-
max time kernel
138s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-10-2024 04:31
Behavioral task
behavioral1
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInput.js
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInput.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInputBox.js
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInputBox.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInputList.js
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInputList.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInputUtils.js
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/browser/quickInputUtils.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/common/quickInput.js
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/common/quickInput.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/storage/common/storage.js
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/storage/common/storage.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/worker/defaultWorkerFactory.js
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/base/worker/defaultWorkerFactory.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/_.contribution.js
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/_.contribution.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/abap/abap.contribution.js
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/abap/abap.contribution.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/abap/abap.js
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/abap/abap.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/apex/apex.contribution.js
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/apex/apex.contribution.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/apex/apex.js
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/apex/apex.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/azcli/azcli.contribution.js
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/azcli/azcli.contribution.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/azcli/azcli.js
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/azcli/azcli.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/bat/bat.contribution.js
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/bat/bat.contribution.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/bat/bat.js
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
Void Exec/bin/DebugMonaco/package/esm/vs/basic-languages/bat/bat.js
Resource
win10v2004-20241007-en
General
-
Target
Void Exec/bin/DebugMonaco/package/esm/vs/base/parts/quickinput/common/quickInput.js
-
Size
772B
-
MD5
c87dac46c7ebb329d4f7073efc247071
-
SHA1
df2c039b1911fc38b59a4ef6e295c6acbac91eed
-
SHA256
7df88b302637d756dc52621445c9e8041c1c4f3020fe11986ddae51cbcbcea64
-
SHA512
013c7515e2e704bdcce505e7f4fcd51dae8bfb37c4982c7e20b0126e25e783ff72ed53b3e6d51b3c578d4992d8092579bdce1ca48834f6ae1b1922b91a7457b4
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Description: File opened for modification — IoC: C:\Windows\Debug\WIA\wiatrace.log — Process: mspaint.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
PID / Process: 1968 msedge.exe; 1968 msedge.exe; 4952 mspaint.exe; 4952 mspaint.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
PID / Process: 4952 mspaint.exe; 4952 mspaint.exe; 4952 mspaint.exe; 4952 mspaint.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4148 wrote to memory of 3396 4148 msedge.exe 112 PID 4148 wrote to memory of 3396 4148 msedge.exe 112 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 
PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 2528 4148 msedge.exe 113 PID 4148 wrote to memory of 1968 4148 msedge.exe 114 PID 4148 wrote to memory of 1968 4148 msedge.exe 114 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115 PID 4148 wrote to memory of 4484 4148 msedge.exe 115
Processes
-
C:\Windows\system32\wscript.exe — wscript.exe "C:\Users\Admin\AppData\Local\Temp\Void Exec\bin\DebugMonaco\package\esm\vs\base\parts\quickinput\common\quickInput.js" 1⤵ PID:4784
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9d4d01cah4fbch44a8haad3h5e86b03c52b51⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffaec5546f8,0x7ffaec554708,0x7ffaec5547182⤵PID:3396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3728138947837628012,9016120524303513685,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:22⤵PID:2528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3728138947837628012,9016120524303513685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3728138947837628012,9016120524303513685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:82⤵PID:4484
-
-
C:\Windows\System32\CompPkgSrv.exe — C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:3988
-
C:\Windows\System32\CompPkgSrv.exe — C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:4452
-
C:\Windows\system32\mspaint.exe — "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UndoTest.wmf" 1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4952
-
C:\Windows\system32\svchost.exe — C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService 1⤵ PID:2780
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5 a0486d6f8406d852dd805b66ff467692
SHA1 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256 c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
5KB
MD5 8dafd32ba56572eea041fe2e1a363b93
SHA1 4619165276d90614221ef4389ba8b733d36ff787
SHA256 a8ecb6285d632a2bc9144b78273770624b16d853ad3ee70bd60d02363e29fee5
SHA512 5856571cff1bd8403d84c307bbac76451c9d644d75c3f02f085cddd4331dc4dd0ab2dcc9956dfa8e7a1a20a772c9489d0dbc5e2823f8b4b955e0929c7a059733
-
Filesize
8KB
MD5 06ae0818eb14380c2af3b704c5e46d5c
SHA1 be568f81d7a1c548eae16fe7657f442626fac9a0
SHA256 06c9dc79af2909b9365b6ced40804d757ff8810ee5a778dd7b223915eb6bb182
SHA512 9e402ccf3f429182ce5e9101325f8d7374ea73e91c429ab4a62df46244782cc0c86f81934e2d61480cde5ef30c2f7fe3b52a25eb9378dbf42f16f20df4da5424