hxxps://github[.]com/ColossusYTTV/GorillaTag-Account-Manager

Resubmissions

31/03/2025, 05:49

250331-gjhfkstzcy 4

31/03/2025, 00:47

250331-a5dwysztfw 10

Analysis

max time kernel
10s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ColossusYTTV/GorillaTag-Account-Manager

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878738090397056"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1062200478-553497403-3857448183-1000\{25AF8D75-83E7-470F-8EA7-E94FD52830CD}	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3036	2108	msedge.exe	85
PID 2108 wrote to memory of 3036	2108	msedge.exe	85
PID 2108 wrote to memory of 332	2108	msedge.exe	86
PID 2108 wrote to memory of 332	2108	msedge.exe	86
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 5176	2108	msedge.exe	87
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88
PID 2108 wrote to memory of 4896	2108	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ColossusYTTV/GorillaTag-Account-Manager
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffafca8f208,0x7ffafca8f214,0x7ffafca8f220
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1928,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2256,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3508,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3516,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4840,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5020,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,1310005129456035808,9714779712212066071,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
7c654faa5f2a16fc5f8dbc3c97bfe59d

SHA1
02d3e463927357fac0410adcc5578833fd84073b

SHA256
432ba52e5ad3aa75c89b5b9030cdfd056e160598d3607ccd3d1f720f382e67f8

SHA512
2203ca95326e5c307900125c3bae36967b2505b3821f16cbd1b45136b99c1789692316b721ece3d5b541e4c82a7eff8a5ef5d6d3364d2324f72d8d9f9b57e7b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
5477d216019cd103d3f999cb96622153

SHA1
05bc728822e5ea3548ba51f66d459e79e24ccdde

SHA256
6878bf95aaa9c04e0d6a8bd65f660b8dc991ef26e951c5b22497328728b6709e

SHA512
07cf0598eb303ab6e825cf35e4a8af65351441a6f807e380964ccdcea3b46201b784614ad9f1fcc45078f3d80ffd93f5bdb33372a36762f23df6db95f47dabdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
32f66e8fe7ae6b9ef0ef58b014405d4a

SHA1
25f6b268b4d5971a2bd489d1e979ea005b02f80b

SHA256
0c64500755acc39c75aa131342671f1e9f284df71c8be93e78c9cdb2a4a8b1c3

SHA512
516dad6f6602fc6d5fb095f38d82c1d47af39806413c2020444e510ab86348dcedb6cd4e8c97fc674c03f15571dbbd2f4974eab168fae53dc55c53cf18ee2665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
7c0b909f2a233f6bb89b7d5bb89e2732

SHA1
1a70a271e72f2caa833049b1c18bb25b2049a1bb

SHA256
995c2e0f8845e25a46424597c9321890ca833a738df98f0bdc9172a9c508e9e1

SHA512
c3f2394f73d6a613e1ba3e609ddf57734459d0bcd3347d00133811650a918d0c5f95995deb6ce0b01077eef6f9cdfea5b49109f554870574691839b7336378d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e94165267bcb5b1357e6b4ef66a7e7af

SHA1
7facfab1a170dc66704a46020f4900c6c86a3505

SHA256
d16d2f17eddbb5742c44c662e6101b8fbb27c1ddde3e077744adc3318e64d322

SHA512
8bc0894f5a68f0e7a67f22df3210bdf40831b31343fcf53d56cbb2e984b4c1569517775438d20be3771de5efab2bcb1292a1d20721c5f566255ee5085e4a93bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
028a14f8b09734ec27c6f870d6979fcd

SHA1
5e2741f12cc5f15b7ca07d78ba00c6b6d84dadfb

SHA256
d5227deb8bb08229b5a55365d5fb7daf55b129201ee53f4fde0470d0d252a315

SHA512
29d4f2d1ace016d884e0e354bd04283e474efacbf6ae7a68fad214b7f20d841465b216d1200b4ab35d0c537f51b1f82a87149e07414846fe80418fc131a99c47

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads