Overview

overview

8

Static

static

11fa6ab6bf...c8.exe

windows7-x64

8

11fa6ab6bf...c8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 23:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

  • Size

    31KB

  • MD5

    5917fd985744f864f7fc02892ced4e60

  • SHA1

    c2077be8cbf1a790bb87db9c4c4f81819c8a5a35

  • SHA256

    11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

  • SHA512

    e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828

  • SSDEEP

    384:iPX0UBPAAGNDX+Mk4964fpbB0s6Ahkzq8fWWWDE8vQWapUUpe2p8sG0:ivPoiMkJ4j0Chkr6vUVOsr

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
    "C:\Users\Admin\AppData\Local\Temp\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11FA6A~1.EXE > nul
      2⤵
        PID:4964
    • C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
      C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10050
            4⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4484
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10050
              5⤵
              • Drops file in System32 directory
              • Enumerates system info in registry
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of WriteProcessMemory
              PID:2204
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffcc99d46f8,0x7ffcc99d4708,0x7ffcc99d4718
                6⤵
                • Drops file in System32 directory
                PID:2448
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
                6⤵
                  PID:4740
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
                  6⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3968
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
                  6⤵
                  • Modifies data under HKEY_USERS
                  PID:1416
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
                  6⤵
                  • Modifies data under HKEY_USERS
                  PID:2588
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
                  6⤵
                  • Modifies data under HKEY_USERS
                  PID:2200
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
                  6⤵
                    PID:3696
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
                    6⤵
                      PID:4732
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
                      6⤵
                        PID:716
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
                        6⤵
                          PID:1428
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
                          6⤵
                            PID:620
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:364

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Credential Access

                  Discovery

                  System Information Discovery

                  2
                  T1082

                  Query Registry

                  1
                  T1012

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
                    Filesize

                    31KB

                    MD5

                    5917fd985744f864f7fc02892ced4e60

                    SHA1

                    c2077be8cbf1a790bb87db9c4c4f81819c8a5a35

                    SHA256

                    11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

                    SHA512

                    e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828

                    Download Submit
                  • C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
                    Filesize

                    31KB

                    MD5

                    5917fd985744f864f7fc02892ced4e60

                    SHA1

                    c2077be8cbf1a790bb87db9c4c4f81819c8a5a35

                    SHA256

                    11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

                    SHA512

                    e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828

                    Download Submit
                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    60cdaebe6898f7bb892f0f9d1768e198

                    SHA1

                    00a04a790888c41aedf1abe0e4bf331ba39566b7

                    SHA256

                    7e24ae9cda12a8edbd95f937b2a7c3b622657166742095f0a26a1439e7284a23

                    SHA512

                    d536d2bd429d5bd48de448aa11fb72a69662ae36f452dd0ad781da847751277f056bb0d56759b65ffc29e8bd5d1d1a59c37506e3ad32d5e665a4395a6d94e856

                    Download Submit
                  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
                    Filesize

                    20B

                    MD5

                    9e4e94633b73f4a7680240a0ffd6cd2c

                    SHA1

                    e68e02453ce22736169a56fdb59043d33668368f

                    SHA256

                    41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

                    SHA512

                    193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

                    Download Submit
                  • \??\pipe\LOCAL\crashpad_2204_TVYACUKTZWTJSFLK
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • memory/620-162-0x0000000000000000-mapping.dmp
                    Download
                  • memory/716-158-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1416-148-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1428-160-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2200-152-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2204-139-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2448-140-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2588-150-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3696-154-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3968-145-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3992-135-0x0000000000400000-0x000000000040C016-memory.dmp
                    Filesize

                    48KB

                    Download
                  • memory/4484-138-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4732-156-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4740-144-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4964-134-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5112-137-0x0000000000400000-0x000000000040C016-memory.dmp
                    Filesize

                    48KB

                    Download
                  • memory/5112-136-0x0000000000400000-0x000000000040C016-memory.dmp
                    Filesize

                    48KB

                    Download