Analysis

  max time kernel:   52s
  max time network:  47s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         09/11/2024, 13:39
  Static task:       static1
  URLScan task:      urlscan1
  Behavioral task:   behavioral1
  Sample:            https://cdn.discordapp.com/attachments/1252604547776643200/1304798118377689129/30102024.rar?ex=6730b371&is=672f61f1&hm=ef7536aaf8422e57402cdefd397299755fc89b778c2ee78f2a40d31891b576a6&
  Resource:          win10v2004-20241007-en
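The sample is not a file but a signed Discord CDN link, and the `ex`, `is` and `hm` parameters are the part of it worth decoding before anything else: `ex` and `is` are hex-encoded Unix timestamps (expiry and issue time) and `hm` is Discord's signature over the path and those timestamps, so the same attachment is reachable under many different URLs and the link stops working after `ex`. The script below is an added example, not part of the sandbox report; it decodes those parameters and cross-checks the issue time against the creation time embedded in the attachment's snowflake ID (the standard Discord layout: top 42 bits are milliseconds since 2015-01-01 UTC). The function and field names are this example's own.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# The sample URL from this report's header.
SAMPLE_URL = (
    "https://cdn.discordapp.com/attachments/1252604547776643200/"
    "1304798118377689129/30102024.rar"
    "?ex=6730b371&is=672f61f1"
    "&hm=ef7536aaf8422e57402cdefd397299755fc89b778c2ee78f2a40d31891b576a6&"
)

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the snowflake epoch


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (top 42 bits = ms since the Discord epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def parse_discord_cdn_url(url: str) -> dict:
    """Decode the signing parameters on a cdn.discordapp.com attachment URL.

    `ex` / `is` are hex Unix timestamps (expiry, issue time); `hm` is the hex
    signature. The signing key is Discord's, so the signature cannot be verified
    offline; only its shape is checked here.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # the report URL's empty trailing "&" is dropped
    for name in ("ex", "is", "hm"):
        if name not in query:
            raise ValueError(f"not a signed attachment URL: missing {name!r}")

    def hex_ts(name: str) -> datetime:
        return datetime.fromtimestamp(int(query[name][0], 16), tz=timezone.utc)

    issued, expires = hex_ts("is"), hex_ts("ex")
    hm = query["hm"][0]
    hm_wellformed = len(hm) == 64 and all(c in "0123456789abcdef" for c in hm)

    # Path layout: /attachments/<channel_id>/<attachment_id>/<filename>
    _, kind, channel_id, attachment_id, filename = parts.path.split("/", 4)
    if kind != "attachments":
        raise ValueError(f"unexpected path kind {kind!r}")

    return {
        "channel_id": int(channel_id),
        "attachment_id": int(attachment_id),
        "uploaded": snowflake_time(int(attachment_id)),
        "filename": filename,
        "issued": issued,
        "expires": expires,
        "valid_seconds": int((expires - issued).total_seconds()),
        "hm_wellformed": hm_wellformed,
        # Pivot on the unsigned path: every re-signed link to this file shares it.
        "stable_locator": f"{parts.scheme}://{parts.netloc}{parts.path}",
    }


def is_expired(info: dict, now_unix: int) -> bool:
    """True once the signed link can no longer be fetched (the `ex` instant has passed)."""
    return now_unix >= int(info["expires"].timestamp())


if __name__ == "__main__":
    info = parse_discord_cdn_url(SAMPLE_URL)
    for key, value in info.items():
        print(f"{key:16} {value}")
    print("expired now:", is_expired(info, int(datetime.now(timezone.utc).timestamp())))
```

For this URL the decoded values agree with the header: the link was issued at 2024-11-09 13:21:53 UTC, the attachment snowflake resolves to the same second, the submission at 13:39 followed about seventeen minutes later, and the link expired 24 hours after issue. Anyone re-fetching the archive from the CDN after 2024-11-10 13:21:53 UTC needs a freshly signed link; the stable locator (path without query) is the value to record as the indicator.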
General
Malware Config
Signatures
YARA rule match
  resource                                       yara_rule
  behavioral1/files/0x0007000000023d08-81.dat    upx
Enumerates system info in registry   2 TTPs   3 IoCs
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  These two BIOS values are a common virtual-machine check, but here the reader is msedge.exe itself (Chromium-based browsers read them for hardware-model reporting); the signature does not attribute any sandbox-evasion behaviour to the sample.
Modifies registry class   2 IoCs
  description   ioc                                                                                  Process
  Key created   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings  msedge.exe
  Key created   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings  OpenWith.exe
Suspicious behavior: EnumeratesProcesses   8 IoCs
  pid    Process              hits
  2960   msedge.exe           2
  4600   msedge.exe           2
  1308   identity_helper.exe  2
  4280   msedge.exe           2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary   7 IoCs
  pid    Process      hits
  4600   msedge.exe   7
  The browser parent (PID 4600) creates its child processes with the block-non-Microsoft-binaries mitigation policy set. This is a hardening setting Chromium applies to its sandboxed children, not an action of the sample.
Suspicious use of AdjustPrivilegeToken   8 IoCs
  description                  pid    Process
  Token: SeRestorePrivilege    5364   7zG.exe
  Token: 35                    5364   7zG.exe
  Token: SeSecurityPrivilege   5364   7zG.exe
  Token: SeSecurityPrivilege   5364   7zG.exe
  Token: SeRestorePrivilege    5624   7zG.exe
  Token: 35                    5624   7zG.exe
  Token: SeSecurityPrivilege   5624   7zG.exe
  Token: SeSecurityPrivilege   5624   7zG.exe
  "Token: 35" is a raw privilege LUID; 35 is SeCreateSymbolicLinkPrivilege. Both 7zG.exe instances enable the restore, security and symbolic-link privileges, which 7-Zip does on extraction so it can restore security descriptors and symlinks. AdjustTokenPrivileges can only enable privileges the token already holds, so this is not an escalation.
Suspicious use of FindShellTrayWindow   35 IoCs
  pid    Process      hits
  4600   msedge.exe   33
  5364   7zG.exe      1
  5624   7zG.exe      1
Suspicious use of SendNotifyMessage   24 IoCs
  pid    Process      hits
  4600   msedge.exe   24
Suspicious use of SetWindowsHookEx   1 IoCs
  pid    Process
  3748   OpenWith.exe
Suspicious use of WriteProcessMemory   64 IoCs
  description                              pid    Process      procid_target
  PID 4600 wrote to memory of PID 1292     4600   msedge.exe   83
  PID 4600 wrote to memory of PID 1984     4600   msedge.exe   84
  PID 4600 wrote to memory of PID 2960     4600   msedge.exe   85
  PID 4600 wrote to memory of PID 2728     4600   msedge.exe   86
  All 64 entries are repeats of these four rows: the browser parent (PID 4600) writes, many times each, into the four msedge.exe children it has just created (the crashpad handler, the GPU process, the network service and the storage service listed under Processes). The Chromium sandbox broker writes its policy and interception data into every target process it launches, so same-image parent-to-child writes like these are expected browser behaviour; the signature would only be meaningful for a write into a process of a different image or one the writer did not create.
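The WriteProcessMemory signature above is noisy precisely because a sandbox broker writing into its own freshly created children looks identical, at the API level, to injection into a foreign process. The following is an added example, not part of the report or the sandbox's own logic: it replays the report's four (source, target) pairs together with a constructed injection event through a small classifier whose rule (an assumption of this example) is that a parent writing into a child it spawned with the same image is launch plumbing, a parent writing into a child of a different image is worth a look, and a write into any process the writer did not create is an alert. The process records marked as constructed are not in the report.

```python
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int]  # None when the parent is not in the capture


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Process tree as listed in this report (PID 4600 is the browser that opened the URL).
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(4600, EDGE, None),
    Proc(1292, EDGE, 4600),  # crashpad-handler
    Proc(1984, EDGE, 4600),  # gpu-process
    Proc(2960, EDGE, 4600),  # network service
    Proc(2728, EDGE, 4600),  # storage service
    # Constructed for contrast, not in the report:
    Proc(700, r"C:\Windows\System32\services.exe", None),
    Proc(9002, r"C:\Windows\System32\svchost.exe", 700),
    Proc(9001, r"C:\Users\Admin\Downloads\update.exe", None),
    Proc(9003, r"C:\Windows\System32\cmd.exe", 9001),
]}

# The report's 64 IoCs repeat four (source, target) pairs; a few repeats stand in for them.
EVENTS: List[MemWrite] = [
    MemWrite(4600, 1292), MemWrite(4600, 1292),
    MemWrite(4600, 1984), MemWrite(4600, 1984), MemWrite(4600, 1984),
    MemWrite(4600, 2960),
    MemWrite(4600, 2728),
    MemWrite(9001, 9002),  # constructed: write into a process the writer did not create
    MemWrite(9001, 9003),  # constructed: write into own child of a different image
]


def same_image(a: str, b: str) -> bool:
    """Compare by image file name, case-insensitively (Windows paths)."""
    return PureWindowsPath(a).name.lower() == PureWindowsPath(b).name.lower()


def classify_writes(procs: Dict[int, Proc],
                    events: List[MemWrite]) -> Dict[Tuple[int, int], Tuple[str, int]]:
    """Collapse repeated writes per (source, target) pair and attach a verdict.

    Rule (this example's assumption, not the sandbox's): same-image parent -> child
    is launch plumbing; different-image parent -> child is reviewed; a write into a
    process the writer did not create is alerted.
    """
    counts = Counter((e.src_pid, e.dst_pid) for e in events)
    verdicts: Dict[Tuple[int, int], Tuple[str, int]] = {}
    for (src, dst), n in counts.items():
        s, d = procs.get(src), procs.get(dst)
        if s is None or d is None:
            verdict = "unknown-process"
        elif d.ppid == src and same_image(s.image, d.image):
            verdict = "benign-child-launch"
        elif d.ppid == src:
            verdict = "review-cross-image-child"
        else:
            verdict = "alert-foreign-process-write"
        verdicts[(src, dst)] = (verdict, n)
    return verdicts


def alerts(verdicts: Dict[Tuple[int, int], Tuple[str, int]]) -> List[Tuple[int, int]]:
    """Pairs that need an analyst, sorted for stable output."""
    return sorted(pair for pair, (verdict, _) in verdicts.items() if verdict.startswith("alert"))


if __name__ == "__main__":
    result = classify_writes(PROCS, EVENTS)
    for (src, dst), (verdict, n) in sorted(result.items()):
        print(f"{src:>5} -> {dst:<5} x{n:<3} {verdict}")
    print("alerts:", alerts(result))
```

Run against the report's pairs every verdict is "benign-child-launch"; only the constructed update.exe to svchost.exe write is raised. The parent-child relation is the load-bearing input, so in a real pipeline it has to come from process-creation events captured before the write, not be inferred from the write itself.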
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4600)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1252604547776643200/1304798118377689129/30102024.rar?ex=6730b371&is=672f61f1&hm=ef7536aaf8422e57402cdefd397299755fc89b778c2ee78f2a40d31891b576a6&
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1292, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3f6d46f8,0x7ffe3f6d4708,0x7ffe3f6d4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1984, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2960, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2728, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1480, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 556, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1732, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1308, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2124, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2160, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4316, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4968 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4440, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4280, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3992, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4352, child of 4600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2247943361665778102,18373277818409234659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 3860)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 1824)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\OpenWith.exe  (PID 3748)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe  (PID 5280)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe  (PID 5364)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3886:78:7zEvent7422
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Program Files\7-Zip\7zG.exe  (PID 5624)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2284:78:7zEvent3627
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

Reading the tree: the browser (PID 4600) fetched the .rar, the OpenWith.exe and quarantine utility entries are the download being handed to the shell (no application is registered for .rar on the image), and the two 7zG.exe invocations are 7-Zip's shell-extension "extract" path, which passes the selected archive through a shared-memory map (-ai#7zMap…:7zEvent…) and unpacks it into C:\Users\Admin\Downloads\. The extraction is what produces the UPX-packed file matched by the YARA rule. No process is started from the extracted content within the 52 s kernel-time capture, so the report shows delivery and unpacking only, not execution of the payload.
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 152B
   MD5:    0a9dc42e4013fc47438e96d24beb8eff
   SHA1:   806ab26d7eae031a58484188a7eb1adab06457fc
   SHA256: 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
   SHA512: 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

2. Filesize: 152B
   MD5:    61cef8e38cd95bf003f5fdd1dc37dae1
   SHA1:   11f2f79ecb349344c143eea9a0fed41891a3467f
   SHA256: ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
   SHA512: 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

3. Filesize: 6KB
   MD5:    eb142ce654301a2daa846fdeadc04adc
   SHA1:   4724fd1a592a875e64d41ce197233a0789fb2bb4
   SHA256: 39d2e93aebb24064ed70da78a6483546f32833348d49bab36f44a569f93a29e2
   SHA512: d79a1f63b849998ce6925ee413b0248d7f008bf0f135dbcac3a6576612768062f2c33313611e58b2108770d5b4bb273213fbe9a931a3fcece1eae4f2a3b4475f

4. Filesize: 5KB
   MD5:    8048617cf05d4570d66c82274aeabad9
   SHA1:   8e1ef62e33346e16e5f32d657ebd2be4e4723d6a
   SHA256: c5d036db829fd3549d41cb95672d7db063c2b9f227b7275b2e6703bb175d3805
   SHA512: 3b2fc2a2667753ea0d67360db21adf2a5c9ec30b07757eb4fdf176a5f329d48a6f0e8fed996221dffa12d5ab8baf3d791551c0bd01e85da24be25c20e4947697

5. Filesize: 16B
   MD5:    6752a1d65b201c13b62ea44016eb221f
   SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
   SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
   SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

6. Filesize: 10KB
   MD5:    8cf6a1b1ab58c5b9d38b188d0955363f
   SHA1:   5487ca672f9fb11641b1f2ad8c458430df8f7dcc
   SHA256: 66e2fef7c1a243178a5f3b589ac958f6970e017506603c786c979685c157f2e3
   SHA512: b8b8c139e5c1fd0461297006482020b042d10e8bd5e69558562ca12cca8450dcc2c899d3996f215c0d08b3da44a59320b6d4ce2cdece9baa3012b6cab80afd9a

7. Filesize: 446KB
   MD5:    b255071a0f908825b29a8b24e673dbdc
   SHA1:   04d43f5a0292f9b673697b2b9753d0b1a796dfbd
   SHA256: 00e7c981229c98d9962f23d50d873af8a090f837a8219c888c1f96fc6a0588f9
   SHA512: 1234be7deeacacbc405099e8a32ab485627d2559d98794892e3deceba142ee5319072714bf53046dbc7d7699c28d5f974bb4d53b7adf8f65f662434dca49d308

8. Filesize: 447KB
   MD5:    58008524a6473bdf86c1040a9a9e39c3
   SHA1:   cb704d2e8df80fd3500a5b817966dc262d80ddb8
   SHA256: 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
   SHA512: 8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31