Resubmissions
25/03/2025, 16:06  250325-tkcb6syvbt  score 10
25/03/2025, 15:51  250325-tagh5sytay  score 8
25/03/2025, 15:46  250325-s71slsskt5  score 8
25/03/2025, 00:18  250325-alyf9aytby  score 10
Analysis
max time kernel: 127s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250314-en
resource tags: arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25/03/2025, 15:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/TheDarkMythos/windows-malware
Resource: win11-20250314-en
Errors (General): none listed
Target: https://github.com/TheDarkMythos/windows-malware
Malware Config: none listed
Signatures
Downloads MZ/PE file (1 IoC)
flow 25, PID 4928, chrome.exe
Executes dropped EXE (7 IoCs)
geometry dash auto speedhack.exe, PIDs 6008, 2016, 1864, 3396, 3776, 6092, 2432
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 4: raw.githubusercontent.com
flow 25: raw.githubusercontent.com (the same flow flagged above as the MZ/PE download, so the executable was fetched from raw.githubusercontent.com rather than from the github.com page itself)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification: \??\PhysicalDrive0 by geometry dash auto speedhack.exe (the /main instance, PID 2432, per the process tree)
The signature keys on the raw disk device being opened for write. The report does not show what was written, so whether the bootstrap code, the partition table or other sectors were overwritten is not established here; on a live host the check is to compare the first sector against a known-good copy before the machine is rebooted.
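The raw-disk write is the highest-severity finding in this report. As an added example (not part of the sandbox report and not the sample's code), the following Python parses a 512-byte first sector, checks the 55 AA boot signature and the partition-table status bytes, and compares the bootstrap area against a SHA-256 baseline recorded on a known-good host. Both sectors it works on are constructed inline; since the page does not show what the sample wrote to PhysicalDrive0, the tampered sector is only a stand-in. Reading \\.\PhysicalDrive0 on Windows requires Administrator.

```python
import hashlib
import struct
from typing import Optional

# Added example, not part of the sandbox report. Classic MBR layout constants.
SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bootstrap code area before the disk signature
DISK_SIG_OFF = 0x1B8        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE      # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE        # bytes 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into MBR fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        # status (0x80 = active), CHS start (skipped), type, CHS end (skipped), LBA start, LBA length
        status, ptype, lba_start, lba_len = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "lba_len": lba_len})
    return {
        "bootcode": sector[:BOOTCODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "boot_signature": struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0],
    }


def bootcode_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap area; record this on a known-good host as the baseline."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: Optional[str] = None) -> list:
    """Return findings; an empty list means nothing unusual against the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["boot_signature"] != 0xAA55:          # 55 AA read as little-endian uint16
        findings.append("missing 55 AA boot signature")
    digest = bootcode_digest(sector)
    if baseline_digest is not None and digest != baseline_digest:
        findings.append(f"bootstrap code changed: sha256 {digest[:16]}... differs from baseline")
    active = 0
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] == 0x80:
            active += 1
        elif p["status"] != 0x00:
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    # Zero active entries is normal for a GPT protective MBR (type 0xEE), so only
    # more than one active entry is reported.
    if active > 1:
        findings.append(f"{active} partitions flagged active")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed clean sector (not from the analysed VM): a tiny real-mode stub
    plus one active NTFS (type 0x07) partition."""
    stub = bytes.fromhex("33c08ed0bc007c8ec08ed8")  # xor ax,ax / mov ss,ax / mov sp,7c00 / mov es,ax / mov ds,ax
    bootcode = stub.ljust(BOOTCODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry0 + b"\x00" * 48
    sector = bootcode + disk_sig + table + b"\x55\xaa"
    assert len(sector) == SECTOR_SIZE
    return sector


def tamper_bootcode(sector: bytes) -> bytes:
    """Constructed stand-in for a bootkit write: overwrite the start of the stub with a jmp-self loop."""
    patched = bytearray(sector)
    patched[0:16] = b"\xeb\xfe" + b"\x90" * 14
    return bytes(patched)


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (Administrator on Windows; e.g. /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootcode_digest(clean)
    print("clean   :", check_mbr(clean, baseline) or "no findings")
    print("tampered:", check_mbr(tamper_bootcode(clean), baseline))
```

The baseline hash is the part that makes this useful in practice: a bootstrap area that merely "looks valid" tells you nothing, since a bootkit keeps the 55 AA signature and a sane partition table so the machine still boots.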
Drops file in Windows directory (1 IoC)
File opened for modification: C:\Windows\SystemTemp by chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
File opened for modification: C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier by chrome.exe
The process that touched the stream is Chrome's quarantine utility (--utility-sub-type=quarantine.mojom.Quarantine, PID 2664 in the process tree), which is the component that applies the tag to a finished download. The signature fires on any write to the stream, so by itself it does not show the mark being stripped; read the stream back after the download completes to confirm whether ZoneId=3 is present.
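To see what the stream contains and to verify the mark after a download, here is an added Python example (not from the report and not Chrome's code): it parses the INI-style [ZoneTransfer] content and reads the stream from a file by opening path:Zone.Identifier. The stream text is constructed for illustration; the ReferrerUrl reuses the submitted URL, and the HostUrl path is a placeholder because the actual download URL is not shown on this page.

```python
import sys
from typing import Optional

# Added example, not part of the sandbox report. Constructed stream text: the
# referrer reuses the submitted URL, the HostUrl path is a placeholder.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://github.com/TheDarkMythos/windows-malware\r\n"
    "HostUrl=https://raw.githubusercontent.com/example/placeholder/file.exe\r\n"
)

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] section into a dict; ZoneId is converted to int."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, value = line.split("=", 1)   # URLs may contain '=', so split once only
        key, value = key.strip(), value.strip()
        if key == "ZoneId":
            try:
                value = int(value)
            except ValueError:
                continue               # malformed ZoneId: leave it absent
        result[key] = value
    return result


def zone_name(zone_id: int) -> str:
    return ZONE_NAMES.get(zone_id, f"unknown ({zone_id})")


def is_from_internet(text: str) -> bool:
    """True when the mark is one SmartScreen/Defender treat as untrusted (zone 3 or 4)."""
    info = parse_zone_identifier(text)
    return isinstance(info.get("ZoneId"), int) and info["ZoneId"] >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS from an NTFS file on Windows; None means no stream, i.e. no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:                    # FileNotFoundError on a file without the stream
        return None


def describe(text: Optional[str]) -> str:
    """One-line verdict suitable for a triage note."""
    if not text:
        return "no Zone.Identifier stream: no Mark-of-the-Web"
    info = parse_zone_identifier(text)
    zid = info.get("ZoneId")
    if not isinstance(zid, int):
        return "Zone.Identifier present but ZoneId missing or malformed"
    verdict = "untrusted origin" if zid >= 3 else "not treated as Internet-origin"
    return (f"ZoneId={zid} ({zone_name(zid)}): {verdict}; "
            f"referrer={info.get('ReferrerUrl', '-')}; host={info.get('HostUrl', '-')}")


if __name__ == "__main__":
    # Pass a downloaded file's path to inspect its real stream; otherwise the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(describe(read_zone_identifier(target) if target else SAMPLE_STREAM))
```

A missing stream after a browser download is the interesting case: it means the mark was never applied or was removed, which is the bypass the signature name refers to. A stream with ZoneId=3, as Chrome's quarantine service writes here, is the expected outcome.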
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by geometry dash auto speedhack.exe (7 entries, one per instance) and by notepad.exe (1 entry)
The notepad.exe hit shows how generic this signature is: any process that reads the NLS\Language key triggers it, so on its own it is weak evidence of deliberate geofencing.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by chrome.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by chrome.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry by chrome.exe
Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873912720625755" by chrome.exe
NTFS ADS (1 IoC)
File opened for modification: C:\Users\Admin\Downloads\geometry dash auto speedhack.exe:Zone.Identifier by chrome.exe (the same event as the Mark-of-the-Web entry above)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
chrome.exe (PID 2100): 4 entries; geometry dash auto speedhack.exe (PID 2016, a /watchdog instance): the remaining 60 entries
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
chrome.exe (PID 2100): 3 entries
Suspicious use of AdjustPrivilegeToken (64 IoCs)
chrome.exe (PID 2100): Token SeShutdownPrivilege and Token SeCreatePagefilePrivilege, alternating, 64 entries
Suspicious use of FindShellTrayWindow (35 IoCs)
chrome.exe (PID 2100): 35 entries
Suspicious use of SendNotifyMessage (12 IoCs)
chrome.exe (PID 2100): 12 entries
Suspicious use of SetWindowsHookEx (64 IoCs)
geometry dash auto speedhack.exe, PIDs 6008, 2016, 1864, 3396, 3776, 6092, 2432 (all seven instances, 64 entries in total)
Suspicious use of WriteProcessMemory (64 IoCs)
chrome.exe (PID 2100) wrote to the memory of its own child processes: PID 2392 (procid_target 78), PID 2404 (79), PID 4928 (80) and PID 2132 (82), 64 entries in total
Those targets are Chrome's crashpad handler, GPU process, network service and storage service (see the process tree), so this is the browser's normal child-process setup rather than injection into an unrelated process.
Processes

chrome.exe (PID 2100)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/TheDarkMythos/windows-malware
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    chrome.exe (PID 2392), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82776dcf8,0x7ff82776dd04,0x7ff82776dd10

    chrome.exe (PID 2404), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1860,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1852 /prefetch:2

    chrome.exe (PID 4928), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2240 /prefetch:11
      - Downloads MZ/PE file

    chrome.exe (PID 2132), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2332,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2480 /prefetch:13

    chrome.exe (PID 5004), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3184 /prefetch:1

    chrome.exe (PID 1244), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3204 /prefetch:1

    chrome.exe (PID 5032), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4164,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4176 /prefetch:9

    chrome.exe (PID 672), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5108,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5116 /prefetch:14

    chrome.exe (PID 2068), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5232,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5368 /prefetch:14

    chrome.exe (PID 2004), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5216 /prefetch:14

    chrome.exe (PID 5440), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5144 /prefetch:14

    chrome.exe (PID 2664), child of 2100
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4228,i,93335327433350817,12261302678404609549,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5400 /prefetch:14
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS

elevation_service.exe (PID 3996)
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

svchost.exe (PID 1988)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

rundll32.exe (PID 876)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

geometry dash auto speedhack.exe (PID 6008)
  "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

    geometry dash auto speedhack.exe (PID 2016), child of 6008
      "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    geometry dash auto speedhack.exe (PID 1864), child of 6008
      "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    geometry dash auto speedhack.exe (PID 3396), child of 6008
      "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    geometry dash auto speedhack.exe (PID 3776), child of 6008
      "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    geometry dash auto speedhack.exe (PID 6092), child of 6008
      "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /watchdog
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    geometry dash auto speedhack.exe (PID 2432), child of 6008
      "C:\Users\Admin\Downloads\geometry dash auto speedhack.exe" /main
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

        notepad.exe (PID 1232), child of 2432
          image: C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe" \note.txt
          - System Location Discovery: System Language Discovery

Reading the tree: chrome.exe 2100 is the sandbox's own launch of the submitted URL; the executable is fetched by the network-service child (4928) and tagged by the quarantine child (2664). The dropped binary (6008) starts five copies of itself with /watchdog and one with /main, and only the /main instance (2432) opens \??\PhysicalDrive0, so a responder should expect the watchdog instances to keep the main one alive when trying to stop it. The /main instance then opens \note.txt in Notepad (a drive-root-relative path, i.e. the root of the current drive). The image path of that child is C:\Windows\SysWOW64\notepad.exe although the command line names C:\Windows\System32\notepad.exe; that is WOW64 file system redirection, which shows the parent is a 32-bit process.
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Pre-OS Boot (1): Bootkit (1)
  Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Downloads
Most entries in this capture carry no file path; only two Chrome cache files are named.

Filesize: 649B
MD5: 8e3c94ea49e51de1c004685cd773bb5a
SHA1: 14965be5e15406ce9d1c805a43b262b28ac82e6a
SHA256: 643c4a39239807122db79922ff59137babc38fec607c5b96d38fb9ec0439ce28
SHA512: c76e049ccf30226eebf25518acc541467dc381d5494b5b9024f898d3d684e1f21eb3986dcd9f90ea678cc6277e08d2ea96f31d4f3f4af9a828a96fd746e8ab68

Filesize: 2KB
MD5: c1971b9fccbbe57c6479549ea4a6735e
SHA1: 264089201edb077d881856be43f54bbada2bb75d
SHA256: f5428ee87bce23912850ceaba86aec2adb043949f5bb056b51ce2769feaf60c1
SHA512: 4ef9d67ec8ac54fbc558c7fa8d7038d9ba5e8cc5d494592c9dd42c911f66fb2778f5886840c905e3dea95f69bed22348b0c8ad8ab42c67a5ffab400b1eb3a842

Filesize: 2KB
MD5: eaef8884683c1878b8d419531ff0a433
SHA1: 9fdaddd66821fb14801f04aff3d0880da28a094d
SHA256: 72e7f960035202574f42f74b822f51e3c1fad7695fd7807feb332db52e33fcf4
SHA512: 4553c6de56b8fa9bd6af52158697ed369919ea8e8bb30a6cd3f832d5f83018fd53a4266da492e59fe551b4c152a92f24d2599482824dcdd2b5bcf1a69a987797

Filesize: 3KB
MD5: 0cf312e6a7cdae16b664afca36f4644b
SHA1: 9be3cd7dbd4065d7be2f363122b58ac290c5a24c
SHA256: 47a8e89872fc0b22c47ec473578063fff74b661f53e3f5578ae4fcc972e12951
SHA512: 18cf0717bf6ef8de2f52b9ca5d89f7dc92fcb56d207ea4a105280e3ca0e821f47d9a71f56ca771429428ddcca14ce80017c7e868c9cebfaab9a7ae90bb9590e4

Filesize: 3KB
MD5: 8a659fb868b8346bd361a53a7bf663a2
SHA1: 68b090d1a61616205165625280fad6b58797ba1c
SHA256: 6fa60e2e6f70d8605e434b44ea776ae0a1ce2360c98bd80edfbea4bfd0733d72
SHA512: 17bb44f765114e95b45d6c86b80b69fb81112ef1b5e8679bc441acfd37f68428a0b1aad02911492de55de36e6dfc5e3f0487280726c08999d5e3e54c5d11a024

Filesize: 2B (these are the hashes of the two-byte string "[]", an empty JSON array)
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5: 1c30cc5b1816169f5699c2b5fbf3dc07
SHA1: 0dda2f21177d7f7a203337d6ee57363bdfba913c
SHA256: 610b2801cd32f65ac1b8c60aa4713af28108d2c33ab8d92177ff7ca3a54dfde2
SHA512: 5f6c594ea6a695d3a268d14440f95a0bf5fe9b2f2adfc66fa2e3dd1c05d3b9546327af01fc6b71d23fc96ef78cb1c8c8ace8b7851db5c47e5ca6a7d317c27abf

Filesize: 11KB
MD5: d8f40b8135eef228e2c003c28a9c5c4c
SHA1: d516753e6d5791652ec6035a9c6c1edffa62ad31
SHA256: 5ea5d0e3c8cd9ab1b5980b4ed4ec925ec6b2cc161b254872333d7fff05d399cc
SHA512: 2c88608a45f4421dea0e1431dd2ae391d36702e3bb60dc3add5cfe63f9a583dde32d66cb8241c1320f74f9ed8fa69674fb891dcb68bca7d6e34f8e1b43999079

Filesize: 11KB
MD5: cf5174144e5643285b2b930bf703de86
SHA1: 3c12a34007f938096e2338c58c702bf5edceab96
SHA256: e46ce466a696edb980b61717e712d23e93f6f9976d5de183fae2e41443adb5ab
SHA512: 8007e1f2d12e40044ab89f17db3578cdb76b2e9241d4107d7414962d7ba7013b4a88db8241dcb3ee11982936dd5aec9657bdeea039a5e2c81d41f8648d4a3ab4

Filesize: 11KB
MD5: 4ce6b48106153dd33115083c165e9df8
SHA1: 7cf5ace5e503f6a53e2740c073564b3fdb86e54b
SHA256: 86c59c02003203393f3efeae13e09f62afb048c4815a7934a5e67634276d9423
SHA512: 59543c9f80d9f5e5502c920cd635d5480e2dab6841756c822597286ec79973bd61d790271868a08a5b574a4f143ed16876c18984d87f3b5ed3a7c109295134e3

Filesize: 11KB
MD5: 4810f77dab9cb2cf6949df894f357c50
SHA1: dd81dccbca0665c46969a9d22e4e19f002f80a9a
SHA256: f6146d164aa2d59affcf47657bb553fa45efef6bbcfed78028cfc96a5450cc36
SHA512: 14ef3964b55e00b0fcbea6aca0e90f55f875a652850f42f02911c6ada308086c1643f279ea8ce2ce62fba9cdd25fdcb431258235e3525016ff0dfabf7aea249f

Filesize: 11KB
MD5: fefb4d8e8aa3dc37320f2f568fd626a0
SHA1: 27c16e86fae2bb5128cc2aaaa59c11007eabecf9
SHA256: 8c98bcb52337f1e8ec9b095066dec5b87c79209bd90c2d82f2ca23ef2146cb7b
SHA512: c19e632861fee074a0db1db9852c5bdd89fae119d88f297d238d69ecd097ea53c6b9fabfa51f44a9e577dc53b1fcd293db057a1d8cf6a19f98c7d20558bb0d10

Filesize: 15KB
MD5: 0c4ee74392bcb9c2651fb89da5d6ea38
SHA1: 3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30
SHA256: 271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869
SHA512: 0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 5f02585b306e4f7f97ff6ee6351159b8
SHA1: 6b315cc76010964286d54ba3a3469a7cde746ac7
SHA256: 6a53acd3ef03bea3573cd39dfc36e1f1a1eb52c20b8cd8fc36b22df4ff7b5b34
SHA512: 4b6f7a1be873a1e9aef957576a008f5aef6de328f117388d8930c0820d6239b33bc6b31ce0da1f60cd150ec951b9126b224b1bdd44af594baa05247ee38d921f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b391.TMP
Filesize: 48B
MD5: 062c36be6ecd5b2cdb7ceffb08b776d4
SHA1: c19f5ad5a5de786246337262689aa1908f261afc
SHA256: f8621021821f55e619f6e6b67cfaa71636f443a823fc0178c4430419a7eec2da
SHA512: 4115df426b67b6419d4ae9eb61ebe99de97a15afee55806fb45efb2c7deff815c3f30a50c2503c2cda22009728dec133a71895fc925d4bab952908d91a0595ec

Filesize: 264KB
MD5: 64f6c45c71638b4da3d9e46c0194b78b
SHA1: 351a284b6143d5700ed170acced2bfc1efcf82ff
SHA256: a207be7a7f1100ab710138c79be36e3988b78ebd65061f349961f4c59b1bc463
SHA512: ca602635d9668f77266e664affa5fd8f68ce24f1a899520c659604e46a7be574c4e9a7c963e14432ad1cfe00091c9c070cd8f9627f8d3663ac39708340f1d498

Filesize: 80KB
MD5: 3b2216f600386f1732381f195f728ca2
SHA1: 3f3fea5bb452abe34b10cb5477add704d356f32b
SHA256: 559d929b58d395e6fa9501301fdac2f00b87867a14860957dd1debc23a0450d1
SHA512: 0d80a8bea7817b8931b2458b24074af99d19173e6e3216644a0e13ebb807fa72e4740478da062d23eeab0a763ed7c3a1effd57f7552a851c1a3129d012564c16

Filesize: 81KB
MD5: 8c0e671a5fb6ba7741ca004cf29eb130
SHA1: aac7ab7018492a120d557085b6f7884802c5d403
SHA256: 9136adc908f5b4c9e94af348d1a9e89739246b1ef04fde225964a9d7c5e22511
SHA512: 2762c77a6ed763de4ee46e335ecdcb454243f13e59c952d274295e2032b6dbfa697c0c6ff9d4816e0cae27559a8acc30615a8e5be7d267b63847cd18ba84b479

Filesize: 81KB
MD5: 2b63a6142f3f9671de8c4994c9370189
SHA1: 49845bd1eed86ed81b83c071644c48b20ccd5d0c
SHA256: 572b647fa578ee239cbb3587127808132d69e4b54e04e3645ba961a3f905ffa6
SHA512: 72b2fb3f9a3bc27e30a15bbaaf9a6579390231df33b31158e1b96a0800d24242fecddf50334e930d9fc35ddffc3db6f0de7039b84927dfa9dfd7e152ce9eae51

Filesize: 81KB
MD5: 4da3d394c3414735d62ef6fa6a6db74c
SHA1: 1da77b7129ca75a8ffd98cab004cdd1711da1ca9
SHA256: bfd79ad72c25ac4fa7c9463f382b9c1ee0370a31a4d3f3d04b567cb63c09de6c
SHA512: 4afb310a57668955c8cbc0bc4ff2d4d249902a59abcb515de56c4813bf6664dd4a934099c5210c1e29b44ea6fd1c3f7446d7cc222b74a66f342ea4f5daf19b3e

Filesize: 14KB
MD5: 19dbec50735b5f2a72d4199c4e184960
SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Filesize: 55B
MD5: 0f98a5550abe0fb880568b1480c96a1c
SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Filesize: 218B
MD5: afa6955439b8d516721231029fb9ca1b
SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf