Analysis
-
max time kernel
128s -
max time network
131s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
03-12-2024 17:33
General
-
Target
https://github.com/AyuGram/AyuGramDesktop
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Modifies registry class 33 IoCs
-
NTFS ADS 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/AyuGram/AyuGramDesktop1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffed5e23cb8,0x7ffed5e23cc8,0x7ffed5e23cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5121041966176632551,6107091854743388494,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5344 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\AyuGram.exe"C:\Users\Admin\Downloads\AyuGram.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53d68c7edc2a288ee58e6629398bb9f7c
SHA16c1909dea9321c55cae38b8f16bd9d67822e2e51
SHA256dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b
SHA5120eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f
-
Filesize
152B
MD5c03d23a8155753f5a936bd7195e475bc
SHA1cdf47f410a3ec000e84be83a3216b54331679d63
SHA2566f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca
SHA5126ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41
-
Filesize
25.4MB
MD5da3cf19f88301b65ba0fb96dfeb8389d
SHA1ad2d79a3728f3465f950272be440c2b2136d1cba
SHA2562f6b8f01f34b79af40f2aedacd125ffb0a0a0f4b6f5cae266335d79d65e47bf0
SHA5124a4d7bed170aec7d9662ede8e808b47fde78786706e8f4f400f79b042dd0e384c78445923e6ef15f7c0286deed8b674eb40fe6e7cae6df64311cc5931c661429
-
Filesize
1KB
MD5ba5cd96b0acb4517d6b9f29e7e3a9d35
SHA17a4708ed0c5ad6a9ed61d30d69b2f0b9b38965bf
SHA2562c43a6c78468ea88610ef7e89c0e282a59a3563f6f09669887ae37908cd3a93f
SHA512dd04603ba2dea358fe956bc24418c1034f5ad05f4a1e1ed8e0c42e037a9ff44ad0d3bfa926ee71d6cf1a84896d51b7960022bf12196118c083d66610424c58c3
-
Filesize
1KB
MD5b161b56615dbe7512e16f3200526a466
SHA152afb85bfdb6ae2cc826b46f7fbf0a5467573f37
SHA25607a5ada7dca1be78dbee97cec2134a9e4394f2ae912082aa9de964f02c1c7bf3
SHA512c0b3e88318101c7ed9cbf78797c9ae1d322cc0ff19e2f17016984ea2d582891ea591cfe23902ab32ee1e2110cc084076eed5ef5508f3550ac1965562e9bf0083
-
Filesize
656B
MD56dedf5bbc9076d1d785dff0ee22c64c4
SHA13bc18ec646e15279ff19c25f7fdd8e61cddef052
SHA256bf8aa662d6aa8fb59cdfdfa1904e88b87e7e218a3714af2a805ce63741314961
SHA512e149499519830a7dbe34375547ad43acb9d0df152ad877ddebedcfe59131e5f8edf27deed13bc254a6f06162311afed8119bfc63c8135780762ffc9b17a160f0
-
Filesize
5KB
MD5bb785c6a7d616658ca04f5b9a11d63bd
SHA1cce57bb2308fad9a354280ae1564fbd2f17675be
SHA256403a5938e235c9ce94c88f6d7d81f682821256adce1fcbaf9b62674e7f5897ec
SHA512ed7bf3d677a5192746801cb26db83275cdd1046b6da777da5612cebfcfe696016cb209f34ef103c0e6bee3247aaf0824a17c06ec39bce27e9da0d575ac1408ce
-
Filesize
6KB
MD5da67cd46cbe9a4426e6feeeb4c0f9441
SHA14115e63c6968d505968d17d630819a29f0ba61d3
SHA256a93c0ed87682f8a51f5fdc4a4bbcb4f9211780a92f675904ba2986b0d2a4f803
SHA5122793179fa317c0f4f9eafc89e7ff41876eb3f89a157e599bed4fbe244d38d9919317c0fae6793d799398f4ddb0cdb0f8c327e1edc9e13fd54520204459360bdb
-
Filesize
1KB
MD5ee330dbb2961ada19ada3c77d3d636f5
SHA1d851cc99f44f1eea1e113a25b6649fe324af5328
SHA25632a7f7e6adbfc729fb6dea98185de73e69bf606dc3ff10e6625e5cb670eb5c6b
SHA5124f0c0b3cdb1ffc92e5021e3485f94886ecb2a676efe9ad0ba02435272a31b052946705ef1d0e9988d578c413f5a77534c63589a1873c8b3eed049e6769df106a
-
Filesize
1KB
MD5700ee88de9e7d2db5606845c1b827fe9
SHA1132a521225d11ccd7bf9c6bee071f01036b97551
SHA25663badfcd5d22ac64b18224a3eed4b2fc3581ad41204955835846f57798dd78db
SHA51269f22f7ade8646fd634bf149ad956bcd28a769338ce1506ea4e54591dce9aab11f63bcd85b7cb2fcfc5264f9263507e047df959ee894e254e090fd514662ce34
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD58bb2d8d706a7be763c3bf47d7b80f22b
SHA12631ae7538e3cf279b028604882d5438cb972d43
SHA256ed8023d357066a72edb9ff3218f3ad499f78e3975b73f9f82bdb78c9cf49d3f9
SHA51287ae0249bdd241b83d7428d11919f51bc778be5eb546e0404a2cf82883bd78ce78ed49b3f2cba848cdc03bea7c6df679ebace0f8eb5881eba04d6503bdac73ea
-
Filesize
10KB
MD5879bbd4535642db69a0f78ec9953a9e2
SHA1569069045f6b47376d2b5ebe30be0d9d02107f9f
SHA2563f40f97e2ad19a53596aa00462c55b5ed6f0326917b9f51aa0c30a531d80304d
SHA512acbfaa546c21f103d33a4e2992802970a2a3016e0ee0f20bae0889aedf3af1e0b5cc2daa02b62dd0c1b24a0f21db64049d6cbdb62a26f03f5d4026b246545834
-
Filesize
10KB
MD5b4694c7f947990f4cc03a0c3b1ee8331
SHA1839ae5cd28ed3fd1589e028390f7bc3b1ee6100c
SHA2568ab48cbc036a092a267477ce16fc2f8496d383d21c727cdc157af190dddd76f1
SHA51251cda875491e814538e6c6405e0762032b44f562d2ad916173286d7651f11d5075f7d6168baaf5f9762b4113d86ee56cb7f5d44ee1b4ac04b788f619038b65fd
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
925B
MD58afd81cb13dc356b31889564434b8007
SHA1be81705e1c35d2a8d360c7ccd03a200cd53a9d6a
SHA25639449219b3838d4aea41e23d6d83530d127c634fabdeffc94965fd1e8791b24b
SHA51239d7a9a5115cb9fb148645713a20f106d1bf50f2e86ad74a463431870da8edf5550a6f878bb956b0a6ec6c5fc973821d2d54f679c13336112e6c6482df386057
-
Filesize
1KB
MD51fcbb597d29a1adc2746c584f3be8976
SHA19f9703a7d7ddf3bc31f6aa0a55086fdb718ccd5a
SHA2560fe5342e2112bfc794cf248502c5e513e1a8b198fa60b7ec9d562d8ee47098cf
SHA51275b69eca44a5e879171ac1f0f565dbfec807180173f7643c535a01f5983246fdfb48c948715e421412e74f263711fbd7e4d816c17731ff75bdaa55dd78f13563
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e