Overview

overview

10

Static

static

10

BRUH WTF/b...gs.xml

windows11-21h2-x64

4

Resubmissions

24-12-2024 19:02

241224-xp5fastrdy 10

16-07-2024 19:00

240716-xn2b9avhmm 10

29-04-2024 18:50

240429-xhbjmsac4x 10

29-04-2024 18:47

240429-xffetahh23 10

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-12-2024 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BRUH WTF/bin/settings.xml

  • Size

    688B

  • MD5

    5769c0618b9fe4873c9256b5cbbf2b95

  • SHA1

    e123705e308feb804baf0f23949f966e78162dd5

  • SHA256

    a5828dc580978f8e1f37459d33e8158416b6c8a0c2881e9eabced034ecfbd15c

  • SHA512

    15f80ce7cb33125c856dd7b6ed032dedc0ea30c40eb72d44e0c4f7cecefe33e54449c51f70efe88154dc35f52bdaa78b6fa6079cc55425aefcd7088d3f25acae

Score
4/10
discovery

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BRUH WTF\bin\settings.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\BRUH WTF\bin\settings.xml
      2⤵
      • Modifies Internet Explorer settings
      PID:5016
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:4196
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:4424
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1576
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:5032
    • C:\Windows\system32\control.exe
      "C:\Windows\system32\control.exe" netconnections
      1⤵
      • Modifies registry class
      PID:1272
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" devmgr.dll,DeviceProperties_RunDLL /DeviceId "PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18"
        2⤵
          PID:4924
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
        1⤵
        • Modifies data under HKEY_USERS
        PID:1652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0c0f3547-3700-4061-a8ab-378fc715816c.down_data
        Filesize

        555KB

        MD5

        5683c0028832cae4ef93ca39c8ac5029

        SHA1

        248755e4e1db552e0b6f8651b04ca6d1b31a86fb

        SHA256

        855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

        SHA512

        aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

        Download Submit

      • memory/3096-4-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-1-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-8-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-5-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-7-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-6-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-10-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-9-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-3-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-2-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-12-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-11-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-13-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-17-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-15-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-14-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-16-0x00007FF81AED0000-0x00007FF81AEE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3096-18-0x00007FF85AE40000-0x00007FF85B049000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3096-0-0x00007FF85AEE3000-0x00007FF85AEE4000-memory.dmp

        Filesize

        4KB

        Download