Analysis

  • max time kernel
    306s
  • max time network
    314s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    12-08-2021 21:11

General

  • Target

    https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/

  • Sample

    210812-vb6w76c19x

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wlrmdr.exe
    -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
    1⤵
      PID:4664
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "https://informationdeliveryshipping-8f3c3e.ingress-baronn.easywp.com/wp-users/"
        2⤵
        • Adds Run key to start application
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa0fde46f8,0x7ffa0fde4708,0x7ffa0fde4718
          3⤵
            PID:452
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
            3⤵
              PID:3896
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3968
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
              3⤵
                PID:3448
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
                3⤵
                  PID:660
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
                  3⤵
                    PID:3388
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                    3⤵
                      PID:5228
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
                      3⤵
                        PID:5244
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
                        3⤵
                          PID:5456
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5500
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
                          3⤵
                            PID:6044
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:8
                            3⤵
                              PID:2420
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:8
                              3⤵
                                PID:3208
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 /prefetch:8
                                3⤵
                                  PID:2540
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3524 /prefetch:2
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1236
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8
                                  3⤵
                                    PID:1564
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17447881192062400141,3233266150157883330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
                                    3⤵
                                      PID:1068
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                  1⤵
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of WriteProcessMemory
                                  PID:4884
                                  • C:\Windows\System32\pcaui.exe
                                    C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
                                    2⤵
                                      PID:4736
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4256
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5464
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                      1⤵
                                      • Modifies data under HKEY_USERS
                                      PID:5768
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                      1⤵
                                        PID:5804
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                        1⤵
                                        • Drops file in Windows directory
                                        • Modifies data under HKEY_USERS
                                        PID:5264
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                        1⤵
                                        • Enumerates connected drives
                                        • Writes to the Master Boot Record (MBR)
                                        PID:5508
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                        1⤵
                                          PID:5208
                                          • C:\Program Files\Windows Defender\mpcmdrun.exe
                                            "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                            2⤵
                                              PID:2184
                                          • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
                                            C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
                                            1⤵
                                            • Checks processor information in registry
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:508

                                          Network

                                          MITRE ATT&CK Matrix ATT&CK v6

                                          Persistence

                                          Registry Run Keys / Startup Folder

                                          1
                                          T1060

                                          Bootkit

                                          1
                                          T1067

                                          Defense Evasion

                                          Modify Registry

                                          2
                                          T1112

                                          Discovery

                                          Query Registry

                                          3
                                          T1012

                                          Peripheral Device Discovery

                                          1
                                          T1120

                                          System Information Discovery

                                          3
                                          T1082

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_1033533384\1d147c3b-6a51-425f-a960-c0159921df27
                                            MD5

                                            22351f8e29208582a8c4a3be256433d7

                                            SHA1

                                            f05a56b94cfaf46b1c74f815cc9b9d80784ffb7e

                                            SHA256

                                            9ab1dc1c2c03aa5b274e583dc42891bc07dcceea577ac348940e112b48fa6006

                                            SHA512

                                            e13bf84d66b5f067508f5a8fb92cbea9bde8ffa3cca9a72ef1baf30d4675807de90fb2b461ea8f5ede9e13003c9fa5f3f56213aa09e4d8a2294f1f08c110a731

                                          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_1733780998\73488d35-4a20-45e5-a813-40b10aec38a5
                                            MD5

                                            30de66cb327e7099a99792617f0d2ee2

                                            SHA1

                                            477a8b9bebd09a70483f605e5e946a41c7cc11c1

                                            SHA256

                                            2b9686f8469e6fa45d1b911dbce40dd84a569f702c6d52586503ef8aa3cbc8d1

                                            SHA512

                                            d408e1d6b045aecfd40738b8344a9393a2a4a0e14e83c74710605a4c319a8c7655130885adf92656f7c81c9cd82388db5d39caf1b5eb3d4c3c6926b5516d0e27

                                          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_186035517\320fa221-fff7-48f5-b84b-2dd6068ee237
                                            MD5

                                            3c6861d6e575eebddfbc882af631e81e

                                            SHA1

                                            801ed776129028dfc70256707252682d07ab7cb1

                                            SHA256

                                            ac709ac32c42d190b315519bfdf8b1b7cfdd136bf13ec17f66b9a119d62e6604

                                            SHA512

                                            f4c74ee2a793b437d1a263ff1dac06bfb13b7bb3b1ccdf5768f3518c1fdcb39dc45df15ba9d14cb512d1cebd991648497ecb9c1041ebc428aec62c88f6773a58

                                          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_616103542\b22f5f18-f7ea-4290-929d-b13c03908334
                                            MD5

                                            a36d70bcd9333175811c53122f7d2c1d

                                            SHA1

                                            9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c

                                            SHA256

                                            26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00

                                            SHA512

                                            e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5

                                          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_70418047\0a5f110e-e0a3-4b12-a860-a8e62e3be71f
                                            MD5

                                            43456ea826951e20c9d0694a01f1886b

                                            SHA1

                                            9c848aa393d9ea2fd63873381e3af72b7a2e03f4

                                            SHA256

                                            68715ca8cdd03437049d6d9d2ceb47584b886a7807bc9b2b483e3faa174694df

                                            SHA512

                                            1c102ac415d393754e3ab07b5ffe6ebc60ad4888072bf194d85c57da07eef58fa7ba21ee2a6a45a287540325da1a72c9de362526fc62f122c340021d80ea0d74

                                          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_5100_952835577\1d71b726-bb6c-499c-bc59-57a82a35d8d6
                                            MD5

                                            1b091fbe5d7937e50c27fc48d9a7b50e

                                            SHA1

                                            6477774d4abff26ab4944b4c627c92907817c9c9

                                            SHA256

                                            b45fc5f3479dc7b07e8e5822a11785819b7f1c249c9b47dcffcb28edbbc2d706

                                            SHA512

                                            2ee60c4408ebcec951570cdf0d6d49fd287febde607ef94128519fa2424823010e9fca080175f6f0e7e197232721def033ee82f9b4d9be9cdab6fb7e27526399

                                          • \??\pipe\LOCAL\crashpad_5100_LIVEPMFKSGVHSUMG
                                            MD5

                                            d41d8cd98f00b204e9800998ecf8427e

                                            SHA1

                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                            SHA256

                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                            SHA512

                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                          • memory/452-151-0x0000000000000000-mapping.dmp
                                          • memory/660-172-0x0000000000000000-mapping.dmp
                                          • memory/1068-245-0x0000000000000000-mapping.dmp
                                          • memory/1236-229-0x0000000000000000-mapping.dmp
                                          • memory/1564-239-0x0000000000000000-mapping.dmp
                                          • memory/2184-249-0x0000000000000000-mapping.dmp
                                          • memory/2420-213-0x0000000000000000-mapping.dmp
                                          • memory/2540-225-0x0000000000000000-mapping.dmp
                                          • memory/3112-146-0x00007FFA12800000-0x00007FFA12865000-memory.dmp
                                            Filesize

                                            404KB

                                          • memory/3208-219-0x0000000000000000-mapping.dmp
                                          • memory/3388-175-0x0000000000000000-mapping.dmp
                                          • memory/3448-167-0x0000000000000000-mapping.dmp
                                          • memory/3896-159-0x00007FFA32310000-0x00007FFA32311000-memory.dmp
                                            Filesize

                                            4KB

                                          • memory/3896-155-0x0000000000000000-mapping.dmp
                                          • memory/3968-156-0x0000000000000000-mapping.dmp
                                          • memory/4736-147-0x0000000000000000-mapping.dmp
                                          • memory/5100-148-0x0000000000000000-mapping.dmp
                                          • memory/5228-186-0x0000000000000000-mapping.dmp
                                          • memory/5244-189-0x0000000000000000-mapping.dmp
                                          • memory/5500-199-0x0000000000000000-mapping.dmp
                                          • memory/5768-236-0x0000020BB64F0000-0x0000020BB64F4000-memory.dmp
                                            Filesize

                                            16KB

                                          • memory/5768-235-0x0000020BB64F0000-0x0000020BB64F4000-memory.dmp
                                            Filesize

                                            16KB

                                          • memory/5768-204-0x0000020BB6130000-0x0000020BB6134000-memory.dmp
                                            Filesize

                                            16KB

                                          • memory/5768-203-0x0000020BB3B30000-0x0000020BB3B40000-memory.dmp
                                            Filesize

                                            64KB

                                          • memory/5768-202-0x0000020BB3AB0000-0x0000020BB3AC0000-memory.dmp
                                            Filesize

                                            64KB

                                          • memory/5768-250-0x0000020BB6450000-0x0000020BB6454000-memory.dmp
                                            Filesize

                                            16KB

                                          • memory/5768-251-0x0000020BB6430000-0x0000020BB6431000-memory.dmp
                                            Filesize

                                            4KB

                                          • memory/5768-252-0x0000020BB6160000-0x0000020BB6164000-memory.dmp
                                            Filesize

                                            16KB

                                          • memory/5768-253-0x0000020BB6150000-0x0000020BB6151000-memory.dmp
                                            Filesize

                                            4KB

                                          • memory/5768-254-0x0000020BB6150000-0x0000020BB6154000-memory.dmp
                                            Filesize

                                            16KB

                                          • memory/5768-255-0x0000020BB6030000-0x0000020BB6031000-memory.dmp
                                            Filesize

                                            4KB

                                          • memory/6044-207-0x0000000000000000-mapping.dmp