hxxps://www[.]dropbox[.]com/s/v74d5j0q01fe6uk/File[.]zip?dl=0

General

Target

https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD9E4BD2-3585-11ED-A0EE-EAB2B6EB986A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

3600 msedge.exe
3600 msedge.exe
3980 msedge.exe
3980 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3980 msedge.exe
3980 msedge.exe

pid	process
3600	msedge.exe
3600	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

iexplore.exemsedge.exe

pid	process
448	iexplore.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

448 iexplore.exe
448 iexplore.exe
1448 IEXPLORE.EXE
1448 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exemsedge.exe

description	pid	process	target process
PID 448 wrote to memory of 1448	448	iexplore.exe	IEXPLORE.EXE
PID 448 wrote to memory of 1448	448	iexplore.exe	IEXPLORE.EXE
PID 448 wrote to memory of 1448	448	iexplore.exe	IEXPLORE.EXE
PID 3980 wrote to memory of 4532	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 4532	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2284	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 3600	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 3600	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe
PID 3980 wrote to memory of 2056	3980	msedge.exe	msedge.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.dropbox.com/s/v74d5j0q01fe6uk/File.zip?dl=0
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:448 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd4fb546f8,0x7ffd4fb54708,0x7ffd4fb54718
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
2⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
2⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
2⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,3413641320749799929,16458042424171669002,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 /prefetch:8
2⤵
PID:5356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
c10a8a488174f5ce89ae284595fd1f45

SHA1
579e1bfa4fdc7387568530a99e758d387e18547c

SHA256
a1f8f3d77bc8653995ae2950c21abb8a666066e3b9ecdd1db70ec3115962ccdf

SHA512
7dff855735a69e39c1ef4429e03e99b5cc14c57d18de695c4e5db83d4e1335e81628d0fa10ca98aaf5a77ac1378ae6a2f0c9a0b30370c464f557003360a75897

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
10c6fe493f64dacd362cdc325ef82c9a

SHA1
df3fdb5030fbe9ad33085becab026e70e17dbc97

SHA256
07102ea10a81c9ce7e9ad7823574f9b09da8acd6e474b33be03df061895b2ec1

SHA512
f45d52320225c6eb59c64c75f03e39aebaf124a30c15e0d617e9bed7bcb2cc76a5dfaee48035fcbe770f0c3704ed11e7345d11173abd8f8659466778157fa47f

Download Submit
\??\pipe\LOCAL\crashpad_3980_IHMZSVTPFIJOAFBJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1680-144-0x0000000000000000-mapping.dmp

Download
memory/2056-138-0x0000000000000000-mapping.dmp

Download
memory/2284-134-0x0000000000000000-mapping.dmp

Download
memory/3600-135-0x0000000000000000-mapping.dmp

Download
memory/3652-142-0x0000000000000000-mapping.dmp

Download
memory/4532-132-0x0000000000000000-mapping.dmp

Download
memory/4636-140-0x0000000000000000-mapping.dmp

Download
memory/5356-148-0x0000000000000000-mapping.dmp

Download

pid	process
448	iexplore.exe
448	iexplore.exe
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads