be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde

Analysis

max time kernel
150s
max time network
138s
platform
windows10_x64
resource
win10v20201028
submitted
24-12-2020 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
Size

425KB
MD5

c486aedae4bb88c1bd5064f12df7e188
SHA1

9880e8a0655cf1d0dad855703b85e1bb9bd4db82
SHA256

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde
SHA512

fbcccfbc92782740ad542038b2ae3b0d6926d87deeaed6f25dbcf1db4bc00a36af1fe8e74a642fd6a40ee625199b210fad119afbc2a5b7c87c96f603343b2f16

Score

8^/10

ransomware spyware

Malware Config

Signatures

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressSave.png => C:\Users\Admin\Pictures\CompressSave.png.CAC50BD47EACE43CB9DA623777DCBDAC2E6691EDCD76CBA906AFF09CFD76CA63	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SendRestore.tiff	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SearchReceive.crw => C:\Users\Admin\Pictures\SearchReceive.crw.508D4748D062D497A726992B604EFFBA02C31E286C550040F066E549FF80970F	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DisableMeasure.tif => C:\Users\Admin\Pictures\DisableMeasure.tif.495911A7F4B28344546CCC51412333AACCA184ABF361BEBA81EDDAD908474466	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SendRestore.tiff => C:\Users\Admin\Pictures\SendRestore.tiff.C4E66D53995D42C72B7F3A1538F6B06F20EF277A47E099896C473EDEE6F73A28	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Drops startup file 1 IoCs

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 27 IoCs

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File opened (read-only)	\??\O:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\P:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\K:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\L:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Z:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\B:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\W:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\R:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\E:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\N:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\I:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\G:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\H:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\M:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\T:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\U:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\S:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\F:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\J:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\X:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\V:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Q:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Y:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors MicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 268 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{A60E8211-BA71-45F5-9659-3F18384194F7}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesVersion = "6"	MicrosoftEdge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3992 MicrosoftEdgeCP.exe
3992 MicrosoftEdgeCP.exe

pid	process
3992	MicrosoftEdgeCP.exe
3992	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

vssvc.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeBackupPrivilege	2224	vssvc.exe
Token: SeRestorePrivilege	2224	vssvc.exe
Token: SeAuditPrivilege	2224	vssvc.exe
Token: SeDebugPrivilege	1740	MicrosoftEdge.exe
Token: SeDebugPrivilege	1740	MicrosoftEdge.exe
Token: SeDebugPrivilege	1740	MicrosoftEdge.exe
Token: SeDebugPrivilege	1740	MicrosoftEdge.exe
Token: SeDebugPrivilege	2440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3816	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3816	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1740 MicrosoftEdge.exe
3992 MicrosoftEdgeCP.exe
3992 MicrosoftEdgeCP.exe

pid	process
1740	MicrosoftEdge.exe
3992	MicrosoftEdgeCP.exe
3992	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

MicrosoftEdgeCP.exe

description	pid	process	target process
PID 3992 wrote to memory of 2440	3992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3992 wrote to memory of 2440	3992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3992 wrote to memory of 2440	3992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3992 wrote to memory of 2440	3992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3992 wrote to memory of 2440	3992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3992 wrote to memory of 2440	3992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
PID:500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\YOUR_FILES_ARE_ENCRYPTED.HTML

MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\YOUR_FILES_ARE_ENCRYPTED.HTML

MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\YOUR_FILES_ARE_ENCRYPTED.HTML

MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML

MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit