625a73a544830cdf20dd0d945cb2382269df737d69add344a6b5e9c3f876603a

Analysis

max time kernel
40s
max time network
40s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ng2-raider-main/main.py
Size

187KB
MD5

34e0f1004a864d96dfade70e923fb390
SHA1

9a049a6b9d232280232b3b50ad9db27d858b7b08
SHA256

d441cc963fd6f75a8858affdee5a87afff4bb9f3e0da7c30514fd8500cf072b8
SHA512

99908c160efebe46af43d27d903c0385d54ce20f7063ef496e697c6d10e8cc3b0f923ca0bbb52133b5a153b2dfa108daeee156fb04a9d386d0db9f7b2a87c286
SSDEEP

24:F++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++H:X

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid process

3120 chrome.exe
3120 chrome.exe
3120 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4932 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3120 chrome.exe
3120 chrome.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

chrome.exe

description pid process

Token: SeShutdownPrivilege 3120 chrome.exe
Token: SeCreatePagefilePrivilege 3120 chrome.exe
Token: SeShutdownPrivilege 3120 chrome.exe
Token: SeCreatePagefilePrivilege 3120 chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exe

pid	process
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe
4932	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exechrome.exe

description	pid	process	target process
PID 4932 wrote to memory of 4452	4932	OpenWith.exe	NOTEPAD.EXE
PID 4932 wrote to memory of 4452	4932	OpenWith.exe	NOTEPAD.EXE
PID 3120 wrote to memory of 3272	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 3272	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2436	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 4464	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 4464	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe
PID 3120 wrote to memory of 2312	3120	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ng2-raider-main\main.py
1⤵
- Modifies registry class
PID:524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ng2-raider-main\main.py
2⤵
PID:4452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4908

C:\Program Files\Windows Mail\wab.exe
"C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Downloads\PushApprove.contact"
1⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Downloads\UninstallStart.shtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffccb129758,0x7ffccb129768,0x7ffccb129778
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1908,i,4149578309735601971,15142535344155050148,131072 /prefetch:2
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1908,i,4149578309735601971,15142535344155050148,131072 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,4149578309735601971,15142535344155050148,131072 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1908,i,4149578309735601971,15142535344155050148,131072 /prefetch:1
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1908,i,4149578309735601971,15142535344155050148,131072 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\b5eaa042-8aff-4531-b5ef-fec2b7f7072f.tmp
Filesize
677B

MD5
6a8364119aa2d853640ab3e70fa32439

SHA1
5c06e5aad760521a290512dc9e9bccdf164d88eb

SHA256
44f3f442839d39f403792831505f4e8fcfa30745a8dd844011f1512a96918b5c

SHA512
cecd1d405581c31d87d179d3d4c296923d3222be48854465c90e9aed39b069a0e81ae532d634915152f4d9348e486aaad593f954fe9fa1f578ccaf29cd75bfec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
303c02fa96f747a9d51d1e556b6e8903

SHA1
805b18b72e470ee91b23cba1f389ed33398190e5

SHA256
bcdd1d6d7c361d0d7e108541b25e467c0ce1bba3cc9714c496dc9c60e919b387

SHA512
1bb9547d2192f2fb83e460d4b59a8d296df38fe20daaf0a3a61bba29ce4e57630950f3088d38eeb37124a58c918465e7da2fde85165107fd81f97f22ae7baa99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
137KB

MD5
b699046120b3b5f4cb806679b65b2743

SHA1
e073f5c73d0b5c3c6f8ea53f6ce022d91e358b78

SHA256
a3dcae4a5b7c960552694cdb01b5762a088e048969aa3f947630bd7d6829a58e

SHA512
26a6935e20844bca2764ceccedf85bac5221b5d7ffa4591241464e4502175c517ad6b2ac0039e78f3eb3d9ae088c1bd14d304f9a696e9eb5eba1bdccf041e01b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
291KB

MD5
cccd60c827563e0b5a1749fe36fb739f

SHA1
ed71d1b8105e42ff3ff1badd52d60765c8d0daec

SHA256
e61d540d13ceb952c1b897f3697e85ff567ddd589920addd65e0faf56220429d

SHA512
ade4b84a17cc6676f26fdb7fce89197dcc2cf7f98fe4fb893e365777a1f367f8b16554d03be91032897bdb04e2aa1a63fc37c55b6040cddca3f7fb1f56bfa733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\crashpad_3120_PMFRPZTHHJRNUZYS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit