njrat | bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555

General

Target

bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
Size

373KB
MD5

742e33685f0b3257ac192e7b6695c8f5
SHA1

a3043a63883165298b6c62a44a9aeb6c3d27b762
SHA256

bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555
SHA512

4410f522f0c626f409ab0a919562e3dd64f66ce0c3272c89a44cf4c99fe486ab2f5c2820eb8776d34d3e4ac985f5366a682980e0cdf6f9bff15c966b7c952c19

Score

10^/10

njrat lime link pdf persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

soportesltda30.duckdns.org:4433

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
jairpicc

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

windows.exe

pid process

1236 windows.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1236	windows.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE	WScript.exe

Drops file in Windows directory 2 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\leer.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.488692"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132885527791656672"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4052"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3860"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe

Modifies registry class 2 IoCs

Processes:

bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

452 msedge.exe
452 msedge.exe
1568 msedge.exe
1568 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1568 msedge.exe
1568 msedge.exe
1568 msedge.exe
1568 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TiWorker.exe

description pid process

Token: SeSecurityPrivilege 2948 TiWorker.exe
Token: SeRestorePrivilege 2948 TiWorker.exe
Token: SeBackupPrivilege 2948 TiWorker.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1568 msedge.exe
1568 msedge.exe

pid	process
452	msedge.exe
452	msedge.exe
1568	msedge.exe
1568	msedge.exe

pid	process
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

description	pid	process
Token: SeSecurityPrivilege	2948	TiWorker.exe
Token: SeRestorePrivilege	2948	TiWorker.exe
Token: SeBackupPrivilege	2948	TiWorker.exe

pid	process
1568	msedge.exe
1568	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exemsedge.exe

description	pid	process	target process
PID 1888 wrote to memory of 1568	1888	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe	msedge.exe
PID 1888 wrote to memory of 1568	1888	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe	msedge.exe
PID 1568 wrote to memory of 2492	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 2492	1568	msedge.exe	msedge.exe
PID 1888 wrote to memory of 3888	1888	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe	WScript.exe
PID 1888 wrote to memory of 3888	1888	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe	WScript.exe
PID 1888 wrote to memory of 3888	1888	bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe	WScript.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3000	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 452	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 452	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3624	1568	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe
"C:\Users\Admin\AppData\Local\Temp\bd46f270801c9d49f3075005afeec82600948c8d9794e70baad67050f2ace555.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\leer.pdf
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe094a46f8,0x7ffe094a4708,0x7ffe094a4718
3⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2400 /prefetch:2
3⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3224 /prefetch:8
3⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
3⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
3⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 /prefetch:8
3⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
3⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6108 /prefetch:6
3⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5044677525230708782,7861012605312764774,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
3⤵
PID:3560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\win.vbs"
2⤵
- Checks computer location settings
- Drops startup file
PID:3888

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
3⤵
- Executes dropped EXE
PID:1236

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:3496

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:1748

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2136

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4a3899e628d9d834fc7f1a4c440ffdde NLVZI12Q3kScGIpd+L3auw.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\leer.pdf
MD5
1db6b198366804e52fa1fbc3599934bf

SHA1
171b5758a6483ce5ccddfc3d5dc5e9d40c7aa7b1

SHA256
60205229cab8dce06632c2b9d61b0628186e74ff6fc7db66112d149a576ec8dc

SHA512
35631ecaf2124ee272f78e6382dc4b8f939ff8fe4b11f874176e44d20526b524b3540d5bf7fd2e21c81e92a69f7f31257e5f1ea1cf9f7e79ba01fd2a7f77efed

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.vbs
MD5
466373d5f9d9e8daa9052c303071080f

SHA1
410d62f9075cae08e6b31c5e666f67892982a6ba

SHA256
f4056dbe3779c8e0700567ed46b782ddc7bfda547e7e63b43d2748ef60e12c12

SHA512
de1eca6b8f17980d44ed5c4de455a78865bc117cf51b02e9e1f026096d417e6593272aa64f45fb8f2657b646608b84df25842b2a5b9b45cda4b2e55bc3e0a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
\??\pipe\LOCAL\crashpad_1568_PNXJULSRWNUSAPHP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3624-350-0x00007FFE26490000-0x00007FFE26491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads