972af4dd0b78ea088a6eeebb78061

SHA1
16c372131405b0ef2c4308afb8ea1bffd4367270

SHA256
2e6599572dcb35524ecd67fa021922e4c868570e9fbb530b3bd82ba51013f4ca

SHA512
234f3330e954ed60fc86abf6fc332d2d5908008b4434cb222ae19149300a0d68f41c71d7d92d4a740c5253cf6c060e4946e8dcb072a9c59e96725f6659ca686d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
755fb172270ad45ceb6b566979500a36

SHA1
5d37ea96d3db21044c4649525ad2100ce73f6f93

SHA256
780e47064fe4aa1435016f05d9d87f9ac100407dffbc31e3a188954c4ccfefcd

SHA512
54a27dd7c28bb8480f6e3990268ebb9f17d15b91aa6bfb7b0f26c87b6e484df24c475f32933d90b123f7bd1195d3700f7c62a2185ef472a9c3f87b5da139c782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c01d969045c8c460fa74d7b87c81cc2c

SHA1
c9c50de31127f9e406b255eb24227d331e367d8f

SHA256
82e21d002318667f26bec601050a732b9c6fae37013769613a89b86825944153

SHA512
24e820bccd6b6d1bb6281146c3274d01b9b3cf238cccb42a6a824e96fff029d87221b8f7b888de7276011e5cfa38402604b0c444ba1a1b89d1a830c12c36ed5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f6f5c99592b4c632b1b290d07206a60

SHA1
8ee5d6d36b593c42b6b2d530cbba4c140907f472

SHA256
88781b8eae661961bfbe8a63665a3d342adfe09ef2d86c256044958d79325884

SHA512
040cd24841da2a06d3100dac73891c2c9e91be6a90c4bdb509f58808a964fb8f0a186bddf70aaadff40fbee13a9c9f87f041650325b980d08284fcc4998b1de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
690b5dae3ab03f4603d113cc3e139a0f

SHA1
53142e8871be1e4de93170bc69edcba61c6a6a32

SHA256
4e923978e30d46630d6bd764aa075ad839ea1cf4d49e84ce9c258c63749e916c

SHA512
6eeb3973a7a72121d9cfb401d4161b232865725775b6b4bf3cba532f307c36cc5b0f79353bb3a06ac88b88f4e93b5ca682f6285286b5921a16863b9e9356bd18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5816bf.TMP

Filesize
1KB

MD5
0a50707ec2b99bb25ab5c93a5115ff29

SHA1
beb793e718e1db2e94757356d3565ad35c70c65e

SHA256
5c2a1282535dec37c47f0878c264e774454544f9554648345bdf43334e4d6b91

SHA512
8cd2a1b7224f88a85c25af541f44b2e6444609a73a2ce532dc2593f060716a10c51e0129a50cf32b3b5de27c2ea6622b59431436a95493173ef68f9559de7e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be6a0b5cbf95243b374fed2d76d00b6f

SHA1
ed37d44156ad3d83291a359df5a594827a7f00c0

SHA256
a9bfd1d51bb64e94e45592fdd508ec364bb0f7d0886a834a1428913514be8e78

SHA512
7a5c082f49223539b2ecfc8ba74446b0e44fea187c2d81ed76076b6c185670b2fcb684abe7034c1e861ee6a0c6cd556f236fdca2ffe8277e2f8b4c6ce293db7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1ad40e41ab2bdbaacf9f4602f55ee080

SHA1
5b69b7dd1d36020c0a6655cfbbe6c9b770af65f5

SHA256
042a47ef92b3f12d1b904bd8ea49d1118d1c11bd5775b3d0f1f5bfd60e1ce22d

SHA512
5319125ab99b3e8cf2bf144807c7e507dd8284fce1bd8ad84c7cf496a1519a51a848a4278b4d3de0c8e7affd3f9611b1d4da580cf0823e1fe5c2cea26b5a6a70

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 518191.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads