Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-es
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 05-10-2022 23:33
Static task: static1
Behavioral task: behavioral1
Sample: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Resource: win7-20220812-es
General
Target: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Size: 8.9MB
MD5: 705385c167486ac75a5063f6934c5631
SHA1: d08da29cca536b6b502cec7ca2f5c9cb419308e2
SHA256: 558af040bcfa1aaf774e953cca682eaaf38ec8c4f3ca4f3e24e0ea8a783ca1df
SHA512: 67249411406d7a6f41a97a6e40facd364fb6777c2833465aacdc6081fde3854109c9a308f5dc6f03c6fd940cc2d291be7ce9b13c6dc5a45dc810d091e98d88af
SSDEEP: 98304:7soxgg0Y8w5AUY52JgpVOEjrZGNw9J2/8w1MlpYRO1izoaRIS9NhICGucHATgwY0:p8Aohi8Y/+y
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: maraddiego763.duckdns.org:1881
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe\"" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Modifies Windows Defender Real-time Protection settings
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Turns off Windows Defender SpyNet reporting (2 TTPs)

Windows security bypass
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Async RAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/2968-150-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Drops startup file (2 IoCs)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Windows security modification
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe, msedge.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Desconocido> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
pid | process
5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe (15 identical entries)
Suspicious use of SetThreadContext (1 IoC)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
description | pid | process | target process
PID 5068 set thread context of 2968 | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | installutil.exe
Drops file in Program Files directory (2 IoCs)
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7c2ea0fb-6e43-4fd4-be4f-1c437de97024.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221006013459.pma | setup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
1460 | 5068 | WerFault.exe | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoC)
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: powershell.exe (4), APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe, msedge.exe (2), identity_helper.exe, taskmgr.exe
pid | process
3640 | powershell.exe (2 entries)
2560 | powershell.exe (2 entries)
3708 | powershell.exe (2 entries)
3508 | powershell.exe (2 entries)
5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe (3 entries)
4412 | msedge.exe (2 entries)
2052 | msedge.exe (2 entries)
5724 | identity_helper.exe (2 entries)
3348 | taskmgr.exe (11 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: msedge.exe
pid | process
2052 | msedge.exe (6 identical entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe, powershell.exe (4), AUDIODG.EXE, taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Token: SeDebugPrivilege | 3640 | powershell.exe
Token: SeDebugPrivilege | 2560 | powershell.exe
Token: SeDebugPrivilege | 3708 | powershell.exe
Token: SeDebugPrivilege | 3508 | powershell.exe
Token: 33 | 3764 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3764 | AUDIODG.EXE
Token: SeDebugPrivilege | 3348 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3348 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3348 | taskmgr.exe
Token: 33 | 3348 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3348 | taskmgr.exe
Suspicious use of FindShellTrayWindow (41 IoCs)
Processes: msedge.exe, taskmgr.exe
pid | process
2052 | msedge.exe (4 entries)
3348 | taskmgr.exe (37 entries)
Suspicious use of SendNotifyMessage (37 IoCs)
Processes: taskmgr.exe
pid | process
3348 | taskmgr.exe (37 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe, msedge.exe
description | pid | process | target process
PID 5068 wrote to memory of 2560 | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | powershell.exe (3 entries)
PID 5068 wrote to memory of 3640 | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | powershell.exe (3 entries)
PID 5068 wrote to memory of 3708 | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | powershell.exe (3 entries)
PID 5068 wrote to memory of 3508 | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | powershell.exe (3 entries)
PID 5068 wrote to memory of 2968 | 5068 | APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe | installutil.exe (8 entries)
PID 2052 wrote to memory of 1056 | 2052 | msedge.exe | msedge.exe (2 entries)
PID 2052 wrote to memory of 4364 | 2052 | msedge.exe | msedge.exe (40 entries)
PID 2052 wrote to memory of 4412 | 2052 | msedge.exe | msedge.exe (2 entries)
Processes (indented by tree depth; each entry is the image path, its command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe"
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2288
  - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5068 -ip 5068
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dadmon%2Bgob%26form%3DWNSGPH%26qs%3DAS%26cvid%3D889ad7d7cb8e4f878772cac3d5ddc0d0%26pq%3DADMON%26cc%3DES%26setlang%3Des-ES%26nclid%3D03E26D907E30E8998728BC8DB27F263E%26ts%3D1665020088004%26nclidts%3D1665020088%26tsms%3D004
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaed546f8,0x7fffaed54708,0x7fffaed54718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=3984 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff61f075460,0x7ff61f075470,0x7ff61f075480

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4660580629757659769,17390810551154737859,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x4b4 0x514
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /7
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: 974b547b9c47178dc159643052902fb2
SHA1: eb5ecd8b69670078c5913788a474baa4faec0677
SHA256: 22c310f931ed2b5bac6074ed0952bec99d509e06f82cfd61e4e392d62c0a8af7
SHA512: b54175cd8bedc288b3cc26c7c8f450f9355f53a8453ff9a9934f8c120473004c803a5fef5c41baeafe97b487ffa0bc4f23a931b39370a6652fc342d71fa7d34d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: f647b50690df702d7a7e4cd6974f2581
SHA1: 9324c7c29804e7305bdb72c9e673d909fe976e5a
SHA256: 1a3219f130da2b5f13c9d470f99a6682cbf8155e62ad21cd7eafe7d0b16a72a2
SHA512: 01c5545adc2177bd5607d86fa9b4fdded9e9bb58c9395b94a99e88f6228d8bf025af132e52b75585e93d476d7cb075cc5ecb83675c1bed9361d29a3e1e1320fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 18KB
MD5: de95639651c7fbfc9af1fa26162e42cf
SHA1: f13217d915626621329f8d12308e2d974394b0dc
SHA256: 7e78d7a383f3a2abf059ad29d77f8c62e732125408a61a5516b39c4251d65181
SHA512: 66c3f6cdc72c0adde58634cb2f0b16d168a7f9ffebf964bb3d078a156b0f991319a3af6a35e2fa38b7b6ba50ca6f25a41a7b53a8902e06a7ffecdbe48cf0b5fd

\??\pipe\LOCAL\crashpad_2052_HRQRJZUUXEKVVZGU
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e