Analysis

max time kernel: 40s
max time network: 13s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09/11/2024, 20:58

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://gofile.io/d/D8yVWJ
Resource: win11-20241007-en

General

Target: https://gofile.io/d/D8yVWJ
Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   Process
  3124  c94f12da-a95a-4d38-aa44-f7b68107663d.exe
  1636  c94f12da-a95a-4d38-aa44-f7b68107663d.exe

  resource                                                                     yara_rule
  behavioral1/files/0x001c00000002ab63-54.dat                                  themida
  behavioral1/memory/3124-125-0x0000000140000000-0x0000000141240000-memory.dmp  themida

Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  description                   ioc                                                                                Process
  File opened for modification  C:\Users\Admin\Downloads\c94f12da-a95a-4d38-aa44-f7b68107663d.exe:Zone.Identifier  msedge.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

NTFS ADS (2 IoCs)
  description                   ioc                                                                                Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 270365.crdownload:SmartScreen                  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\c94f12da-a95a-4d38-aa44-f7b68107663d.exe:Zone.Identifier  msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process              entries
  2524  msedge.exe           2
  2456  msedge.exe           2
  128   identity_helper.exe  2
  4744  msedge.exe           2
  4500  msedge.exe           2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid   Process     entries
  2456  msedge.exe  5

Suspicious use of FindShellTrayWindow (40 IoCs)
  pid   Process     entries
  2456  msedge.exe  40

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process     entries
  2456  msedge.exe  12

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target  entries
  PID 2456 wrote to memory of 3368  2456  msedge.exe  80             2
  PID 2456 wrote to memory of 1776  2456  msedge.exe  81             40
  PID 2456 wrote to memory of 2524  2456  msedge.exe  82             2
  PID 2456 wrote to memory of 2016  2456  msedge.exe  83             20
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/D8yVWJ
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2456

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb78fe3cb8,0x7ffb78fe3cc8,0x7ffb78fe3cd8
      PID: 3368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
      PID: 1776

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 2524

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      PID: 2016

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      PID: 1704

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      PID: 988

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      PID: 4656

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
      PID: 2824

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
      PID: 3084

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 /prefetch:8
      PID: 904

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 128

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 4744

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,17953251729078657185,6103246790754814446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 4500

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4500

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1552

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3128

C:\Users\Admin\Downloads\c94f12da-a95a-4d38-aa44-f7b68107663d.exe
  "C:\Users\Admin\Downloads\c94f12da-a95a-4d38-aa44-f7b68107663d.exe"
  - Executes dropped EXE
  PID: 3124

C:\Users\Admin\Downloads\c94f12da-a95a-4d38-aa44-f7b68107663d.exe
  "C:\Users\Admin\Downloads\c94f12da-a95a-4d38-aa44-f7b68107663d.exe"
  - Executes dropped EXE
  PID: 1636
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: e9a2c784e6d797d91d4b8612e14d51bd
SHA1: 25e2b07c396ee82e4404af09424f747fc05f04c2
SHA256: 18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
SHA512: fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Filesize: 152B
MD5: 1fc959921446fa3ab5813f75ca4d0235
SHA1: 0aeef3ba7ba2aa1f725fca09432d384b06995e2a
SHA256: 1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
SHA512: 899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 288B
MD5: c9d8d97f15b5284dd8d456ae1df10f6a
SHA1: eb6220d56b4521215f23fa3c3c036a99ff07fa84
SHA256: dba102f84e3c489e0d22fef2d8e8a05673d344502f01fc43614eb5cf2caabd84
SHA512: d9db673f9f80bd0c0d14efb6e46bc46d8b7f7cfb1192286c90cf41f88475058be1b3d031fb17fd424e2b1502d22b18f4831917a167a66290820bb4041e5062bd

Filesize: 6KB
MD5: 9686343cc3b34ab4931b916092c00889
SHA1: c3903c72e8ef40abc5aec87858994860f15a9d7c
SHA256: 8ae45145ffcb90b6ccd57aec1a08473cde7fc8289295568a48330cee7d911636
SHA512: 6e2eea9517499e7aa524fec38f1a88b771fc4873fa444f03b763610f84bd91123320b7513536c3f24c083542ec98390995b6f8bcfc3058f93cdee2f23a2c0d2e

Filesize: 5KB
MD5: d395f5ffbe2e3aa16036548494992277
SHA1: 49c9891c255e41b6cf30ff68464dd50014be2ca6
SHA256: abb013affa434f377adce81c284f6dd24f6672c002f573737b07ca38ee7c6b63
SHA512: 4ab5790417135bcb5d254fa177149082a257d39fffa2def8c2c1c54ed7dc51568b2dac8e67ef782d0bc2f2b805e00e1e3b770e5c3bde463da891d6ceed9e69e3

Filesize: 6KB
MD5: 380684d97fa997e66f8a2340751fc7b2
SHA1: f8961a8eb7870130b3ce9a0c26e4a91c70b08ed3
SHA256: bc5d218c2a7c6d74c2bc53584fc5a3a0470f8955b53e0bbd038c3649d8db1fc1
SHA512: 9db14b0dd0ee2b0f6dab5b8eff8e81962670b45904b15c2a74310de90988f4d838a265f3dd1b283692531354dfb11e1a3bec84a0ab5e902e2e4606185a972044

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 10KB
MD5: 1431b0ff60766bf1ba455b1b02549338
SHA1: 973c2af5a7a10e85bc9910ec4e6f697f95f962a7
SHA256: 69aaf36557a75c365cfe0f0f41a4a4ea9c4309ab52c9b66f13b6fc5a65a0e5b5
SHA512: 06f9f43e414abac25dba27c9a1d7b4358ef3ae913afb2ba16d26f79c8fe98930269f724a74c3e8af817a80b0e11d3f91df28a9448d286532fb0410d25820918d

Filesize: 10KB
MD5: 32c9cc54ec222ca7224941bc1dbee0f2
SHA1: e7a5f20b66c99480a0fb8e1342933576cea7c855
SHA256: 642c4019c18ce5387e42d7bef0efb791b73a40152298a3b7e70e62253c9897aa
SHA512: f80db7cfac77013a384ebf5ffafe2218bfdc366bc5ab98bf46deb943940530cc31cb671fb815dc3fa5176dc3b31f089edc9e11324701258bda1b332cc0d87417

Filesize: 7.5MB
MD5: 18b97324c5f586e8e25c1c4e1395662c
SHA1: 6326d9e0cbbbccb928622ad5c76b82a68abc1c27
SHA256: 007025df640d0fe793489d49ad8237e6a75a0d12eef30c3b395073d9b2c7f4c6
SHA512: 45cfad5b391d48847bcefb22a34605d211ee1c75360dc2a0d36c2b7fa56ed753e13687525fc367b30d34535922725f9189c96b6ae5a20c1b66eeae1570c7e3de

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98