Analysis
- max time kernel: 177s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 31-01-2022 23:50
Static task: static1
Behavioral task: behavioral1
- Sample: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
- Resource: win10v2004-en-20220113
General
- Target: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
- Size: 4.2MB
- MD5: 80cfda61942eb4e71f286297a1158f48
- SHA1: 6c9ae388fa5d723a458de0d2bea3eb63bc921af7
- SHA256: 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
- SHA512: 5e02f22c9c367d2111d4b1a6000691286da04c52aae9fd7b716b0911e31256aa679ac227d24443bfd75450b1dd7f9c20eae0593d1fc42324b9281852e20fcbe7
Malware Config
- Extracted: C:\NEFILIM-DECRYPT.txt
Signatures
- Nefilim
  Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
- Nefilim Ransomware Executable (2 IoCs)
  File contains patterns typical of Nefilim samples.
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE | nefilim_ransomware
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE | nefilim_ransomware
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    1008 | inj.exe
    3304 | inj.exe
    1660 | COVID-~1.EXE
- Sets service image path in registry (2 TTPs)
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    3304 | inj.exe
    3304 | inj.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
- Drops file in Windows directory (6 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
- Detects Pyinstaller (3 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe | pyinstaller
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe | pyinstaller
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe | pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies data under HKEY_USERS (41 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    3124 | msedge.exe
    3124 | msedge.exe
    1664 | msedge.exe
    1664 | msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes (pid | process):
    1664 | msedge.exe (same entry repeated 7 times)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 3212 | svchost.exe
    Token: SeCreatePagefilePrivilege | 3212 | svchost.exe
    (this pair of entries is repeated 3 times, 6 entries in total)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process):
    1664 | msedge.exe (same entry repeated 3 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), identical entries collapsed with their count:
    PID 2360 wrote to memory of 1008 | 2360 | 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe | inj.exe (3 entries)
    PID 1008 wrote to memory of 3304 | 1008 | inj.exe | inj.exe (3 entries)
    PID 3304 wrote to memory of 1664 | 3304 | inj.exe | msedge.exe (2 entries)
    PID 1664 wrote to memory of 484 | 1664 | msedge.exe | msedge.exe (2 entries)
    PID 2360 wrote to memory of 1660 | 2360 | 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe | COVID-~1.EXE (3 entries)
    PID 1664 wrote to memory of 2984 | 1664 | msedge.exe | msedge.exe (40 entries)
    PID 1664 wrote to memory of 3124 | 1664 | msedge.exe | msedge.exe (2 entries)
    PID 1664 wrote to memory of 1632 | 1664 | msedge.exe | msedge.exe (9 entries)
Processes (process tree; nesting shows the parent/child level)
- [level 1] C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  PID: 2360
  - [level 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID: 1008
    - [level 3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inj.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 3304
      - [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://199.204.251.210/
        Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        PID: 1664
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x15c,0x16c,0x7ffc092946f8,0x7ffc09294708,0x7ffc09294718
          PID: 484
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
          PID: 2984
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
          PID: 3124
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
          PID: 1632
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
          PID: 2348
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
          PID: 3640
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
          PID: 2920
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
          PID: 1344
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
          PID: 2020
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
          PID: 2240
        - [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2214803876266273437,17949018507073604185,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1140 /prefetch:1
          PID: 4360
  - [level 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COVID-~1.EXE
    Signatures: Executes dropped EXE
    PID: 1660
- [level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3716
- [level 1] C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 4e5bb866f8ab62f39f54434a9760186f v4TlscNIC0O0khsjZD893A.0.1.0.0.0
  Signatures: Modifies data under HKEY_USERS
  PID: 3604
- [level 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  PID: 3212
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 95a2dd9a94b803df1579d58bbba31b0e
  SHA1: 5275c4ab060ce190938b37f6d6ef3c12a70615b4
  SHA256: 5104b8abb22cca1b078dd5b86e61f515a73404b0269fe7e6765ec818fbdf830b
  SHA512: 2355ce69b7026c67b312e870d9ee4c3290ca54295af6ec6ee4ebec04ec4ec25306cefde3c23bc7b6dbf0d8c9dc1b5eaa3fa81efdcccbe9b4e755929138fe9bf5
- MD5: 95a2dd9a94b803df1579d58bbba31b0e
  SHA1: 5275c4ab060ce190938b37f6d6ef3c12a70615b4
  SHA256: 5104b8abb22cca1b078dd5b86e61f515a73404b0269fe7e6765ec818fbdf830b
  SHA512: 2355ce69b7026c67b312e870d9ee4c3290ca54295af6ec6ee4ebec04ec4ec25306cefde3c23bc7b6dbf0d8c9dc1b5eaa3fa81efdcccbe9b4e755929138fe9bf5
- MD5: 705d469e78736d4d6a17feb14f03c38d
  SHA1: 1a86ab9c377eb3bd99107a567defb100482aab90
  SHA256: 0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656
  SHA512: 64d6ffbc961cf45cbe82d62b820633033e2a5e447f8b874afdea84020f42c14f344d3979e934ee8c05b9aecca18692f231b9b7ea3fe5e09d50ae8508925bc41f
- MD5: 705d469e78736d4d6a17feb14f03c38d
  SHA1: 1a86ab9c377eb3bd99107a567defb100482aab90
  SHA256: 0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656
  SHA512: 64d6ffbc961cf45cbe82d62b820633033e2a5e447f8b874afdea84020f42c14f344d3979e934ee8c05b9aecca18692f231b9b7ea3fe5e09d50ae8508925bc41f
- MD5: 705d469e78736d4d6a17feb14f03c38d
  SHA1: 1a86ab9c377eb3bd99107a567defb100482aab90
  SHA256: 0fe4a809110e2633e9b74d624b7bf4333a0e954ef899d17610badbbde0c4f656
  SHA512: 64d6ffbc961cf45cbe82d62b820633033e2a5e447f8b874afdea84020f42c14f344d3979e934ee8c05b9aecca18692f231b9b7ea3fe5e09d50ae8508925bc41f
- MD5: 6ae4a18b7591824366b0b41f24d52d45
  SHA1: e22e8abf69c8676b68fe42d9f26c2bd5f731af39
  SHA256: f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a
  SHA512: f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c
- MD5: 891c51c1e0e4f0fb2ea96f4b8920c90a
  SHA1: 4951908c955eea848fb8227eda9b50713fa6e6de
  SHA256: 80db6cf6b0d75694c9f584090f3e616df7c0a71aa45418b6078ddfb65682cc18
  SHA512: e7495718898ada51fbbdbbc9c2eb352e07842e330984f0cc6c099244c69ff15c3be331096ff4ff9d2c3a7f235daabdd5611e98fa6bfdd1258494985fae61189c
- MD5: 9bd072fdd178efc44276b53fbcdc17d6
  SHA1: 24b7f989b19308ec91bbdd099f7fd6bd3add97eb
  SHA256: b5ed923a52fa1bf7f524008f3b393077807cd32ea45aca392065cd8cae0171d6
  SHA512: 69f91f83bbd0cef7785029a881278977740ffe26fdc03e19fe8b67a284ff77363d9ae451cf45675447fb01484b4790f0b369867558e10265c5d3c22d42e4efeb
- MD5: 9bd072fdd178efc44276b53fbcdc17d6
  SHA1: 24b7f989b19308ec91bbdd099f7fd6bd3add97eb
  SHA256: b5ed923a52fa1bf7f524008f3b393077807cd32ea45aca392065cd8cae0171d6
  SHA512: 69f91f83bbd0cef7785029a881278977740ffe26fdc03e19fe8b67a284ff77363d9ae451cf45675447fb01484b4790f0b369867558e10265c5d3c22d42e4efeb
- MD5: 6ae4a18b7591824366b0b41f24d52d45
  SHA1: e22e8abf69c8676b68fe42d9f26c2bd5f731af39
  SHA256: f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a
  SHA512: f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e