Analysis
- max time kernel: 152s
- max time network: 163s
- platform: windows11_x64
- resource: win11
- submitted: 01-12-2021 00:09
- Static task static1
- URLScan task urlscan1
- Behavioral task behavioral1: Sample https://nawa-store.com/shopinside, Resource win7-ja-20211104
- Behavioral task behavioral2: Sample https://nawa-store.com/shopinside, Resource win7-en-20211014
- Behavioral task behavioral3: Sample https://nawa-store.com/shopinside, Resource win7-de-20211104
- Behavioral task behavioral4: Sample https://nawa-store.com/shopinside, Resource win11
- Behavioral task behavioral5: Sample https://nawa-store.com/shopinside, Resource win10-ja-20211014
- Behavioral task behavioral6: Sample https://nawa-store.com/shopinside, Resource win10-en-20211104
- Behavioral task behavioral7: Sample https://nawa-store.com/shopinside, Resource win10-de-20211014
General
- Target: https://nawa-store.com/shopinside
Malware Config
Signatures
- Sets service image path in registry (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: msedge.exe
  - Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
- Drops file in Windows directory (6 IoCs)
  Processes: svchost.exe
  - File opened for modification C:\Windows\WindowsUpdate.log (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  - File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  - Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies Internet Explorer settings
  Processes: iexplore.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: WaaSMedicAgent.exe, svchost.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
  - pid 4284 msedge.exe
  - pid 4284 msedge.exe
  - pid 1956 msedge.exe
  - pid 1956 msedge.exe
  - pid 2280 identity_helper.exe
  - pid 2280 identity_helper.exe
  - pid 1120 msedge.exe
  - pid 1120 msedge.exe
  - pid 1120 msedge.exe
  - pid 1120 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  Processes: msedge.exe
  - pid 1956 msedge.exe
  - pid 1956 msedge.exe
  - pid 1956 msedge.exe
  - pid 1956 msedge.exe
  - pid 1956 msedge.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes: svchost.exe, WaaSMedicAgent.exe
  - Token: SeShutdownPrivilege, pid 3800 svchost.exe
  - Token: SeCreatePagefilePrivilege, pid 3800 svchost.exe
  - Token: SeShutdownPrivilege, pid 3800 svchost.exe
  - Token: SeCreatePagefilePrivilege, pid 3800 svchost.exe
  - Token: SeShutdownPrivilege, pid 3800 svchost.exe
  - Token: SeCreatePagefilePrivilege, pid 3800 svchost.exe
  - Token: SeShutdownPrivilege, pid 1312 svchost.exe
  - Token: SeCreatePagefilePrivilege, pid 1312 svchost.exe
  - Token: SeTcbPrivilege, pid 3564 svchost.exe
  - Token: SeTcbPrivilege, pid 3564 svchost.exe
  - Token: SeTcbPrivilege, pid 3564 svchost.exe
  - Token: SeTcbPrivilege, pid 3564 svchost.exe
  - Token: SeTcbPrivilege, pid 3564 svchost.exe
  - Token: SeTcbPrivilege, pid 3564 svchost.exe
  - Token: SeTakeOwnershipPrivilege, pid 2200 WaaSMedicAgent.exe
  - Token: SeSecurityPrivilege, pid 2200 WaaSMedicAgent.exe
  - Token: SeRestorePrivilege, pid 2200 WaaSMedicAgent.exe
  - Token: SeBackupPrivilege, pid 2200 WaaSMedicAgent.exe
  - Token: SeShutdownPrivilege, pid 3800 svchost.exe
  - Token: SeCreatePagefilePrivilege, pid 3800 svchost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msedge.exe
  - pid 1956 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: iexplore.exe, msedge.exe
Processes (indentation shows depth in the process tree)

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://nawa-store.com/shopinside
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "https://nawa-store.com/shopinside"
    - Adds Run key to start application
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8654d46f8,0x7ff8654d4708,0x7ff8654d4718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5084 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,12815486066799773494,1955067551118312958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe e9d050a1f7d8024fdf62fa1efa6528d7 0p/mLyR8qEmxJSanPHh0Cg.0.1.0.3.0
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
    Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe e9d050a1f7d8024fdf62fa1efa6528d7 0p/mLyR8qEmxJSanPHh0Cg.0.1.0.3.0
  - Modifies data under HKEY_USERS
Downloads
- \??\pipe\LOCAL\crashpad_1956_NKMINZJLJZPDEBNI
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These four values are the digests of empty input, so the captured pipe artifact contains zero bytes.)