wannacry | 283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

Resubmissions

13/02/2022, 15:34 UTC

220213-sz5ftsbch7 10

13/02/2022, 15:31 UTC

220213-syb3wsbcg4 10

13/02/2022, 15:17 UTC

220213-sn7rtadbaq 10

Analysis

max time kernel
166s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
13/02/2022, 15:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Endermanch@WannaCrypt0r.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 4 IoCs

pid	Process
660	taskdl.exe
2144	taskdl.exe
760	taskdl.exe
3500	taskdl.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1188	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
628	chrome.exe
628	chrome.exe
1224	chrome.exe
1224	chrome.exe
3908	chrome.exe
3908	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe
2980	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2420	1220	Endermanch@WannaCrypt0r.exe	61
PID 1220 wrote to memory of 2420	1220	Endermanch@WannaCrypt0r.exe	61
PID 1220 wrote to memory of 2420	1220	Endermanch@WannaCrypt0r.exe	61
PID 1220 wrote to memory of 1188	1220	Endermanch@WannaCrypt0r.exe	63
PID 1220 wrote to memory of 1188	1220	Endermanch@WannaCrypt0r.exe	63
PID 1220 wrote to memory of 1188	1220	Endermanch@WannaCrypt0r.exe	63
PID 1220 wrote to memory of 660	1220	Endermanch@WannaCrypt0r.exe	67
PID 1220 wrote to memory of 660	1220	Endermanch@WannaCrypt0r.exe	67
PID 1220 wrote to memory of 660	1220	Endermanch@WannaCrypt0r.exe	67
PID 1220 wrote to memory of 2316	1220	Endermanch@WannaCrypt0r.exe	68
PID 1220 wrote to memory of 2316	1220	Endermanch@WannaCrypt0r.exe	68
PID 1220 wrote to memory of 2316	1220	Endermanch@WannaCrypt0r.exe	68
PID 2316 wrote to memory of 1120	2316	cmd.exe	71
PID 2316 wrote to memory of 1120	2316	cmd.exe	71
PID 2316 wrote to memory of 1120	2316	cmd.exe	71
PID 2980 wrote to memory of 864	2980	chrome.exe	73
PID 2980 wrote to memory of 864	2980	chrome.exe	73
PID 1220 wrote to memory of 2144	1220	Endermanch@WannaCrypt0r.exe	76
PID 1220 wrote to memory of 2144	1220	Endermanch@WannaCrypt0r.exe	76
PID 1220 wrote to memory of 2144	1220	Endermanch@WannaCrypt0r.exe	76
PID 1428 wrote to memory of 3724	1428	chrome.exe	78
PID 1428 wrote to memory of 3724	1428	chrome.exe	78
PID 3016 wrote to memory of 372	3016	chrome.exe	81
PID 3016 wrote to memory of 372	3016	chrome.exe	81
PID 1220 wrote to memory of 760	1220	Endermanch@WannaCrypt0r.exe	82
PID 1220 wrote to memory of 760	1220	Endermanch@WannaCrypt0r.exe	82
PID 1220 wrote to memory of 760	1220	Endermanch@WannaCrypt0r.exe	82
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87
PID 2980 wrote to memory of 3720	2980	chrome.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2420	attrib.exe

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2768

C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@WannaCrypt0r.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2420
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 286281644769963.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:1120
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe435b4f50,0x7ffe435b4f60,0x7ffe435b4f70
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,14364782139186522990,5917603968391526008,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,14364782139186522990,5917603968391526008,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,14364782139186522990,5917603968391526008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14364782139186522990,5917603968391526008,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,14364782139186522990,5917603968391526008,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,14364782139186522990,5917603968391526008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe435b4f50,0x7ffe435b4f60,0x7ffe435b4f70
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1720,18030504528405036982,12775874388489121762,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,18030504528405036982,12775874388489121762,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe435b4f50,0x7ffe435b4f60,0x7ffe435b4f70
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1708,1506975779705565083,9020489910136587516,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,1506975779705565083,9020489910136587516,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224

Network

DNS

api.msn.com

Remote address:

8.8.8.8:53

Request

api.msn.com

IN A

Response

api.msn.com

IN CNAME

api-msn-com.a-0003.a-msedge.net

api-msn-com.a-0003.a-msedge.net

IN CNAME

a-0003.a-msedge.net

a-0003.a-msedge.net

IN A

204.79.197.203
DNS

dns.google

chrome.exe

Remote address:

8.8.8.8:53

Request

dns.google

IN A

Response

dns.google

IN A

8.8.8.8

dns.google

IN A

8.8.4.4
DNS

clientservices.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clientservices.googleapis.com

IN A

Response

clientservices.googleapis.com

IN A

142.251.39.99
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.179.206
DNS

accounts.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.173
GET

http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx

chrome.exe

Remote address:

34.104.35.123:80

Request

GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx HTTP/1.1
Host: edgedl.me.gvt1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

accept-ranges: bytes
content-disposition: attachment
content-length: 248531
content-security-policy: default-src 'none'
content-type: application/x-chrome-extension
etag: "83cafb"
last-modified: Fri, 29 Jan 2021 00:09:35 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Sun, 13 Feb 2022 10:31:03 GMT
age: 18220
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000
x-request-id: 2aaf10a5-5ee6-46a4-99d4-b94db0a0d228
cache-control: public,max-age=86400
GET

https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_6.pb

chrome.exe

Remote address:

142.250.179.131:443

Request

GET /safebrowsing/csd/client_model_v5_variation_6.pb HTTP/2.0
host: ssl.gstatic.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

93.184.220.29:80

260 B
5
204.79.197.203:443

api.msn.com

tls

3.9kB
44.1kB
52
50
8.8.8.8:443

dns.google

tls, https

chrome.exe

2.5kB
9.2kB
21
24
8.8.8.8:443

dns.google

tls, https

chrome.exe

2.8kB
10.1kB
24
30
8.8.8.8:443

dns.google

tls, https

chrome.exe

943 B
5.8kB
8
8
8.8.8.8:443

dns.google

tls

chrome.exe

839 B
5.1kB
7
7
8.8.8.8:443

dns.google

tls

chrome.exe

839 B
5.1kB
7
7
8.8.8.8:443

dns.google

tls, https

chrome.exe

943 B
5.8kB
8
8
8.8.8.8:443

dns.google

tls

chrome.exe

839 B
5.1kB
7
7
8.8.8.8:443

dns.google

tls

chrome.exe

839 B
5.1kB
7
7
8.8.8.8:443

dns.google

tls, https

chrome.exe

943 B
5.8kB
8
8
8.8.8.8:443

dns.google

tls, https

chrome.exe

943 B
5.8kB
8
8
142.250.179.173:443

accounts.google.com

tls, https

chrome.exe

1.7kB
6.9kB
13
15
142.250.179.206:443

clients2.google.com

tls, https

chrome.exe

1.9kB
9.6kB
13
15
8.8.8.8:443

dns.google

tls, https

chrome.exe

943 B
5.8kB
8
8
8.8.8.8:443

dns.google

tls, https

chrome.exe

943 B
5.8kB
8
8
34.104.35.123:80

http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx

http

chrome.exe

4.5kB
256.1kB
90
176

HTTP Request

GET http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx

HTTP Response

200
172.217.168.193:443

clients2.googleusercontent.com

tls, https

chrome.exe

14.8kB
849.7kB
298
585
142.250.179.131:443

https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_6.pb

tls, http2

chrome.exe

3.3kB
91.8kB
51
69

HTTP Request

GET https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_6.pb

8.8.8.8:53

api.msn.com

dns

57 B
132 B
1
1

DNS Request

api.msn.com

DNS Response

204.79.197.203
8.8.8.8:53

dns.google

dns

chrome.exe

56 B
88 B
1
1

DNS Request

dns.google

DNS Response

8.8.8.8

8.8.4.4
224.0.0.251:5353

1.1kB
18
8.8.8.8:53

dns.google

dns

chrome.exe

75 B
91 B
1
1

DNS Request

clientservices.googleapis.com

DNS Response

142.251.39.99
8.8.8.8:53

dns.google

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.179.206
8.8.8.8:53

dns.google

dns

chrome.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.173
8.8.8.8:443

dns.google

https

chrome.exe

3.5kB
7.1kB
8
8

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-166-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.