Resubmissions

13-12-2024 17:02

241213-vkk5rawqhr 8

13-12-2024 16:57

241213-vgll4svmby 5

13-12-2024 16:55

241213-vfa4zsvlht 5

Analysis

  • max time kernel
    121s
  • max time network
    102s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    13-12-2024 16:55

General

  • Target

    sample.html

  • Size

    267KB

  • MD5

    2c7efdbcd898a5074f861127c98af124

  • SHA1

    4e48d6098569572602e1c3dfc114092b8230c865

  • SHA256

    7f945a0e46602ccd3a5c13416268d3ebfecd733a8e15b068dbbce4c2c8441985

  • SHA512

    2c76c82b97c5c5db464ac19d1c7907f810464705cb6823484c27e4af8bd12120cc0ed0f581d9f48c50d79a4e3b035add2c51dc229b40264e3f9670f12b765299

  • SSDEEP

    3072:tTW0Oi+0joZJ6IXn/loJzh4kgEJ6LFIsg1AwtN+Tl/js2:tTW0A0joZIIXuJzgEJMIBgs2

Malware Config

Signatures

  • Detected potential entity reuse from brand MICROSOFT.
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8993e46f8,0x7ff8993e4708,0x7ff8993e4718
      2⤵
        PID:1036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,17165674276901383287,8600254664646912746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1372 /prefetch:2
        2⤵
          PID:4844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,17165674276901383287,8600254664646912746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:400
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,17165674276901383287,8600254664646912746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
          2⤵
            PID:4008
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17165674276901383287,8600254664646912746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            2⤵
              PID:2160
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,17165674276901383287,8600254664646912746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
              2⤵
                PID:4884
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:4968
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:2192
                • C:\Windows\System32\oobe\UserOOBEBroker.exe
                  C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                  1⤵
                  • Drops file in Windows directory
                  PID:408
                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
                  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
                  1⤵
                  • System Location Discovery: System Language Discovery
                  PID:4776
                • C:\Windows\system32\wwahost.exe
                  "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies data under HKEY_USERS
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:4656
                • C:\Windows\system32\SystemSettingsAdminFlows.exe
                  "C:\Windows\system32\SystemSettingsAdminFlows.exe" EditUser S-1-5-21-3829776853-2076861744-2973657197-1001
                  1⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:5460
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x0 /state0:0xa3a2a055 /state1:0x41c64e6d
                  1⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:5872
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                  1⤵
                    PID:3224

Network

MITRE ATT&CK Enterprise v15


Downloads

                  • C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0600_notdimmed.jpg

                    Filesize

                    101KB

                    MD5

                    1765a76a3cb1d60d429d2e9a0c500832

                    SHA1

                    7821bb35ce216937fa5f19383e3211899511f093

                    SHA256

                    1a3d88e9c6b858be7737aed9bf044494cf4c443683284c6ce97763b5785812ca

                    SHA512

                    6c0a2db0e39e0ce5fe4e7bb919fb0981cba55e1a51f0a47df67dd5a1f416e1ebe505d072fc89eb68cf956caf0c2abc272450dcd5410a51c7af6c17501f6d7e45

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    e8978379b8b4dac705f196c82cddb401

                    SHA1

                    873169c69e4aaa8c3e1da1c95f3fc6b005f63112

                    SHA256

                    83528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa

                    SHA512

                    2d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                    Filesize

                    152B

                    MD5

                    c8c74ab5c035388c9f8ca42d04225ed8

                    SHA1

                    1bb47394d88b472e3f163c39261a20b7a4aa3dc0

                    SHA256

                    ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9

                    SHA512

                    88922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

                    Filesize

                    70KB

                    MD5

                    e5e3377341056643b0494b6842c0b544

                    SHA1

                    d53fd8e256ec9d5cef8ef5387872e544a2df9108

                    SHA256

                    e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                    SHA512

                    83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                    Filesize

                    6KB

                    MD5

                    3b8e7c6ec6ed95d32bc4175c33e5a81e

                    SHA1

                    ccd65b6a4addb6ee2ebe5238f107ee4393767b16

                    SHA256

                    7670c83ed1580f39a9874ccba2e6a6b30ac3e06535c7d9dbbdc52e3a22a2eeba

                    SHA512

                    0d1552734fc7836ecd570713fc0a8172e3b28fae2e32ddcf03c6a464f427b65fcdde1d4b562994d8eaa33c81bbf8175d789fd18c225dd7410359ed8cafdfb0c9

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                    Filesize

                    5KB

                    MD5

                    1770ddc39623ffa2b989c6ffef6fc814

                    SHA1

                    b2d9b694e40e3182b889584048028a61b5db2292

                    SHA256

                    cef841d570f4ef509baa8c6cc5992156777ae802a240cd98319e463c2df2c341

                    SHA512

                    85b3cc4630fee0065642a227639ee6d9e9a59b3ef945e078390667045c39fec6166692185e09cfbd5fd9a43f938ed5f366b24f1bba9022071226150bef766404

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                    Filesize

                    24KB

                    MD5

                    671cfbd0275770e681ef4ede37140969

                    SHA1

                    ac145dd046e86ab6aff6340664c509c4fd5f1746

                    SHA256

                    dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823

                    SHA512

                    d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                    Filesize

                    24KB

                    MD5

                    2dc0e85ad4fd458d34d9cc947aaf4010

                    SHA1

                    661bf6417b9df1931cc252dd4ca78defd903385f

                    SHA256

                    d043ceb120c7de0adc6120d0af09ea4844a7f957ec0023d3721a77f43061dc52

                    SHA512

                    d93e340824366e69e27838020633377f425094c9281cd31be06592760f18dc9ffaa95495846e648458f288e0253fcb9813fa74a94ce6a196be675b86a5d2506f

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

                    Filesize

                    16B

                    MD5

                    46295cac801e5d4857d09837238a6394

                    SHA1

                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                    SHA256

                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                    SHA512

                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

                    Filesize

                    41B

                    MD5

                    5af87dfd673ba2115e2fcf5cfdb727ab

                    SHA1

                    d5b5bbf396dc291274584ef71f444f420b6056f1

                    SHA256

                    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                    SHA512

                    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                    Filesize

                    8KB

                    MD5

                    7b0343c43f8ef886ce9654f249e24bc7

                    SHA1

                    d5a07f083adf0acf0c25bc25e49c3c55900665f5

                    SHA256

                    24cedba9910cccba88d83aa3ded640a3848e2137db04242b505d3a4247221e99

                    SHA512

                    f6cfd462841116b9e91793f1c979b11c472b4aafda889270e52c1188b7b98e0c5bbd9db27357cffa4acdfdb84fcbfcbdc051c4bfd2087e42eaf1d9719d9d8cc6

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                    Filesize

                    264KB

                    MD5

                    f50f89a0a91564d0b8a211f8921aa7de

                    SHA1

                    112403a17dd69d5b9018b8cede023cb3b54eab7d

                    SHA256

                    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                    SHA512

                    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U2I291CS\account.live[1].xml

                    Filesize

                    13B

                    MD5

                    c1ddea3ef6bbef3e7060a1a9ad89e4c5

                    SHA1

                    35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

                    SHA256

                    b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

                    SHA512

                    6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

                  • memory/4656-401-0x00000251B92F0000-0x00000251B9310000-memory.dmp

                    Filesize

                    128KB

                  • memory/4656-553-0x00000251CC6E0000-0x00000251CC7E0000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-527-0x00000251CC560000-0x00000251CC660000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-513-0x00000251CC330000-0x00000251CC430000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-766-0x00000251CE6D0000-0x00000251CE7D0000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-756-0x00000251CD5D0000-0x00000251CD6D0000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-512-0x00000251CC330000-0x00000251CC430000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-979-0x00000251CFC00000-0x00000251CFD00000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-1426-0x00000251CC560000-0x00000251CC660000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4656-1529-0x00000251D0590000-0x00000251D05B0000-memory.dmp

                    Filesize

                    128KB

                  • memory/4656-508-0x00000251BC040000-0x00000251BC060000-memory.dmp

                    Filesize

                    128KB