hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

09-11-2024 23:01

241109-2zwncsxjaj 10

09-11-2024 22:59

241109-2yptestjfs 8

Analysis

max time kernel
105s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 22:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

discovery evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\Z:	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5384	taskkill.exe
3752	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{E69BDEB1-0876-4545-8635-AD94D47CBA6F}	000.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2560	msedge.exe
2560	msedge.exe
3784	msedge.exe
3784	msedge.exe
3136	identity_helper.exe
3136	identity_helper.exe
5620	msedge.exe
5620	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeShutdownPrivilege	5320	000.exe
Token: SeCreatePagefilePrivilege	5320	000.exe
Token: SeDebugPrivilege	5384	taskkill.exe
Token: SeIncreaseQuotaPrivilege	372	WMIC.exe
Token: SeSecurityPrivilege	372	WMIC.exe
Token: SeTakeOwnershipPrivilege	372	WMIC.exe
Token: SeLoadDriverPrivilege	372	WMIC.exe
Token: SeSystemProfilePrivilege	372	WMIC.exe
Token: SeSystemtimePrivilege	372	WMIC.exe
Token: SeProfSingleProcessPrivilege	372	WMIC.exe
Token: SeIncBasePriorityPrivilege	372	WMIC.exe
Token: SeCreatePagefilePrivilege	372	WMIC.exe
Token: SeBackupPrivilege	372	WMIC.exe
Token: SeRestorePrivilege	372	WMIC.exe
Token: SeShutdownPrivilege	372	WMIC.exe
Token: SeDebugPrivilege	372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	372	WMIC.exe
Token: SeRemoteShutdownPrivilege	372	WMIC.exe
Token: SeUndockPrivilege	372	WMIC.exe
Token: SeManageVolumePrivilege	372	WMIC.exe
Token: 33	372	WMIC.exe
Token: 34	372	WMIC.exe
Token: 35	372	WMIC.exe
Token: 36	372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	372	WMIC.exe
Token: SeSecurityPrivilege	372	WMIC.exe
Token: SeTakeOwnershipPrivilege	372	WMIC.exe
Token: SeLoadDriverPrivilege	372	WMIC.exe
Token: SeSystemProfilePrivilege	372	WMIC.exe
Token: SeSystemtimePrivilege	372	WMIC.exe
Token: SeProfSingleProcessPrivilege	372	WMIC.exe
Token: SeIncBasePriorityPrivilege	372	WMIC.exe
Token: SeCreatePagefilePrivilege	372	WMIC.exe
Token: SeBackupPrivilege	372	WMIC.exe
Token: SeRestorePrivilege	372	WMIC.exe
Token: SeShutdownPrivilege	372	WMIC.exe
Token: SeDebugPrivilege	372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	372	WMIC.exe
Token: SeRemoteShutdownPrivilege	372	WMIC.exe
Token: SeUndockPrivilege	372	WMIC.exe
Token: SeManageVolumePrivilege	372	WMIC.exe
Token: 33	372	WMIC.exe
Token: 34	372	WMIC.exe
Token: 35	372	WMIC.exe
Token: 36	372	WMIC.exe
Token: SeShutdownPrivilege	5320	000.exe
Token: SeCreatePagefilePrivilege	5320	000.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe
3784	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5320	000.exe
5320	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 1728	3784	msedge.exe	84
PID 3784 wrote to memory of 1728	3784	msedge.exe	84
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 3552	3784	msedge.exe	85
PID 3784 wrote to memory of 2560	3784	msedge.exe	86
PID 3784 wrote to memory of 2560	3784	msedge.exe	86
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87
PID 3784 wrote to memory of 4484	3784	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1a0a46f8,0x7ffb1a0a4708,0x7ffb1a0a4718
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9640446043533802571,4922186269013571382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5968

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5384
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:5196

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395d055 /state1:0x41c64e6d
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7fc6a4e0dd756d670f9b59d2f2169474

SHA1
84476b954d0c9ca09ca8f95fa28f1315ba8a6e51

SHA256
b983be5afba82809328aeb560a323cb1db46882b1bc36ae9fe2b876d15c9adc3

SHA512
73df3c61f1c14aff9202881a82d79980177c182335ed7fe58a09c3eb98bfb7b0a51368cbcb985732132d381a4e7df5e68b0d23858600cefe5bd918bd0893e643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
a6d346f58cbec0a6e4015327b25f1537

SHA1
750056e65a8b1c20b1a6051f5adcdf35821a6ac1

SHA256
1a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56

SHA512
74e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78e5afae9a0d5d7889323e017d134ddf

SHA1
061afeb5ed3916f632eaace561afc6580b1926fb

SHA256
a0189db3075658034625d671d11e04d34659c4de94a3f9ce875c8300f3307fff

SHA512
7c8b95ca1bcdd98f944d0827b2d454e9ebd9565aa45db074d75439c38625e7dd551fa4043d7fc2795fa315515b838e27c0d3699d486767c0fe2378875b07a302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d3eb415f-80cd-4038-9e54-233952a6a0c2.tmp

Filesize
5KB

MD5
3330b41c7ecf01f0d6dfe73dcbb37cd8

SHA1
20259b2878b127bd4fbd90a35401e87718c1e14d

SHA256
1a85bb059fe873abeeb7ef45474c1bf0cb557329a2ede9c0d490976f869fb808

SHA512
d432b0a246eebc3b56250a57fd6b178ae2850ab1734945186f2934d1d8e916968207627108f8faac1993df6fbcb60d936b5200f25d858ae5e6ba2bb62ac765b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e2c18cfaa8a84ccb6e904b9eb0e5ff1c

SHA1
f0869d60317ad0fe421d6a719507c2df35e98fae

SHA256
fafe316d0c984ac587754f13a157f18f9147fab301b266a364177219a358ce7e

SHA512
81f96a290a5d3c1ff52418b4f83fde4f7c5e89b4bb9e85a1197b142c2071bb0ce6a07c2cc62b1d56949797d903c179a37b94dc5a71f155e11e2cbeccfe36edae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4b1184ccde874a5a79afccfcfeb7582

SHA1
4e53a86c60f39ee02d977dc6ba7c30d2bcf6e1ef

SHA256
b36acb71313bfd8c6af35824f7d93297049a1ad0303d7e877f259a8e17aa7d3a

SHA512
45f2c441b4f5c10429baa18effb55c1bacb2cfe7c73c975b6689ac4290d09fe77409f850bf7412899a372dffae64cf473035c87d7ea2e727753d1dbcc52b42d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
b1f649bcf64cf947e43ffec767a08827

SHA1
f9ba159a7b1735f0616b979cb7af613905364bef

SHA256
21f89ca2fd6528349df9d18e0a8529410e16b45a3f7fa8e6cccb15af98eb267f

SHA512
7115f4ed6bfdd04f7dfb6675fb7235b12224b039edd823b3c24d64c8009d7eae11c0f4eaab4bd0699dc04a6f8f6dc59786635e93be26bb7f048e27faaa21fd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
memory/5320-281-0x000000000B740000-0x000000000B778000-memory.dmp

Filesize
224KB

Download
memory/5320-287-0x000000000B7B0000-0x000000000B7C0000-memory.dmp

Filesize
64KB

Download
memory/5320-285-0x000000000B7B0000-0x000000000B7C0000-memory.dmp

Filesize
64KB

Download
memory/5320-288-0x000000000B7B0000-0x000000000B7C0000-memory.dmp

Filesize
64KB

Download
memory/5320-286-0x000000000B7B0000-0x000000000B7C0000-memory.dmp

Filesize
64KB

Download
memory/5320-292-0x000000000B860000-0x000000000B870000-memory.dmp

Filesize
64KB

Download
memory/5320-294-0x000000000B7B0000-0x000000000B7C0000-memory.dmp

Filesize
64KB

Download
memory/5320-295-0x000000000B7B0000-0x000000000B7C0000-memory.dmp

Filesize
64KB

Download
memory/5320-293-0x000000000B860000-0x000000000B870000-memory.dmp

Filesize
64KB

Download
memory/5320-296-0x000000000B860000-0x000000000B870000-memory.dmp

Filesize
64KB

Download
memory/5320-282-0x000000000B540000-0x000000000B54E000-memory.dmp

Filesize
56KB

Download
memory/5320-263-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/5320-262-0x00000000006F0000-0x0000000000D9E000-memory.dmp

Filesize
6.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads