locky | 1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3

General

Target

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Size

589KB
MD5

e43244db36895d6a28850d3408d80f45
SHA1

86ef0edf0a3f2f3edf4192fdd3addedda48945c9
SHA256

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3
SHA512

d55ae92112dccbc515e4b9790bf7470304ae9fe3c50d200d31ba91ebbf1870f15978cdb622b0b51c126656865e5c947a201cffae337f058c8783a58813286004

Score

10^/10

locky persistence ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\SwitchDismount.tiff	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
File opened for modification	\??\c:\Users\Admin\Pictures\UnlockUse.tiff	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opt321 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\asasin.bmp"	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\34569ba9-507e-4eb1-ba5f-1ddca64548e9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220613014032.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1752 vssadmin.exe

pid	process
1752	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\WallpaperStyle = "0"	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\TileWallpaper = "0"	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1492	msedge.exe
1492	msedge.exe
4812	msedge.exe
4812	msedge.exe
296	identity_helper.exe
296	identity_helper.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4812 msedge.exe
4812 msedge.exe
4812 msedge.exe
4812 msedge.exe

pid	process
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeTakeOwnershipPrivilege	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeBackupPrivilege	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeRestorePrivilege	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
Token: SeBackupPrivilege	4412	vssvc.exe
Token: SeRestorePrivilege	4412	vssvc.exe
Token: SeAuditPrivilege	4412	vssvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4812 msedge.exe
4812 msedge.exe
4812 msedge.exe

pid	process
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exemsedge.exe

description	pid	process	target process
PID 2272 wrote to memory of 4812	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe	msedge.exe
PID 2272 wrote to memory of 4812	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe	msedge.exe
PID 2272 wrote to memory of 3552	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe	cmd.exe
PID 2272 wrote to memory of 3552	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe	cmd.exe
PID 2272 wrote to memory of 3552	2272	1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe	cmd.exe
PID 4812 wrote to memory of 4516	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4516	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 116	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 1492	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 1492	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4928	4812	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe
"C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\asasin.htm
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83f3646f8,0x7ff83f364708,0x7ff83f364718
3⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
3⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 /prefetch:8
3⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5052 /prefetch:8
3⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
3⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff7de5e5460,0x7ff7de5e5470,0x7ff7de5e5480
4⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
3⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
3⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
3⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
3⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3784 /prefetch:8
3⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,10841767604274535810,16221433164680158932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
3⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\1f1f7961cf583e6644eba26fb9727be8d091dc3754c9a8030c26b0b73f07e5a3.exe"
2⤵
PID:3552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Interacts with shadow copies
PID:1752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\asasin.htm
Filesize
8KB

MD5
875dc4fa9aa5cd121a04b3b3b312971e

SHA1
921b443f02d17f94153eb3dfc9564286efc26db1

SHA256
1bd896f97fb789ff852036af869725ed6a83189c3cc09a893f15dfc9f49a2e51

SHA512
1d377d3a6362eb097baca48414154699736376a41884d97bcf260785a441f001e03ee5e47d55c6ceb46f2c3e58eaf9c94e8a6401e5b4e9f5edf788c01e240181

Download Submit
\??\pipe\LOCAL\crashpad_4812_TFBHSHXGXNOLSIZO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-140-0x0000000000000000-mapping.dmp

Download
memory/296-156-0x0000000000000000-mapping.dmp

Download
memory/1072-166-0x0000000000000000-mapping.dmp

Download
memory/1384-155-0x0000000000000000-mapping.dmp

Download
memory/1492-141-0x0000000000000000-mapping.dmp

Download
memory/1804-153-0x0000000000000000-mapping.dmp

Download
memory/1928-167-0x0000000000000000-mapping.dmp

Download
memory/2272-137-0x0000000000400000-0x000000000049A720-memory.dmp

Filesize
617KB

Download
memory/2272-134-0x0000000000400000-0x000000000049A720-memory.dmp

Filesize
617KB

Download
memory/2272-132-0x0000000000400000-0x000000000049A720-memory.dmp

Filesize
617KB

Download
memory/2272-131-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2272-130-0x0000000000400000-0x000000000049A720-memory.dmp

Filesize
617KB

Download
memory/2560-160-0x0000000000000000-mapping.dmp

Download
memory/2724-154-0x0000000000000000-mapping.dmp

Download
memory/2880-158-0x0000000000000000-mapping.dmp

Download
memory/3092-148-0x0000000000000000-mapping.dmp

Download
memory/3548-162-0x0000000000000000-mapping.dmp

Download
memory/3552-136-0x0000000000000000-mapping.dmp

Download
memory/3584-164-0x0000000000000000-mapping.dmp

Download
memory/3868-151-0x0000000000000000-mapping.dmp

Download
memory/3920-169-0x0000000000000000-mapping.dmp

Download
memory/3948-146-0x0000000000000000-mapping.dmp

Download
memory/4516-138-0x0000000000000000-mapping.dmp

Download
memory/4812-135-0x0000000000000000-mapping.dmp

Download
memory/4928-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads