11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
Size

31KB
MD5

5917fd985744f864f7fc02892ced4e60
SHA1

c2077be8cbf1a790bb87db9c4c4f81819c8a5a35
SHA256

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8
SHA512

e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828
SSDEEP

384:iPX0UBPAAGNDX+Mk4964fpbB0s6Ahkzq8fWWWDE8vQWapUUpe2p8sG0:ivPoiMkJ4j0Chkr6vUVOsr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5112	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_0	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\data_1	msedge.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\f843e9d7-8ea2-4ade-8f36-cd52233fd641.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000001.dbtmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\cache	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\warnStateCache	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1	msedge.exe
File created	C:\Windows\SysWOW64\mssvc32.dll	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\0804ae49-961e-4be1-bd61-2447bc6fcb1c.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\b1372ba6-5899-4d9f-a094-4d1ff54010ce.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Reporting and NEL-journal	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\favicon[2].ico	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\0804ae49-961e-4be1-bd61-2447bc6fcb1c.tmp	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Web Data-journal	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\6ca46fb2-73af-48dd-a917-0cb8d968b96f.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Web Data	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\177d8b5c-f11d-4991-9eac-7aa414ead016.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\MANIFEST-000001	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\First Run	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\download_cache	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_2	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\known_providers_download_v1[1].xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\73e79b96-a76d-49ca-8f8e-fe6d8c32aa38.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\History	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000001	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\6199c34c-9a1a-4cfb-a8be-8a3354acf372.tmp	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0	msedge.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1	msedge.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\ncbjelpjchkpbikbpkcchkhkblodoama = "03850342D1150CA2C82C1EAA4F4CB3F07BDE636D4C0078F8A9620915175A8B82"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ie_to_edge_stub.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\pinned_tabs = "6305E4FEACA8A6018F841B7E1A0B0522888748AC45F3C34C58BE6D09669D6EB6"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	msedge.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\fikbjbembnmfhppjfnmfkahdhfohhjmg = "4997C62ED8E8AD5E7F60B39B976C0F11D00B20E5E558893835ADAFFF7B433A56"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenEnabled\ = "1"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenPuaEnabled\ = "0"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e6070b000400180004000f000100420101000000644ea2ef78b0d01189e400c04fc9e26e	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Flags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ie_to_edge_stub.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\mhjfbmdgcfjbbpaeojofohoefgiehjai = "C10D411DC26AC5BD4D1F1BD18A09E7C36421CBA09E5F7B4EE4C19DCB23DC9B6F"	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "30998531"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@ieframe.dll,-12512 = "Bing"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e6070b000400180004000e003300510100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
5112	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
5112	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
3968	msedge.exe
3968	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1756	iexplore.exe
1756	iexplore.exe
1756	iexplore.exe
1756	iexplore.exe
1756	iexplore.exe
1756	iexplore.exe
1756	iexplore.exe
1756	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1756	iexplore.exe
1756	iexplore.exe
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4964	3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	84
PID 3992 wrote to memory of 4964	3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	84
PID 3992 wrote to memory of 4964	3992	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	84
PID 5112 wrote to memory of 1756	5112	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	85
PID 5112 wrote to memory of 1756	5112	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	85
PID 5112 wrote to memory of 1756	5112	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	85
PID 1756 wrote to memory of 1828	1756	iexplore.exe	89
PID 1756 wrote to memory of 1828	1756	iexplore.exe	89
PID 1756 wrote to memory of 1828	1756	iexplore.exe	89
PID 1828 wrote to memory of 4484	1828	IEXPLORE.EXE	90
PID 1828 wrote to memory of 4484	1828	IEXPLORE.EXE	90
PID 4484 wrote to memory of 2204	4484	ie_to_edge_stub.exe	91
PID 4484 wrote to memory of 2204	4484	ie_to_edge_stub.exe	91
PID 2204 wrote to memory of 2448	2204	msedge.exe	92
PID 2204 wrote to memory of 2448	2204	msedge.exe	92
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 4740	2204	msedge.exe	96
PID 2204 wrote to memory of 3968	2204	msedge.exe	97
PID 2204 wrote to memory of 3968	2204	msedge.exe	97
PID 2204 wrote to memory of 1416	2204	msedge.exe	98
PID 2204 wrote to memory of 1416	2204	msedge.exe	98
PID 2204 wrote to memory of 1416	2204	msedge.exe	98
PID 2204 wrote to memory of 1416	2204	msedge.exe	98
PID 2204 wrote to memory of 1416	2204	msedge.exe	98
PID 2204 wrote to memory of 1416	2204	msedge.exe	98
PID 2204 wrote to memory of 1416	2204	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
"C:\Users\Admin\AppData\Local\Temp\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11FA6A~1.EXE > nul
  2⤵
  PID:4964

C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10050
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=10050
        5⤵
        Drops file in System32 directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffcc99d46f8,0x7ffcc99d4708,0x7ffcc99d4718
        6⤵
        Drops file in System32 directory
        
        PID:2448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        6⤵
        
        PID:4740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
        6⤵
        
        PID:3696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
        6⤵
        
        PID:4732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
        6⤵
        
        PID:716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
        6⤵
        
        PID:1428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7132062355662252177,45596774790238297,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        6⤵
        
        PID:620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Filesize
31KB

MD5
5917fd985744f864f7fc02892ced4e60

SHA1
c2077be8cbf1a790bb87db9c4c4f81819c8a5a35

SHA256
11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

SHA512
e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828

Download Submit
C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Filesize
31KB

MD5
5917fd985744f864f7fc02892ced4e60

SHA1
c2077be8cbf1a790bb87db9c4c4f81819c8a5a35

SHA256
11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

SHA512
e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60cdaebe6898f7bb892f0f9d1768e198

SHA1
00a04a790888c41aedf1abe0e4bf331ba39566b7

SHA256
7e24ae9cda12a8edbd95f937b2a7c3b622657166742095f0a26a1439e7284a23

SHA512
d536d2bd429d5bd48de448aa11fb72a69662ae36f452dd0ad781da847751277f056bb0d56759b65ffc29e8bd5d1d1a59c37506e3ad32d5e665a4395a6d94e856

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
memory/3992-135-0x0000000000400000-0x000000000040C016-memory.dmp

Filesize
48KB

Download
memory/5112-137-0x0000000000400000-0x000000000040C016-memory.dmp

Filesize
48KB

Download
memory/5112-136-0x0000000000400000-0x000000000040C016-memory.dmp

Filesize
48KB

Download