Analysis
- max time kernel: 165s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 03-02-2022 15:26

Static task: static1
Behavioral task: behavioral1
Sample: bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
Resource: win7-en-20211208
General
- Target: bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
- Size: 373KB
- MD5: 742e33685f0b3257ac192e7b6695c8f5
- SHA1: a3043a63883165298b6c62a44a9aeb6c3d27b762
- SHA256: bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555
- SHA512: 4410f522f0c626f409ab0a919562e3dd64f66ce0c3272c89a44cf4c99fe486ab2f5c2820eb8776d34d3e4ac985f5366a682980e0cdf6f9bff15c966b7c952c19
Malware Config
Extracted
- Family: njrat
- Version: 0.7.3
- Botnet: Lime
- C2: soportesltda30.duckdns.org:4433
- Mutex: Client.exe
- Attributes:
  - reg_key: Client.exe
  - splitter: jairpicc
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1236: windows.exe
- Sets service image path in registry (2 TTPs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe: key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  - WScript.exe: key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
- Drops startup file (1 IoC)
  Processes:
  - WScript.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE
- Drops file in Windows directory (2 IoCs)
  Processes:
  - TiWorker.exe: file opened for modification C:\Windows\Logs\CBS\CBS.log
  - svchost.exe: file opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
- HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  Resource:
  - C:\Users\Admin\AppData\Local\Temp\leer.pdf: YARA rule pdf_with_link_action
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - MusNotifyIcon.exe: key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - MusNotifyIcon.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - msedge.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: WaaSMedicAgent.exe, svchost.exe
- Modifies registry class (2 IoCs)
  Processes:
  - bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe: key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings
  - msedge.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - pid 452: msedge.exe (2 entries)
  - pid 1568: msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes:
  - pid 1568: msedge.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - pid 2948 TiWorker.exe: Token: SeSecurityPrivilege
  - pid 2948 TiWorker.exe: Token: SeRestorePrivilege
  - pid 2948 TiWorker.exe: Token: SeBackupPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - pid 1568: msedge.exe (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe, msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\leer.pdf
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe094a46f8,0x7ffe094a4708,0x7ffe094a4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2400 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3224 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6108 /prefetch:6
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\win.vbs"
    Signatures: Checks computer location settings; Drops startup file
    - C:\Users\Admin\AppData\Local\Temp\windows.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\fondue.exe
        Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - C:\Windows\system32\FonDUE.EXE
          Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  Signatures: Checks processor information in registry
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 4a3899e628d9d834fc7f1a4c440ffdde NLVZI12Q3kScGIpd+L3auw.0.1.0.0.0
  Signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\leer.pdf
  MD5: 1db6b198366804e52fa1fbc3599934bf
  SHA1: 171b5758a6483ce5ccddfc3d5dc5e9d40c7aa7b1
  SHA256: 60205229cab8dce06632c2b9d61b0628186e74ff6fc7db66112d149a576ec8dc
  SHA512: 35631ecaf2124ee272f78e6382dc4b8f939ff8fe4b11f874176e44d20526b524b3540d5bf7fd2e21c81e92a69f7f31257e5f1ea1cf9f7e79ba01fd2a7f77efed
- C:\Users\Admin\AppData\Local\Temp\win.vbs
  MD5: 466373d5f9d9e8daa9052c303071080f
  SHA1: 410d62f9075cae08e6b31c5e666f67892982a6ba
  SHA256: f4056dbe3779c8e0700567ed46b782ddc7bfda547e7e63b43d2748ef60e12c12
  SHA512: de1eca6b8f17980d44ed5c4de455a78865bc117cf51b02e9e1f026096d417e6593272aa64f45fb8f2657b646608b84df25842b2a5b9b45cda4b2e55bc3e0a303
- C:\Users\Admin\AppData\Local\Temp\windows.exe
  MD5: e755d66ec3fb3877c81b6c6818ef083e
  SHA1: e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f
  SHA256: 56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad
  SHA512: f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e
- \??\pipe\LOCAL\crashpad_1568_PNXJULSRWNUSAPHP (hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/3624-350-0x00007FFE26490000-0x00007FFE26491000-memory.dmp
  Filesize: 4KB