Resubmissions

04-11-2024 06:33

241104-hbf38awgpk 7

04-11-2024 06:31

241104-g94rhawcqb 7

Analysis

  • max time kernel
    15s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 06:31

General

  • Target

    Chara/Run.bat

  • Size

    55B

  • MD5

    953afedf73e9fd5cbd5dbcd0920aba23

  • SHA1

    b5b55fc17f8f6ab01a13e07fd9a5d9565660ac86

  • SHA256

    ec96730cd5760f76624c76d0c318095c8baebf131a457ce0e7f06169e01bc8d8

  • SHA512

    56f17fe591313dbd4d97a360b6f0c824e841270c6c456475ebe45f5a307dfc4b5bc6b3c4f1e9696ed2dff525586debc6cf0e95a86d755ab25fd83cdd6f32c421

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Chara\Run.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\system32\wscript.exe
      wscript.exe InjectStart.vbs
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File ".\HackTool\Y0k9j8h76g5f4d3sdf56g7h8j9k.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/raw/YRdAwctA
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb4bfb46f8,0x7ffb4bfb4708,0x7ffb4bfb4718
            5⤵
              PID:1556
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
              5⤵
                PID:4852
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2376
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
                5⤵
                  PID:3484
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
                  5⤵
                    PID:3108
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8366836132231189263,14014975942634029029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
                    5⤵
                      PID:2940
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:2160
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:5028

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                  Filesize

                  152B

                  MD5

                  34d2c4f40f47672ecdf6f66fea242f4a

                  SHA1

                  4bcad62542aeb44cae38a907d8b5a8604115ada2

                  SHA256

                  b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

                  SHA512

                  50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                  Filesize

                  152B

                  MD5

                  8749e21d9d0a17dac32d5aa2027f7a75

                  SHA1

                  a5d555f8b035c7938a4a864e89218c0402ab7cde

                  SHA256

                  915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

                  SHA512

                  c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                  Filesize

                  5KB

                  MD5

                  52427a90cd5cc60f8a420c051a55a558

                  SHA1

                  a594d61813f4738f5b35710d0bc33e5428c70774

                  SHA256

                  cf98e526dae4392ed11fcba1d5c4fcf2cf28b6bb440320bd20c6368a1a75a8a4

                  SHA512

                  7a520f26a2767c88d63c5fbd2761300f148a3be9aaa5becbe9da1b581f2451b39a2cbee618b0f98d9e26e63df32d1c72340508658c9030bf6f9410f90f5f970c

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nckzpr3.tpg.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • memory/3676-11-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3676-14-0x00007FFB52733000-0x00007FFB52735000-memory.dmp

                  Filesize

                  8KB

                • memory/3676-15-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3676-16-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3676-13-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3676-12-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3676-0-0x00007FFB52733000-0x00007FFB52735000-memory.dmp

                  Filesize

                  8KB

                • memory/3676-1-0x000002BB7A1F0000-0x000002BB7A212000-memory.dmp

                  Filesize

                  136KB

                • memory/3676-39-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

                  Filesize

                  10.8MB