ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021

General

Target

ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
Size

340KB
MD5

ca8c7e9015dbffe5d98424ae052454c5
SHA1

71160094de74fbc0eae6b031f1d1a50f2caa625d
SHA256

ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021
SHA512

55894a2c954914e25fab8fe8484831c7ba5be8524c7d131d6eac551ccd638ef3f3aa9d1700806bcfa07bb093b54bff91dd9eea9df5a68ef3db55505d9071f194
SSDEEP

6144:czG8nriOnW/rGgGg2pIxc/TQEja0iq82EhZM+u6Jbt/XBc:I1DYr9odlGa+u6VtfK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

cssrs.exe

pid process

4772 cssrs.exe

pid	process
4772	cssrs.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 9 IoCs

Processes:

ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Data.Msi\3proxy.cfg	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
File opened for modification	C:\Program Files (x86)\Data.Msi\cssrs.exe	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
File opened for modification	C:\Program Files (x86)\Data.Msi\pic.url	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
File opened for modification	C:\Program Files (x86)\Data.Msi\startup.vbe	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
File opened for modification	C:\Program Files (x86)\Data.Msi\System.exe	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d5ce3d68-f855-43d3-b3b8-975205140987.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221123090943.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Data.Msi\alg.vbe	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
File opened for modification	C:\Program Files (x86)\Data.Msi\DiskDoctor.lnk	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.execa8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1912	msedge.exe
1912	msedge.exe
940	msedge.exe
940	msedge.exe
2720	identity_helper.exe
2720	identity_helper.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

940 msedge.exe
940 msedge.exe
940 msedge.exe
940 msedge.exe
940 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

940 msedge.exe
940 msedge.exe
940 msedge.exe

pid	process
940	msedge.exe
940	msedge.exe
940	msedge.exe
940	msedge.exe
940	msedge.exe

pid	process
940	msedge.exe
940	msedge.exe
940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exeWScript.exeWScript.exemsedge.exe

description	pid	process	target process
PID 1852 wrote to memory of 1000	1852	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe	WScript.exe
PID 1852 wrote to memory of 1000	1852	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe	WScript.exe
PID 1852 wrote to memory of 1000	1852	ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe	WScript.exe
PID 1000 wrote to memory of 3608	1000	WScript.exe	WScript.exe
PID 1000 wrote to memory of 3608	1000	WScript.exe	WScript.exe
PID 1000 wrote to memory of 3608	1000	WScript.exe	WScript.exe
PID 3608 wrote to memory of 4772	3608	WScript.exe	cssrs.exe
PID 3608 wrote to memory of 4772	3608	WScript.exe	cssrs.exe
PID 3608 wrote to memory of 4772	3608	WScript.exe	cssrs.exe
PID 1000 wrote to memory of 940	1000	WScript.exe	msedge.exe
PID 1000 wrote to memory of 940	1000	WScript.exe	msedge.exe
PID 940 wrote to memory of 4680	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4680	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1708	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1912	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 1912	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe
PID 940 wrote to memory of 4936	940	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe
"C:\Users\Admin\AppData\Local\Temp\ca8534b91743b42ef3e1ebe6e2ad3bc97a34d13a8d5e6759af3bade465396021.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Data.Msi\startup.vbe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Data.Msi\alg.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files (x86)\Data.Msi\cssrs.exe
"C:\Program Files (x86)\Data.Msi\cssrs.exe"
4⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://s886.photobucket.com/albums/ac61/R1carbon/?albumview=slideshow
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8353346f8,0x7ff835334708,0x7ff835334718
4⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2504 /prefetch:2
4⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8
4⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
4⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
4⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8
4⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
4⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5672 /prefetch:8
4⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
4⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
4⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
4⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff76d545460,0x7ff76d545470,0x7ff76d545480
5⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:8
4⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1128 /prefetch:8
4⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
4⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:8
4⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9970057182730631050,18310932602950403031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:8
4⤵
PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Data.Msi\3proxy.cfg

Filesize
139B

MD5
c4c25bde1ba85f5bc17fc4e2bac6bf78

SHA1
58f23e746fd7b664eeceaf6f87a88f8c5a7a71b7

SHA256
bfad4e1baca0889fe1793b2df40d6b75d10a3b0cb54fed9f850b63da8ac23f19

SHA512
06420521fdad35a275c6bfc3a6935815565f16d89021bf162d78e07b1fc3f092c08bec270d96098a1901bcaac418aaa0c6ffeded99fa8af2695fdfad620cb55f

Download Submit
C:\Program Files (x86)\Data.Msi\DiskDoctor.lnk

Filesize
549B

MD5
62b6f07ff4542911588b2b2da1f3a330

SHA1
1ac03191de119df59fd2f4d057a4f02f6534b4da

SHA256
b057e868a69ffdcca51993ff44f7378f2b98c9e580b69927bc9e30a9ddd54453

SHA512
37b1ad9c62854cf99ecdbbe6c29a4098566bd50a80738e176c5f24a3bacc660b757df5e125fedf1b18390aea52cc378bd0b47c409b20b39e5b048048207dac22

Download Submit
C:\Program Files (x86)\Data.Msi\alg.vbe

Filesize
1KB

MD5
b9cb5f6aed0ff561400e2fb82bd27eb5

SHA1
1b49f6709d90f4c96468bb192662576e2aa50b8a

SHA256
027dc8cffe78bae9947b3de6ce00f1ceb74c5eef43e3b1aa673347ccc34c2586

SHA512
5c19268f42ff8eca1c140c44172d99f211ffe4b772d0f2184ca9e3378aa2a957d8dc04bce80a38658c79206c4f6e1685423252d7c99669d35644ee236d6bd6b3

Download Submit
C:\Program Files (x86)\Data.Msi\cssrs.exe

Filesize
147KB

MD5
dc2f24966a06d009b4f47c061f52c2aa

SHA1
86c3f13bd90a8eab8c0a055403fb9abc37e27770

SHA256
921875f29efded5f4ee9ab9b4274ba9a5130f8bd7186af0d1f5b0dc11557309c

SHA512
2cbf7122f33f140a118f825b5a0966fd8b5e3d4a41f29a654e4ca2a18706079136eaaa53a90ea5af003b1714656de6699ec33d9ef160ffceae9e5772b6db1bfb

Download Submit
C:\Program Files (x86)\Data.Msi\cssrs.exe

Filesize
147KB

MD5
dc2f24966a06d009b4f47c061f52c2aa

SHA1
86c3f13bd90a8eab8c0a055403fb9abc37e27770

SHA256
921875f29efded5f4ee9ab9b4274ba9a5130f8bd7186af0d1f5b0dc11557309c

SHA512
2cbf7122f33f140a118f825b5a0966fd8b5e3d4a41f29a654e4ca2a18706079136eaaa53a90ea5af003b1714656de6699ec33d9ef160ffceae9e5772b6db1bfb

Download Submit
C:\Program Files (x86)\Data.Msi\pic.url

Filesize
231B

MD5
eb7a6757088969c85c202d99659216fb

SHA1
6fc569ef336cc177d37c863182072a8e463367e3

SHA256
578ede7bfdaee4b0959d0ffd8755cd40b3e94f9ce968c0562bd584c1be09bdf6

SHA512
34a6c9699dd6c17d54a4074a3318e558f144b2ee97d19129d1800f3bba60f96a8254d1db4a8d8275a8c44bd282a7f4f62bf167de4129188e3bbd9f9e3061f904

Download Submit
C:\Program Files (x86)\Data.Msi\startup.vbe

Filesize
122B

MD5
02d2050d1162bd9476964d3f3b99da19

SHA1
f0766493d8a78d27601d69c910602cea65076176

SHA256
b58de4ffcc1e3e14ced36ebbad17cf36169ae0c0c412baa86b7af40d8d2351f3

SHA512
704675cb74a74dff12b250769f037ef0aa8e98a9f76da7fdd6f1b9ced471049f0ede39097121d632d1855a7087a93a77d1af1de354c7b7a0fbb07827b233064d

Download Submit
\??\pipe\LOCAL\crashpad_940_YWSKQFAKBRMPRCCP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-174-0x0000000000000000-mapping.dmp

Download
memory/548-172-0x0000000000000000-mapping.dmp

Download
memory/940-142-0x0000000000000000-mapping.dmp

Download
memory/1000-132-0x0000000000000000-mapping.dmp

Download
memory/1008-157-0x0000000000000000-mapping.dmp

Download
memory/1064-163-0x0000000000000000-mapping.dmp

Download
memory/1296-175-0x0000000000000000-mapping.dmp

Download
memory/1380-177-0x0000000000000000-mapping.dmp

Download
memory/1468-164-0x0000000000000000-mapping.dmp

Download
memory/1708-145-0x0000000000000000-mapping.dmp

Download
memory/1912-146-0x0000000000000000-mapping.dmp

Download
memory/2384-168-0x0000000000000000-mapping.dmp

Download
memory/2720-166-0x0000000000000000-mapping.dmp

Download
memory/3048-155-0x0000000000000000-mapping.dmp

Download
memory/3284-159-0x0000000000000000-mapping.dmp

Download
memory/3608-135-0x0000000000000000-mapping.dmp

Download
memory/3808-170-0x0000000000000000-mapping.dmp

Download
memory/4340-153-0x0000000000000000-mapping.dmp

Download
memory/4620-151-0x0000000000000000-mapping.dmp

Download
memory/4664-165-0x0000000000000000-mapping.dmp

Download
memory/4680-143-0x0000000000000000-mapping.dmp

Download
memory/4772-138-0x0000000000000000-mapping.dmp

Download
memory/4848-161-0x0000000000000000-mapping.dmp

Download
memory/4936-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads