Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 03:43

General

  • Target

    file (4).exe

  • Size

    97KB

  • MD5

    241421356dd99063199983faaaec1d8b

  • SHA1

    2f65f6007347bdeb6bce09f7b727ed3db30c86a8

  • SHA256

    ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5

  • SHA512

    59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee

  • SSDEEP

    1536:WUVdfhkoWcPdBW4TVu5nHhJKqMkwN7Y0S8iXU0CsNdyukfP+:WUVTVg5BWkfqUEsNYFfP+

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file (4).exe
    "C:\Users\Admin\AppData\Local\Temp\file (4).exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:5060
    • C:\ProgramData\Media\kasper_zaebal.exe
      -wait
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.eu/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab22046f8,0x7ffab2204708,0x7ffab2204718
        3⤵
          PID:2404
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
          3⤵
            PID:2928
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 /prefetch:8
            3⤵
              PID:2332
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
              3⤵
                PID:2668
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                3⤵
                  PID:3756
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
                  3⤵
                    PID:704
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                    3⤵
                      PID:3676
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
                      3⤵
                        PID:744
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3672
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
                        3⤵
                          PID:976
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
                          3⤵
                            PID:1424
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
                            3⤵
                              PID:4900
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
                              3⤵
                                PID:4316
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12657040567096605001,5615011472756216159,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6112 /prefetch:2
                                3⤵
                                  PID:408
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2428
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2620

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\ProgramData\Media\kasper_zaebal.exe

                                  Filesize

                                  97KB

                                  MD5

                                  241421356dd99063199983faaaec1d8b

                                  SHA1

                                  2f65f6007347bdeb6bce09f7b727ed3db30c86a8

                                  SHA256

                                  ca1d9b37d93106cab5f20fde3e6943ac0ae4761589cf31e2554fbabfaf80bfd5

                                  SHA512

                                  59757412acc955bbf6a0695fac8b1b7ac231ae9bee71a42307cc4ec793c09f4d52a7358b0a8b40fa0658fbc688743034eedcf16da36f8bd2643cc48deb2c73ee

                                • C:\ProgramData\Media\rdb.bat

                                  Filesize

                                  84B

                                  MD5

                                  c6f7299be3ecbb88acfde79c4dc2b63c

                                  SHA1

                                  1ce9da1d060431581f08d3fa83240aab5b281d81

                                  SHA256

                                  a22d2d0a98cec8c7efccea543dc7d770577b5a966735deffa2f1bce9ecfbad5d

                                  SHA512

                                  b7ce561caff59f6a08702f21dfc953b028ac6b47289c61f85468586ff9f941490bade7f78b4eb198ae958dcb58204c85db3b6ec1d071d9b0af6babe9534baa27

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  ba6ef346187b40694d493da98d5da979

                                  SHA1

                                  643c15bec043f8673943885199bb06cd1652ee37

                                  SHA256

                                  d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                  SHA512

                                  2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  b8880802fc2bb880a7a869faa01315b0

                                  SHA1

                                  51d1a3fa2c272f094515675d82150bfce08ee8d3

                                  SHA256

                                  467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                  SHA512

                                  e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                  Filesize

                                  408B

                                  MD5

                                  d053a3b8bd9d67888ccea515559e4f17

                                  SHA1

                                  b35e96247d46700d796346273cf58e7b9dc46a29

                                  SHA256

                                  1c8bd26b46ca691e0f20d2dc2755e035736f2f722d37b40f942a1295ec38db88

                                  SHA512

                                  a35ca5e15553456398afd7133dc5720680787e4c40ca79d0cdea62b31fe3f9113860b87a6a22d56863e6d1eb5e32a4d8af82c8c2d923efdc66483d7138c7d20d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  1KB

                                  MD5

                                  0cda9393746551fa07b11d2f2b7725d5

                                  SHA1

                                  e4534e2dfde2e93fe58f10caaabf398d7e097006

                                  SHA256

                                  153356fc7427a06931da957175ad30a6059d57fc24fa7597591d28d0485c5cf1

                                  SHA512

                                  e1890bb66728811514d4bf62b5f5fb877fb0ab4667141983f54e7b6b0ba1c4342e3ce91cea08de8070856d6d96bf97d91adfb909ba3a1d64d0370ce393258073

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  81f23c46791e7860158ce7413250e6a9

                                  SHA1

                                  6c2784233999dc9f90b847fe196642a31db90640

                                  SHA256

                                  6bae2d3badb314a4ad0676fbb82c7e74cdaf2e31a9dd0247d3bf8250363c5abf

                                  SHA512

                                  9efdf9cd8936bceb6679a5d81e46aadf56945738bd328ffc87f389f701716d97e34996f927529093f918ace4aba93be65e30711931ae2d29fb8801567b7e9f3c

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  7KB

                                  MD5

                                  b99af258ebf8d83a6c5da9c1b7e1f864

                                  SHA1

                                  970796f8bf5a6e440710ae4c368fadaee560ca61

                                  SHA256

                                  a01ce8f593fb80df32ab53d3a691421160211ce2bd74c07c7371ef2ecd2ffd65

                                  SHA512

                                  7a991be6b7e6006042108e5115d9b2c3a5b5a60a261f7f51bd71a924524ebf4dc13e536a52f40f1c6a493ceea6055c053086c7633590eafc1da0c00011886e0b

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                  Filesize

                                  168B

                                  MD5

                                  865a81ec6800f75a80f133fab6a02204

                                  SHA1

                                  2dcb53af590d0e4a24fe9bc4b12b4e0229894116

                                  SHA256

                                  409ebcee27ec1316c74074f86e8df9e3f590404dce79da38a40cd3023b2e0da7

                                  SHA512

                                  01816483fcd85c4ffbc099e34eebc8fc9fa36a027a0734f9d377b7d8da2d5c5243fe45d052a618303cc33adeef55239e441f9cb137a6b633f6028895ae48b9f1

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57df06.TMP

                                  Filesize

                                  48B

                                  MD5

                                  4d1a652772e36a647551fb3d707e2353

                                  SHA1

                                  8725a97bcc05e9bcf4ae9ebd5f76a21a685969ff

                                  SHA256

                                  f57f8635cd075bc85847c8646a578775f6ed6fb80dec0884765747ae487bb712

                                  SHA512

                                  da51f640076245d4e6967d3ecbea2612ed79268b5324d73364bd48877ab56b40dd32ad6ac0a130ddc11503db90d5ff382c41573fa019d071c40cd6bcea750ac9

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  caf1e9586228ad594be97aa8144e0f86

                                  SHA1

                                  76df69e9e9d7fc10b6197fe84593e4306f630c7a

                                  SHA256

                                  99aea1a78f9996ef13563a4ba0759b9b942a176ab638816e06dc442cef0e2e67

                                  SHA512

                                  c41d61563a6f20fde297f2822718e7b4764e438aba0aa86e748d41cda441e66c6aec1097e5c960ece65a59ab05c23b1da7e6284e1f8d1fcdffc4e1f684e07305

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  971625fc0507bfd05b3da76e4591caf1

                                  SHA1

                                  6229fd6d4116783073c1033fd3c81faae7a1670b

                                  SHA256

                                  d13e78fd815b7231639f0bb207da0567f38de88b2e7758631bc3d65497d7fdb6

                                  SHA512

                                  7cbe27ea80f1232d098d32d74b1fcf529b7c5dc1a65ee7e08fd7f1d4800e75148de7a3774717588b73f948910845145abce0b4b30914af2de926a832d344f657