Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/11/2024, 18:59
General
-
Target
http://FreeRiderHD.com
Malware Config
Signatures
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://FreeRiderHD.com1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa97c046f8,0x7ffa97c04708,0x7ffa97c047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3496 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15053354613082707373,2518649166565009350,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x348 0x3e01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
648B
MD596b8e2abda565c3c25ff2ebba8ede095
SHA119a402b7ff5809061191e354426c4e7358ba5d29
SHA25646688a89de70b87105dc1948510228f52351c3b8cdd976e3d01ff1f56daa41f9
SHA51287b4b084973cf3361de0d75135a9b914f4c8b4d463f563206997185d58665b76042b364b0e1f5717bb7585690b5a9771b2a6b8043c71be01f1b8730bc14fe7f3
-
Filesize
4KB
MD5892d6a5ea14d4972f1642d6f149334c8
SHA1ee1c7de2076add654461edbcf3a76de9aece8797
SHA256335975bb0c4d511576812bcab69a777396c7893f6b0e083cc2539307f2441316
SHA5128c6dcbf2bba5de5605ab9e02a1642686a0b7dc3f68d4733efe24b7df15380e126d48ad5c649e6852015e618a97db02670a5fcd7b59b33f931829471819285b61
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
8KB
MD5f96c68c9c6bfb30d534450fc2a122b42
SHA1ff278279e0db0140b7de1efcf13cdbe5bf42b797
SHA256471a55468639ce084d371200443584cae075de30a64fbcc54fd2752e8b7c9ba5
SHA51273dcc40effac3d9b85963077c10967283fb36522d10d336c16498e9d69e317e48e1a927f63034347e1120726d02f02a596e24ac8fe74e491b66297312938657b
-
Filesize
5KB
MD59da8f766e8a8917aa35364fb22627663
SHA17706c08533d8a4f08930da6b8caeb74d3f8f0b95
SHA2566707ae17356af53aad96280782932672c8d5d34a038621d3793b772939a6bba4
SHA512ef471635f620f2e93d53333f4d122f61754bf37f4a0478fc9f35ecc433de9f0eec46031c8c34eb2922bc0d74c05685fbe2cb38b0a743203faf017c9ef21a0031
-
Filesize
6KB
MD5c353393cc6d029295570a9397c245c9f
SHA15a91fbe98396a8ec4484e56be3678b940c682cc4
SHA2569315c7371784226b63f446a5a430d3d5ac24d9008f63cb4c8eedb456016a2f28
SHA51290512564ec523dcc995c9c5b225ee657a982e0f8d16bdbe1d61c25adb31abb8bdc65701dc8a82e749eb7e3f062d329c9993e41cd21427d21d948c62d86d1803b
-
Filesize
456B
MD5f17a04febe46a96c483de8155c962b50
SHA106c41198dd57e4efc2ee8226eecf36ccf01f7e98
SHA2567b340a36955ccf524c8bccb2945ec095992bd668dc7c698ea7446c9eb82b31f8
SHA512830a1afa8efff96469168c710b95305435db71425a587d1513847c4b673a7b4c8d2d14a3b455402165ff5c5d9be1a6a8ba9d1789030547edd3632c4af886c041
-
Filesize
48B
MD579cd8671c4b5777fe63ff134b705d858
SHA184433843cb6a8a7a896cdd525422f98a1abba47a
SHA256124337244e39fb13a4e764f169ad22676937963afa1d29f792958319b2849d64
SHA512cf0b934557006cee236313bf5b93423c6779bf0418ec530182c167c45eb582a77eb3ecc960f9f8d113521ea11a98a1f66b8dffe5bac099dd5d0afd4106ec6594
-
Filesize
101B
MD5427e4bd4e7e68d28e788ec0ee352261a
SHA102bebf00bdf2eb1ba83237c68c61d91a75e416af
SHA2567a7acb6c79ef9a4e9ed35fa4a596f65177155c9abf6af9377523dd49b5204222
SHA512dba35c061b7a15a74caaef956d63adc23733ed3cb80999a45617ed1f569540afb124ff8118a8e835d5b1bfe79e11c1953ee484241292e28628c1267ed6cfd7d7
-
Filesize
96B
MD5beda236d5d676589483eba8cefaa39bf
SHA15043df3861a7a6c5d7970cfa63851946baa1c6cb
SHA256d2a7207975a8a83b93a0edd2bf72cceae26a94821f62b69fc92a486cac730a90
SHA512d1701319258b257ee1e340309290ab54ff1b2e38948a536aef5a016a684ce80a1252ec6d87ce68db058a4de6c670bf4025af174028d609b2cafa22a0367c3233
-
Filesize
72B
MD5e83a1c5983c66b730da2b5784ac4a52a
SHA1accca55b5e45127bcdbbf0bb968168791c5e1b07
SHA256c12fae3818bcedcac77be2ea9cbc053485035ce5507766d5d8e5c94d05e59f04
SHA512b8dd8816b9706732f170e446fdd9102c623c9af451e57c95832250006dd2a7e35e8745894acea433412ebcecc2fce985cbafb6e011cc1ab9a04f056b296d1fa3
-
Filesize
48B
MD5ee642169c9d9802f9609a4af79504332
SHA14bf2d213f6c3a63c618bdf04a47f09349d4adba1
SHA25602b9ac7fd5d6f0264729fdd5116281b579bf90e60d94657e8b8c5f101d67dcb3
SHA5124828daf4e9d49d88d54026f531834ec6546c592a1a3f740a1d0b5e2aa1395bd8e2e3d44c7445b19127cd66d827343c9df5d6f121e5044d0063546d59e293f7bf
-
Filesize
1KB
MD58ed4ec470dd178ff7d164bc1177bb164
SHA191c0118220ef9f0e97b18493aa42a86456022ed9
SHA256d77323133dea706eb873284a6ae6165b31cbe891d695605a9873609515a4f1d5
SHA5128abed2d54f680fa4e618dabbe3a4137183f066b48e4a9de30ce0acffe7c43df88430b73e520fd9b80ab99c8bb44f946f20e39c18343499a7cd17766d70d9f114
-
Filesize
873B
MD558652411cd5d8807f253b93eccd19392
SHA12bacd92f969a53bd6d38c3046073f3f659bc83e6
SHA256945e84c93bb10f43955cc6467ccd668eb17d22bbfda232339f9d8917330daca4
SHA512afd1c836d8a6ba985f0ef64151739f811d6509941931648c7bf3f4e2a4e7ab182c6ffc0b2cf28d2c207dd10d83ead724e68c0ae9259735a63fcaeac0116f9304
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD56d10e12491c76366d4ca67cb2b1e5eeb
SHA1d551c83512c4c7b34a264148e23a9f49e0734e23
SHA25620672b0bcf8acae8aaa19aa66ae99cd0c6d92ad296449c4eda3b7f65fe0ecc70
SHA5122f55642a47ac437428c5cc850822e5501b6b8131f35ec2a5aad3be60e7138597e5bf4080f80588dd979f5b0efe9b6fceb5fb2bac981d1e3c1c22928efa9aa975