Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 31-05-2022 07:20
Static task: static1
Behavioral task: behavioral1
  Sample: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Resource: win10v2004-20220414-en
General
- Target: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
- Size: 600KB
- MD5: fd18bebdfc7ee86b2dc299ff3b53bb30
- SHA1: 7cc63d85fabe99c64f94c6c8089575f566519fc1
- SHA256: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4
- SHA512: 80e94663bd49603f5bda543343f61a22a2c7949cde139fac52480ae7f057417542981d93d95c23266f1ff38fbe60c03bfe8c3c7fae81a195155fa5cfe15b22b6
Malware Config
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\asasin.bmp" | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e1ae9214-46c3-440a-bdac-adf6e319115b.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220531094044.pma | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3924 | vssadmin.exe
- Modifies Control Panel (2 IoCs)
  Processes: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\WallpaperStyle = "0" | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\TileWallpaper = "0" | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
- Modifies registry class (1 IoC)
  Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe
  pid | process
  4236 | msedge.exe
  4236 | msedge.exe
  1664 | msedge.exe
  1664 | msedge.exe
  116 | identity_helper.exe
  116 | identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes: msedge.exe
  pid | process
  1664 | msedge.exe
  1664 | msedge.exe
  1664 | msedge.exe
  1664 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 4168 | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Token: SeTakeOwnershipPrivilege | 4168 | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Token: SeBackupPrivilege | 4168 | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Token: SeRestorePrivilege | 4168 | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Token: SeBackupPrivilege | 204 | vssvc.exe
  Token: SeRestorePrivilege | 204 | vssvc.exe
  Token: SeAuditPrivilege | 204 | vssvc.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msedge.exe
  pid | process
  1664 | msedge.exe
  1664 | msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe, msedge.exe
  Distinct entries (the report records each of these pairs repeatedly, 64 entries in total):
  description | pid | process | target process
  PID 4168 wrote to memory of 1664 | 4168 | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe | msedge.exe
  PID 4168 wrote to memory of 3284 | 4168 | 0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe | cmd.exe
  PID 1664 wrote to memory of 2876 | 1664 | msedge.exe | msedge.exe
  PID 1664 wrote to memory of 2580 | 1664 | msedge.exe | msedge.exe
  PID 1664 wrote to memory of 4236 | 1664 | msedge.exe | msedge.exe
  PID 1664 wrote to memory of 3776 | 1664 | msedge.exe | msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe"
  Signatures: Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\asasin.htm
    Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffeac9a46f8,0x7ffeac9a4708,0x7ffeac9a4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5364 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff79ca75460,0x7ff79ca75470,0x7ff79ca75480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,4541148710623949995,5776229108405017001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\0610dae1ee563513ec9bab3ae13b0eb2ee509a791f79b6b8bbf91fd46aaca2c4.exe"
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssadmin.exe
  Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
  Signatures: Interacts with shadow copies
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\asasin.htm
  Filesize: 8KB
  MD5: c260fc7acf866708f90707c70df0ce1f
  SHA1: cb45655688a25e55b7e6e97f4a35223edcb06fa6
  SHA256: e8c5c0e333860fc83f3afef039988771fe85cbd9350f6a5cb9cb29a283b659c3
  SHA512: 425ab6c29fcb6579d40add778226e909413c3d1adf9df140692ef80939498cc53e9eff65db3ba04fa6978ae09aa579d361274356de7c5ba2b51dfc58a75c137e
- \??\pipe\LOCAL\crashpad_1664_JWYNJQYFEGMZEOHP
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/116-158-0x0000000000000000-mapping.dmp
- memory/272-156-0x0000000000000000-mapping.dmp
- memory/428-144-0x0000000000000000-mapping.dmp
- memory/1664-133-0x0000000000000000-mapping.dmp
- memory/2580-138-0x0000000000000000-mapping.dmp
- memory/2876-135-0x0000000000000000-mapping.dmp
- memory/3284-134-0x0000000000000000-mapping.dmp
- memory/3384-151-0x0000000000000000-mapping.dmp
- memory/3776-141-0x0000000000000000-mapping.dmp
- memory/3788-146-0x0000000000000000-mapping.dmp
- memory/4120-149-0x0000000000000000-mapping.dmp
- memory/4168-130-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/4168-136-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/4168-131-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/4168-132-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/4236-139-0x0000000000000000-mapping.dmp
- memory/4240-157-0x0000000000000000-mapping.dmp
- memory/4380-155-0x0000000000000000-mapping.dmp
- memory/4412-153-0x0000000000000000-mapping.dmp