Analysis
-
max time kernel
161s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/11/2024, 16:48
General
-
Target
http://www.funduc.com/ftp/Duplicate_File_Finder-Demo-Installer-x64.exe
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 30 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 34 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.funduc.com/ftp/Duplicate_File_Finder-Demo-Installer-x64.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8ec646f8,0x7ffd8ec64708,0x7ffd8ec647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3380 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Duplicate_File_Finder-Demo-Installer-x64.exe"C:\Users\Admin\Downloads\Duplicate_File_Finder-Demo-Installer-x64.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-T68TG.tmp\Duplicate_File_Finder-Demo-Installer-x64.tmp"C:\Users\Admin\AppData\Local\Temp\is-T68TG.tmp\Duplicate_File_Finder-Demo-Installer-x64.tmp" /SL5="$C0234,2836323,832512,C:\Users\Admin\Downloads\Duplicate_File_Finder-Demo-Installer-x64.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\DupFiles\Readme.txt4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5661014654762758205,6832704836431378025,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4996 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\DupFiles\DF64.exe"C:\Program Files\DupFiles\DF64.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5a6d15651f5c7cc1b88402642c85426f1
SHA1e1d27dcc2e1eec6d9e009d062e7789867947c7f1
SHA25691319e9ea307faefe5c34a182d9b55930c6c11cdb2a8bfbe7e1bc23085270820
SHA51261a8b3363b5a40910851f3a58ba020105de10d9fdbd849976d99189b595c4d6f8de9c395d25444905076d952446cc72d953649204208f37c2085e6f95c7c9285
-
Filesize
2KB
MD539f9837e6d8f3ea750e319d3e25a93b2
SHA1999c2debfc3e81ca2519a9330d065dd93010de23
SHA2561b9f4a3e5b524de67181557a3c29b14ce0016485cd138a6910cee8d49c97d7f1
SHA51264bdc671739b4c5f697dc71af61063d5117fca2883cda19acb8df7f2d805516d6b70fe3eb6b40c665189a299b4961dc7ea35b9c21d9526829b6bca688dbf4a03
-
Filesize
50KB
MD5e75d5b66d9095cd5bb3457afea8f1a8a
SHA15ecd481925f25b0bb2bdcc9b5726bc2fd6fe3615
SHA25676d65aa7a2da420efd6b95cfb29254209ffbe711d71f8671dc7f001171091f7e
SHA51245c60a078816615dcdb93b45a8620bfef0e3ea8c86c1dba4d7e335a8f425bab573ff5deddf4755b10592d89da8e152acd4f2f00d56fc43bfd352fdfc64229247
-
Filesize
765B
MD5d407d5257d0d53a96538f1a7e9b169bc
SHA1862422398699f1bfcb503109d4c0c487594a9c4f
SHA2565b1c8c416405ddc51d5e35e23978b9a1ca0bea6ea6b26ef7b38771ff491adc22
SHA512eb12ab6a40a0a370a6ba462384cc483829634e0e51febc88593bbdf5b47dfda88c10ab3a2997ba8f03d6ba10facd93dc711eb8be3bf337ac8770d61121e7c3ad
-
Filesize
638B
MD5568f75053b353dc87a8175e8a3cd5c53
SHA1ff60c7e23056c682545cd476a6c1c86987640194
SHA256ac6fedfe0ea1ab1d7224c771811ca10edece8928f4da2dcec734796da8d60895
SHA512b684cd4c39e3c56ac29031bdf3a2026e0e3cb99e898cf9a04bf601e8b393204e3e472cd17a3f688ccc7a7a051a4d065361c8085e4f5b86bce134b6bb52e8fd31
-
Filesize
1KB
MD5362f9b80fdc2b3bb2cf7ee350a3124e4
SHA1cd4ae1b58606d5a491e57928ab2e50adfe77b526
SHA25686812da6e5ec489c2f6fd040ff59888d1ac83b63604004f79989ee8f475046b1
SHA5122a5a5330a52dc919a8406c7aae5d6d0e5e2a00acea1ad14a18d0b632f89bd289a830201defc9ca0137f6c837958eee576b1cdf432419176f1f3e1d21f670f6eb
-
Filesize
484B
MD5d5934ffa7ce32ee4c7b40c91fac01fe6
SHA155b13f5e0adeca27397d75873d148a291147a79e
SHA2569be073d226ce5e9d2b6c35a872d75a7d09d2182b22b61ec61f68f53cc3d9cc5c
SHA512b640a5aa127fa23ee5eaa71899d9fb09df7823c8384ac3f9ece51a0cfbef1c3f9f2b2dae89963269c62ebfdcba6ced5673f27278be96d3b42e94a001a29797f1
-
Filesize
484B
MD5d1dc0ecfb99dac5fd827d1d862db9fca
SHA116ed28dcfb5a6cbb7af4111227ae4b068725ecf6
SHA25610579b55aecd4baca27cd3173b3b6bd8f32a9972d731b57341e7a1277081211f
SHA512a98b8c44f72af9404a8eb10976bc4992fa9da1f50af5f66213a1f13581a074a032dcc4308ae56d97a2a180e58395d77f53366f2f4bd6a2e613825577c3ad03b7
-
Filesize
482B
MD56910b7a26173e3b7969336402e85e966
SHA1aa00b97db00686ce7885a5995ca32845b6b5130f
SHA256832a10b859ef4a780901fc9207c16da773628f89426222304d5860b5059dd287
SHA512816b3b5738fdf62fb7acc87cbe07a769a114e8e1fa71b9b843de7cac66df02d7f368afdd4a8eaf09f9f9d5c1683e2891d51f66a9d04c97aab39bfdbe5295dc1d
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
6KB
MD5e7c3f5dceb36cac4bb6ddb40fd117e0a
SHA16f7e258f2e5dbd24559a80e3b7153d7eae618435
SHA2566291c5c6fe8f3799e896eec1b15389a09f32eba6fb02e6d7c6c642118a39c542
SHA512f975346477219c450712e040ab50f76e7dde219b356641198408a0a03ec99eea854cc36e01702743e5f50a70506f56def807e809fecdab7cbbfe474d74c016b8
-
Filesize
5KB
MD5b24797d27d37982e5bcb8e642305d562
SHA17cc64263b5ef80da90e8208df070387fee98ba7d
SHA256ba863e540c7e5b8b0ceec77f9dccf9e0b1599d3b2a1619766528c5cd6570b148
SHA512b09bd998f30984036d7ab5600b5a3e62b455fc489f0473591dd0ab80c37d2b219b9517a3fca0a6e9a874e837373df1f4a8074c6f323dd62d6113c89f5a50a459
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5224393200b3a1db4d4cba231f8d7a9a3
SHA19422be1f4555a6b3ece3cc77c9436bede79ce2d5
SHA256889afabb389f2c28d28b6fd9a2450ff226f2da5a570b4f09df6ffc614373df5c
SHA51279329dcca3eddae297c62932c4768c9548070824d5ee7614f390df6061500dc6e5d2adc354737fd3b5d618e5f36984dd44140e9c70dd0b46a68b04e8701eb83e
-
Filesize
10KB
MD5a1c25f1ddce78242522ade2280b46bef
SHA171e9b48e4bf64401b737e6ee27fa445b97ad790b
SHA2565f8c69014d6f0a09f16bb4943b49178ca4236ed9fcc961fc41c655a0b087166f
SHA512fd431a322b3a7b1f82da9c0643ce131c60f1b553ba37b7008b2adc992f8dabb6587dd53dc163dde1fa54b2f579beffdb93dea8b7464bf7128f115937ccbdf638
-
Filesize
3.1MB
MD57f424bf4eefe5e5e69e310a000714571
SHA1355cb264d9aae9627f8b409b4c76fa6a2125e4aa
SHA256fc405c72b18ab2f7236e0dd10672456346c61a2ab24f2ee90600293191cc29cc
SHA51285823a2b08c713a621a107e11f78cefdcb95d443d23377b7f701dba356f721d1e3d10a0aea1f419303b85855c4a8fc11b17f5e8a4316a23e9d3c7cf301bad2a4
-
Filesize
3.5MB
MD5e5c671285c03939db1c88bd94be2ca1e
SHA1fd2490a216a3768541845034695882c64a279948
SHA256afe8b26f3dcbca52ca08c63ad27ab853f86953efe79ec499e44c9b1ee40300ec
SHA512afa9a66c00b8c4b218be34ed2f50ec27f28307480fa6fd14a61cbbd9cc3b4ef43031fbb9dc50a80a437a89870165c4451255700c98a828b63ac13e5da7895ef2
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
3.1MB
-
Filesize
3.1MB