redline | 261923e2c95ef441a2f1f8e62572b57ed774b249db4d7a24ea06690e68fe381f

Resubmissions

14-07-2021 13:01

210714-w4kvm4debj 10

13-07-2021 10:45

210713-9ptm893yfs 10

Analysis

max time kernel
150s
max time network
156s
platform
windows10_x64
resource
win10v20210408
submitted
14-07-2021 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.EXE
Size

1.3MB
MD5

eadac911eb5d946a0dbb7ac77887abfc
SHA1

0d20d32fc2bcf8663af5a140179e95364ac48543
SHA256

261923e2c95ef441a2f1f8e62572b57ed774b249db4d7a24ea06690e68fe381f
SHA512

40648c500c7659f9213e8687f8b2bc1c61970dfb2b7a4444588c93d2a858c388f1975fc5045054047b6b75357d14f6c86dcfe128fc0615efd748eee61f646f81

Score

10^/10

redline build1 crypted infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

Build1

45.142.213.135:30058

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3132-125-0x0000000000417E9A-mapping.dmp	family_redline
behavioral2/memory/3132-124-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

malware_crypter 2 IoCs

malware_crypter.

crypted

Processes:

resource	yara_rule
behavioral2/memory/3132-125-0x0000000000417E9A-mapping.dmp	malwarecrypter
behavioral2/memory/3132-124-0x0000000000400000-0x000000000041E000-memory.dmp	malwarecrypter

Executes dropped EXE 3 IoCs

Processes:

TELEGR~1.EXETELEGR~1.EXEInstall1.exe

pid process

1864 TELEGR~1.EXE
3132 TELEGR~1.EXE
1956 Install1.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
1864	TELEGR~1.EXE
3132	TELEGR~1.EXE
1956	Install1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Install.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Install.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Install.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

TELEGR~1.EXE

description pid process target process

PID 1864 set thread context of 3132 1864 TELEGR~1.EXE TELEGR~1.EXE
Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1864 set thread context of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "t1pui1f"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 34a05bd6c178d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 706f7ecfc178d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000000c09cb0d9eb350e062bec7e911777a9194bd8a3811a690698bb8ca216b1d699d2f1b286bf19c2f785da48f073ce984a96b067131ffebfef0a587a19320d02c1caba274b389267591b7a5722ba70410240d54567b522291adab83b43bb7fb5983a6befe7052f2134d3fe42baf49694fb4e8c614af0bea80bca2ccef0add40af2a2c9014153f9ebce706802bd0b1b6f0a0b07ee2b9b3e26110c3826500a23eb7967536fca429cb04b3f598648f2f8d6b944b9ba76f1eac0bb481c54a5ee995bfc68bd163b5a2193b21214e42ece78cf8f9013d4b7145e7ff1f97b51bb7a4e54923358251b7f528bddedcc0be3dac54b7ec49849f5fab32ad97c272a5c27dce02f34c676895df98befd2610dddb2586b7b5a08f0f61692f7ba1e51cc20612f07d5ebaa16d9f6e0af12ec95c26d1dac0dadbf5804ef6887c9784b3d300512eebef07e35087c5121c290e45c65cf940a4b3bf0376b51cf7bb7ae0a8b7ea00465f8e320295732a186fdd7cf36c2df2f2d063cd4d9196c52e8b294890e891196fecf37a1f8eb8f60aa3ca08257082db8ce51437f2f0ce99fd8b89fd83f7cd55690b5d679b3d2dab943c	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{B2A32B45-64C1-46D3-815A-D509864271FB}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 218618c1c178d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3268 MicrosoftEdgeCP.exe

pid	process
3268	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeTELEGR~1.EXEMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3116	MicrosoftEdge.exe
Token: SeDebugPrivilege	3116	MicrosoftEdge.exe
Token: SeDebugPrivilege	3116	MicrosoftEdge.exe
Token: SeDebugPrivilege	3116	MicrosoftEdge.exe
Token: SeDebugPrivilege	3132	TELEGR~1.EXE
Token: SeDebugPrivilege	3976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4360	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4360	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3116 MicrosoftEdge.exe
3268 MicrosoftEdgeCP.exe
3268 MicrosoftEdgeCP.exe

pid	process
3116	MicrosoftEdge.exe
3268	MicrosoftEdgeCP.exe
3268	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Install.EXETELEGR~1.EXEInstall1.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 620 wrote to memory of 1864	620	Install.EXE	TELEGR~1.EXE
PID 620 wrote to memory of 1864	620	Install.EXE	TELEGR~1.EXE
PID 620 wrote to memory of 1864	620	Install.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 1864 wrote to memory of 3132	1864	TELEGR~1.EXE	TELEGR~1.EXE
PID 620 wrote to memory of 1956	620	Install.EXE	Install1.exe
PID 620 wrote to memory of 1956	620	Install.EXE	Install1.exe
PID 620 wrote to memory of 1956	620	Install.EXE	Install1.exe
PID 1956 wrote to memory of 2188	1956	Install1.exe	cmd.exe
PID 1956 wrote to memory of 2188	1956	Install1.exe	cmd.exe
PID 1956 wrote to memory of 2188	1956	Install1.exe	cmd.exe
PID 3268 wrote to memory of 3976	3268	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3268 wrote to memory of 3976	3268	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3268 wrote to memory of 3976	3268	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3268 wrote to memory of 3976	3268	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\Install.EXE
"C:\Users\Admin\AppData\Local\Temp\Install.EXE"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSD641.tmp\Install.cmd" "
3⤵
- Checks computer location settings
PID:2188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TELEGR~1.EXE.log
MD5
7438b57da35c10c478469635b79e33e1

SHA1
5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5

SHA256
b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70

SHA512
5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD641.tmp\Install.cmd
MD5
010c7779e83876c22f45f754962d0685

SHA1
3dc920d75918c952aa23ef94db66a1bafd514665

SHA256
3746731d0dec1f85576eb810f06dcfc763624ef13a306ec5dcd1b5ed00e3beb9

SHA512
2f5e06598ce7ea29cdedfd5e8306ab2a7e916a36a1430bf4fcb5a28fd2d73fd8a6aafcc1bcde6c28a7e3d09227761e2004b0e23f7e8a67b434f3ddc4ad9d6cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
MD5
dc8a248e89370a0aa5f00b0724146b64

SHA1
49f639b4182eac5afbb245d1c30d37bb86e8251c

SHA256
207a10eb249d3c413f441a8b53080ecb8e0cb08acaf5df56b9bf274c0cc5f5f9

SHA512
a4c89ff18885ed67777e2e4e8760e2312bf4a9d722cae63bf9ffa56d0953e42c401f92cd9ba2f0443537d435b5814e6097f0cda23b88388f811fa512c88dfe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install1.exe
MD5
dc8a248e89370a0aa5f00b0724146b64

SHA1
49f639b4182eac5afbb245d1c30d37bb86e8251c

SHA256
207a10eb249d3c413f441a8b53080ecb8e0cb08acaf5df56b9bf274c0cc5f5f9

SHA512
a4c89ff18885ed67777e2e4e8760e2312bf4a9d722cae63bf9ffa56d0953e42c401f92cd9ba2f0443537d435b5814e6097f0cda23b88388f811fa512c88dfe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
MD5
54db9520f3db0b612c492cd14b689b98

SHA1
cacba09c6883605d3918626c4a92cc4cb846bcda

SHA256
8b013095eac15ef06fd67f6c2f101dfe14c04a33a10d63e278ee5d506c862910

SHA512
3cf6bd666d66ac95ed4b601ac0990839edac41f12786b8201778930daf42a72d53768c0eabaf84357e5741e10b9e4bbd0a219773e31791df863e7d8a3a7d584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
MD5
54db9520f3db0b612c492cd14b689b98

SHA1
cacba09c6883605d3918626c4a92cc4cb846bcda

SHA256
8b013095eac15ef06fd67f6c2f101dfe14c04a33a10d63e278ee5d506c862910

SHA512
3cf6bd666d66ac95ed4b601ac0990839edac41f12786b8201778930daf42a72d53768c0eabaf84357e5741e10b9e4bbd0a219773e31791df863e7d8a3a7d584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TELEGR~1.EXE
MD5
54db9520f3db0b612c492cd14b689b98

SHA1
cacba09c6883605d3918626c4a92cc4cb846bcda

SHA256
8b013095eac15ef06fd67f6c2f101dfe14c04a33a10d63e278ee5d506c862910

SHA512
3cf6bd666d66ac95ed4b601ac0990839edac41f12786b8201778930daf42a72d53768c0eabaf84357e5741e10b9e4bbd0a219773e31791df863e7d8a3a7d584e

Download Submit
memory/1864-122-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/1864-123-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1864-119-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1864-116-0x0000000000000000-mapping.dmp

Download
memory/1864-121-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1956-132-0x0000000000000000-mapping.dmp

Download
memory/2188-139-0x0000000000000000-mapping.dmp

Download
memory/3132-131-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/3132-130-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3132-135-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3132-136-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3132-137-0x0000000004C80000-0x0000000005286000-memory.dmp

Filesize
6.0MB

Download
memory/3132-138-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3132-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3132-125-0x0000000000417E9A-mapping.dmp

Download