da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94

General

Target:    da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94
Filesize:  N/A
Completed: 21-01-2020 07:37
Score:     6/10
SHA256:    da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94

Signatures 11

  • Drops autorun.inf file
    Process: da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe

    TTPs: Replication Through Removable Media

    Reported IOCs

    description                  | ioc            | process
    File created                 | C:\autorun.inf | da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
    File opened for modification | C:\autorun.inf | da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
  • Checks whether UAC is enabled
    Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe

    TTPs: System Information Discovery

    Reported IOCs

    description       | ioc                                                                                  | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftEdge.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftEdgeCP.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftEdgeCP.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftEdgeCP.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftEdgeCP.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MicrosoftEdgeCP.exe
  • Modifies registry class
    Processes: MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe
  • Suspicious use of AdjustPrivilegeToken
    Processes: da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    description              | pid  | process
    Token: SeDebugPrivilege  | 4988 | da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
    Token: SeDebugPrivilege  | 4684 | MicrosoftEdge.exe
    Token: SeDebugPrivilege  | 4256 | MicrosoftEdgeCP.exe
    Token: SeDebugPrivilege  | 772  | MicrosoftEdgeCP.exe
  • Suspicious use of SetWindowsHookEx
    Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe

    Reported IOCs

    pid  | process
    4684 | MicrosoftEdge.exe
    4160 | MicrosoftEdgeCP.exe
  • Suspicious use of WriteProcessMemory
    Process: MicrosoftEdgeCP.exe

    Reported IOCs

    description                     | pid  | process             | target process
    PID 4160 wrote to memory of 4256 | 4160 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
  • Modifies Internet Explorer settings
    Processes: MicrosoftEdgeCP.exe, MicrosoftEdge.exe, browser_broker.exe

    TTPs: Modify Registry

    Reported IOCs

    description | ioc                                                                             | process
    Key created | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
    Key created | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
    Key created | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
  • Modifies control panel
    Processes: da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe, MicrosoftEdge.exe

    Reported IOCs

    description     | ioc                                                                                               | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\WallpaperStyle = "2" | da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\TileWallpaper = "0"  | da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
    Key created     | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Colors                      | MicrosoftEdge.exe
  • Suspicious behavior: MapViewOfSection
    Process: MicrosoftEdgeCP.exe

    Reported IOCs

    pid  | process
    4160 | MicrosoftEdgeCP.exe
  • Sets desktop wallpaper using registry
    Process: da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe

    TTPs: Defacement, Modify Registry

    Reported IOCs

    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cyborg_DECRYPT.jpg" | da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
  • Drops file in Windows directory
    Process: MicrosoftEdge.exe

    Reported IOCs

    description                  | ioc                      | process
    File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe
    "C:\Users\Admin\AppData\Local\Temp\da989874b3610efe92f46f67d6a83b5f81f2ac1c90fb1133adc27b0b29c96b94.exe"
    Drops autorun.inf file
    Suspicious use of AdjustPrivilegeToken
    Modifies control panel
    Sets desktop wallpaper using registry
    PID:4988
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    Checks whether UAC is enabled
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Modifies Internet Explorer settings
    Modifies control panel
    Drops file in Windows directory
    PID:4684
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    Modifies Internet Explorer settings
    PID:4776
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Checks whether UAC is enabled
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    Suspicious behavior: MapViewOfSection
    PID:4160
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Checks whether UAC is enabled
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Modifies Internet Explorer settings
    PID:4256
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Checks whether UAC is enabled
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    PID:772
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Checks whether UAC is enabled
    Modifies registry class
    PID:372
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    Checks whether UAC is enabled
    Modifies registry class
    PID:1008
Network

Downloads
  • memory/4988-0-0x000000000A3B0000-0x000000000A3B2000-memory.dmp