hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz[.]bat

Resubmissions

28-12-2024 22:24

241228-2bslsstndj 10

28-12-2024 22:19

241228-18zwpstjcx 7

Analysis

max time kernel
270s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz.bat

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6112-370-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/6112-372-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IconDance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Bolbi"	wscript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
224	msedge.exe
224	msedge.exe
4656	identity_helper.exe
4656	identity_helper.exe
6024	msedge.exe
6024	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
2660	MEMZ.exe
2660	MEMZ.exe
4488	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
4488	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
4488	MEMZ.exe
4488	MEMZ.exe
1144	MEMZ.exe
1144	MEMZ.exe
528	MEMZ.exe
528	MEMZ.exe
1144	MEMZ.exe
1144	MEMZ.exe
4488	MEMZ.exe
4488	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
1144	MEMZ.exe
1144	MEMZ.exe
2660	MEMZ.exe
4488	MEMZ.exe
4488	MEMZ.exe
3092	MEMZ.exe
3092	MEMZ.exe
528	MEMZ.exe
528	MEMZ.exe
4488	MEMZ.exe
4488	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
1144	MEMZ.exe
1144	MEMZ.exe
4488	MEMZ.exe
4488	MEMZ.exe
528	MEMZ.exe
528	MEMZ.exe
3092	MEMZ.exe
3092	MEMZ.exe
4488	MEMZ.exe
4488	MEMZ.exe
1144	MEMZ.exe
1144	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
1144	MEMZ.exe
1144	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5232	OpenWith.exe
1300	MEMZ.exe
2660	MEMZ.exe
4488	MEMZ.exe
1144	MEMZ.exe
528	MEMZ.exe
3092	MEMZ.exe
2400	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1964	224	msedge.exe	82
PID 224 wrote to memory of 1964	224	msedge.exe	82
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 1504	224	msedge.exe	83
PID 224 wrote to memory of 4828	224	msedge.exe	84
PID 224 wrote to memory of 4828	224	msedge.exe	84
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85
PID 224 wrote to memory of 3720	224	msedge.exe	85

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"	wscript.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz.bat
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,5594621226329289543,13929979877090339209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4084

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\IconDance.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\IconDance.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5496

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3844

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6064

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Bolbi.vbs"
1⤵
- Checks computer location settings
PID:6084
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Bolbi.vbs" /elevated
  2⤵
  - Drops file in Windows directory
  - Modifies Control Panel
  - System policy modification
  PID:1424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1300
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2660
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4488
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1144
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:528
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3092
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2400
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
54876bf26fc76fd3a4ebd5a5c0fd6780

SHA1
c0bac534e417e1398b6e3cee7bc96de67b215fb6

SHA256
1db7882ac9ff0eca87b3476ec0bd22e7a4d1c978ef22b04ad5c15f9f00cbfdc3

SHA512
2dfc1bbb87b7e8bf33cc28698325927fa9a950fae0c7a7edd79cb2a35f01455b4f9338068702eb09f3ffc2af25546b6df709070853461d3498266f30cca4548c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
0028a1a5c441a3cd5a60c34da771564f

SHA1
e15d27a8322b435564ebcd36467b997d0fa8ef32

SHA256
8dc36283781a25af9e2ae76d255ae311b2715396f710ff0e9850b0e64525759d

SHA512
e26efd2be3114e733acdc00fb54150790872b10c88a7c4d3a19a16383bf58897ad89f14b3255a984f836666b98bafc099d8988532d03acda0dee7a7a7da3f40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70b8748e8d3be468542e4b8f5ae1abb4

SHA1
3f7c5a3a16aca874dda413b0828011b329194480

SHA256
8d3a2724c7d52a9d4c248bc7b75c79915831fe3596bafc22ceeb42924f16faa1

SHA512
9a4a6a2d3a67cba0f5a04b3ffaa56509d5d51f8cb4d64b724db627faea54f2f06729cac79c8f123986d20dbf7bd736a668e409c28861c6345c1cc0ed7f11f09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35378a624d4804c23d1b6c6d2fb9a14e

SHA1
8cf3ba395bfa4990939c4ededbd2c58783ba9fee

SHA256
fba55fce9d43759fcfcd1543bc27f778468625c1aabce3117153c63a3e342257

SHA512
efd7ec3e4bc7c922c25a8ec5ea8ce56050b24b0e818bfea4bfb9bc28cc727cdd6efd056ab59f2d3ded248f83b7b915db9312e275faeb7fa849e6c821ad985eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf78b30e558dddb9c875a45f6adefb82

SHA1
184c2b1df51f4fee9a32ae457bfbdcad2cf5531d

SHA256
f91abe020d4c3b17d1aa2b8e849fe5452fede9eb6f84937dfb67e0738e30fa30

SHA512
f0ab2ecefacab932913fd973ce03bcdd2afc81f453067c801c480e888a1bb51abe1bfce6694de6d64d4838560ece0a269b220959bd6976ea5bd4ff5255d903d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f83e8a3b20ab4cae2a4f6df97d9017c

SHA1
f6848e5acfd17b7a05894571f132d0a40c65319f

SHA256
a7bfe2b2ca3b5aee9f68900026785c0f9d1a4e695df5a642c9c1da0c27f8a424

SHA512
1e8e39aab521d97b738d5362da6ee7ff273dbb3543a2ea6922443de1ecffe14f58de0c5684a5c669e39d435f70c76103df257db0af2d9a070166026e29f68c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
43f97a6516e3cf6e1a23f782f9aed985

SHA1
082178a397d8f07b1ff8f58bb0c3c7efd24b669c

SHA256
aac89310506e5055b436e03d2a3a86a4fd1353e7e52d8e74f91b9108cf5a670c

SHA512
1e081b72202f4a937cc429152901894ad955b94e960903f6a7912ab6e9e724f8903120baa60a5b79f8fbc64fd94528b6e7c7501d6093e789a3bb4464cfd2d7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581690.TMP

Filesize
1KB

MD5
e60475dd39bb474f5c3cc867779d0352

SHA1
dde8255f3fe7ca68aae11a45bcbec1228311f1ea

SHA256
33956668885883af101798e50b9f7f190a520554c8c8193357ca1d69b3ecb825

SHA512
b214f6b22ef9ba0bdaca556b4b572a885db96d178ad4deb9f29d3ab60eeb45dd1c44cc56c9cee9a20587cd8f63c022b37f15912f70feb06cce66b2d2d4ac8f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7bc6eb2bf96947711439e1d0aeb80b3

SHA1
c28511c53ffd3b47a70f2f51e0f076bbfcf463dd

SHA256
bf6b87de4886a7df6e5616a85ae94e094ab72f0659f4c33a99d4c4c6881a1dc0

SHA512
5aa871cb28f11160dfa56244b331eb59f4fbaf02e1cc77d93791e62c5406c41c32358fc61607de74b5a06c7e911f6d71047b4b916655bc80b04e808a93560a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bae86dd8eacaf79924e513ea61b781f9

SHA1
727b9b05325c32c472bd9adcebb6cd6013e4d9a1

SHA256
3e9c6cafdcf4146a00586c77e2fe6a6ed0a5d8b7570d35d35252f0ec05fb756f

SHA512
bddf38e1f9580512e0259b7ee7df64c7dcc93f3e51a550c628fa20be37cba18cb7a5e74980ed5f9b5b26d52c5543607d6f1c45878a9b365dfae74c1cbedc2762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5158ed9a58d45127e299ce8c576571f0

SHA1
bb10995858884c93c9a18a5831a75ee24f265b59

SHA256
8e9d20ad7b19e9a79d58711b876e974abbe8e58480673866010da2928bfacf9e

SHA512
0d8cc29f8f881fcbd46bead2c46123525212a22b8a2ab84a48e42abd231d5bacfa8fcb48e5702a564a9b2901a9090ead72626e346c57460d3b0629780f948a89

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/3844-369-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5496-353-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6112-370-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/6112-372-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download