Analysis
-
max time kernel
155s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 18:26
General
-
Target
https://bazaar.abuse.ch/browse/
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 16 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/browse/1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa97bfcc40,0x7ffa97bfcc4c,0x7ffa97bfcc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3664,i,2765878773552732055,4654232677906869844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7826:190:7zEvent226881⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\8f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca.exe"C:\Users\Admin\Downloads\8f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\8f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca.exe"C:\Users\Admin\Downloads\8f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\8f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca.exe"C:\Users\Admin\Downloads\8f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD511d46bc0559ea50f86f9fa74e3d95e04
SHA14ab062ea3e3a78927b800e538665b89b65c1be0e
SHA256833d605da6e83ca83250403330af28dbc2bb72690f61fb76277fad4b8977864d
SHA51294500874ae27158a77a8d212c74ed63c5b482d13cdd322032f65f55410479f4be3a6698ea1fd589da1fb3d6375cc1d7b76217883a8406d2a25c8398a531e40e8
-
Filesize
22KB
MD53b5537dce96f57098998e410b0202920
SHA17732b57e4e3bbc122d63f67078efa7cf5f975448
SHA256a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88
SHA512c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d
-
Filesize
102KB
MD5b12b25ae354345ec8ad517fcc4ac6699
SHA1b50d3e8ba21d0900abe2a70630017908cd85dd13
SHA2568049ea163360585ba2e6a66253fef81d33153ad795882114c52330e340e803c5
SHA5126039a8a54df82a6ecf96af3b460514f9a404a50888f6a58f4f46baeab7d46300884f3d59b6ba2dff658f7bbd349b1533d755b8aaa438987e5d8182abd7ca13f0
-
Filesize
215KB
MD5e579aca9a74ae76669750d8879e16bf3
SHA10b8f462b46ec2b2dbaa728bea79d611411bae752
SHA2566e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640
-
Filesize
408B
MD5c0e83bca55f7109965ea3c52a4f6a301
SHA16e8bbfb98d57728299823d1d945feefe33ce8df6
SHA25604a87714b7f6a459288d91adeabafe02438ccd2dc25781e5931087f4a5246803
SHA512ba39a8bfef55e5504428068192f5787e505fe15d034b299adc1c4379cd14e48418a2b0c46ca230af7f20500cf0bcfa00c338faeed0c7f20cbe3064fe74d22ad3
-
Filesize
3KB
MD5cd3518fb01e35a3e21f7d34219c2391e
SHA13ad3f0e9934554cec5f1b03982342f35ea42c44a
SHA256abb20534fd01434952dd8972fec197b731085fde77c145646bc9fb85e52255f9
SHA512270f38aec1f636f600f166894dbac4bd8a25db83e5e1078380925ab18e02ed09d86e0fe7fad8d7a7e7f9b199d110c296d982e8a43ba7996d7f9adba782e645f2
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
690B
MD59417566c8d3ae0dd34f81a1a780eb7b2
SHA14f33dbb48aa8a96ce032f8217ffe5fba8686359f
SHA256fe0c0dd64012c4d06ed7a153494738f6b38b99104c188f45cc1f1b6020fa5773
SHA512122a64945fce73053b2ddf87ea0191aedfc0f0a833fc42f79325f2d82327bc4ca05e6a02bdf210c0cb4ccebed024aa18c1ed528a3472255cfb15303d7f2caf0b
-
Filesize
690B
MD5f055dbb20b632c530870e045e3ecde2c
SHA14f2e78992974df7f0eb36fe1f349415539593319
SHA25634ae5753c244c83819584b6a553576f3c144b2cd49b80f8954b7dcce0cd809e9
SHA512bc73136998e8672e799339a6d3176aff1daadbd14af7e74a502ec69fb54f28f583da38e33e7b790772b39c7d0b9f0890c069b810853fcec5b3a51ac3c823e932
-
Filesize
690B
MD59fd801f30f98fcfe169ca0f32294209c
SHA1171bdbe6f003ece4fbba6055d810b5678e943182
SHA2561fd6fdc2bb0ae44529c77745263fb73810fa4006a0e4163da8acc35efcabd3ed
SHA512efd713f09d21ce3810124368b59a2465e192c13e5b23d5e40803714b530c32878c6af9067fc63e82d4bd8b594524a647eb65ad9d97f18ab053a3fd6e411b2e04
-
Filesize
9KB
MD55fe2535261baeac9028693721e42f42e
SHA1e46dff243c80350fa09f1b0565eeb0e0a609903d
SHA256df4cbaff7ed54a18d56e77ce0ca8486b76f6bb7d4061e8e5572e59e44055ff00
SHA51253b1821857b1d07f92239f9f98e97075cc00f18c7d67b0a6b1285be6ac56cb8574b0f5d394c971ff4fb99a385eec2796a19c2ee4cc5fd0810dbb468887d0ac40
-
Filesize
9KB
MD54706e3bd1a70a12394bf5a2e31f01b4e
SHA1ac4de4b3db7fc446db311cd12a3f7e5e2e556341
SHA25622d74b9c3c2a40b56428100e1eb82817a9bfc4a93a85709fe915f9810f116b98
SHA5124109412e2e8a620d4e2ac60e7f9a36d3a4220d5e5ecaf3fdef4ecae30c08d0fd52f048700c37cea19932fb77da4d3374f54e938669958ed2d67891f85a4077e7
-
Filesize
9KB
MD50a5991676f1f760f4f3d9bfda0ba8915
SHA158ba1330eb2c2d7a1ed245d157b39efa9399614a
SHA256fff101c7e99e175cad8f018158a8f4f8971d250ba61ab585ab2b86f8e6e61616
SHA5124abb16014c50766a3b1e241aa3f2f7fc67e5eb1d026ca1ff2ec20e801be21af9f2dcfe0628550e358678f0b946bd3db0c36c70f5c6db70da6c499fd6bcd909c6
-
Filesize
9KB
MD5c4c0d88e2797282de90ad8c59b68fdcb
SHA19f5dc24272dbf18a8461f871d67dc8c1775d9938
SHA25608823375badd99f27adc6a100568acddbc2b15178800baeb7c31d84626202b9c
SHA51245f9ed808c10546cd24b2bc3dfb1ed388c93f3249d954bde6b2a7d5b9ff1b63a7278f2ad3ea6f05fe533fe85d2e468cf6fc72b812d222f8b3d52df274e5619ab
-
Filesize
116KB
MD5d416355ea514fa71c795c3e0b00423ed
SHA1d855f488a048fc22ddd183c106c3dbbc5d393e16
SHA2567b59eaae984fcaa595a499c1315c17edb033ee34588553c06ef30266b19969df
SHA512a2b686c4711de172158994805e5a786d03cf241fe74ca2788d605f962385c6edc88bdb78bc0be4d9f49da501d81c55a278a1e913b62cdb58fdcc0642f72266c1
-
Filesize
116KB
MD59f38f100e43369a8c55203568836a379
SHA158bb211104225a0c5e0440cf9e53be683c0b1fa7
SHA2569155e3c7ae2bf91a6cd612082c104897171388104f760cffee754309efb59f2f
SHA512b52959f2d6209b241dea93e1c83aa90cb4e8e5763a49f8b07a87fd1dbd0b71e519f6152387ce514e523fee1fcfa798462983b7345665119d3e81c8ef3f8bba93
-
Filesize
116KB
MD5676728aa805e87a57ced9895bab56886
SHA1b61b5e347f6ee3fe90983daba9c14b1f36a6f7ba
SHA2567baf97b076682ae9b1b1690641712dcf229e6f35c39e611e7fb5bc20aa2aac78
SHA51226956af0e1cabc900599c7ec2244836e37782a803bf8213728b73fc2a8657a13afa7dc11a76debacdb464fa36989413423a268e0764e187496c695db69c0fda1
-
Filesize
264KB
MD5963272c78f6889c9183bdd949a6bca40
SHA1ae47d0021a7e559e59a64cb89530cbc8a916b970
SHA256c3ba73e93a6b7e773bb2a232c282b8b8f651c071dd53432c94349f9fc4363a73
SHA512e187ffeba3e4c48938b35cdfe0c9431d0c19a1baf2a0dcd8a9e5aad50af50d32910d87a0f5b7494c72ec9b5c81cc8989f98dbdd0ce6f7f92601fd8e0ada60d03
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
2.7MB
MD5a995722eb11b80e3969246017340d6de
SHA12579f3a6bb52cb4640fbdde30435139b2383b8bb
SHA2568f8c5a3aaebc5417dd50c592f48863e0cf62bfb7d0f0e0c103c1528992cc64ca
SHA5122260e1f65c04adda4bc7f1a0fc173974fc220d925b0e70d7aebc7fbcf401d93c03b0503103984749ef3ca9e860fe9232c718bcfbb7b2ce8adbe03a501c208325
-
Filesize
1.6MB
MD598469fdffbc0508e37fc699245667327
SHA1b0612872ad0e70dc8ffa87d5b9ff1add4091611a
SHA2564cc4f9ecc9b1d00385cd78a88cad6f6e4b8a68ce5948707624cba75585f1b57e
SHA512f3e5cd813904a997a99227313572053ac5eae7e8923a125ddd8940c146c2465d688a4d26a57df5dd0d1b4abbcf7a056ef7c648c61b5dd08790eaf12f6d21b03b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB