86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 20:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
Size

1.2MB
MD5

1f597c26d7c80d9981ea823e1f39a14d
SHA1

9f5170a405b158411d1025be9012c0ca6d1b95a7
SHA256

86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692
SHA512

e07c01d30c55b4bed5ce87ac246967a45758999ce01f1a74c2f047334a434af87ce71050e29cd5b147e617bfdbec2008052a26f16e6cc332416a4bb621496dbe
SSDEEP

24576:584Fb6PHUotlxRz0rs2y62W5su0S7sBpbum:5/6PHpMA2y6L0S7sBpKm

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\safe.ico	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\34dfdfe62be49b4a931bc171db220e69.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Video.ico	expand.exe
File opened for modification	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp	expand.exe
File opened for modification	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\progra~1\ico\Beauty.ico	expand.exe
File created	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\f8a78f7658ba8642b3fc5ef941206007.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Chat.ico	expand.exe
File created	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\c87b69dd0018cf42b207a1ca04e7bf4b.tmp	expand.exe
File created	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\8b6e29d058f4ad499ee6ef41dae76b3b.tmp	expand.exe
File created	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\a66b6c085f2e6a4895ac9217847ab630.tmp	expand.exe
File opened for modification	C:\progra~1\ico\meiv.ico	expand.exe
File created	C:\progra~1\ico\649911e34e054458af2818ed46c5e6dd$dpx$.tmp\0b65aa2b91b3f94485cb0103638c60cb.tmp	expand.exe
File opened for modification	C:\progra~1\ico\Film.ico	expand.exe
File opened for modification	C:\progra~1\ico\Taobao.ico	expand.exe
File opened for modification	C:\progra~1\ico\{3EF8CA7A-CE51-4FFE-A0A2-F69F5D9CB2B8}	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
2560	msedge.exe
2560	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2720	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe	85
PID 4496 wrote to memory of 2720	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe	85
PID 4496 wrote to memory of 2720	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe	85
PID 4496 wrote to memory of 1056	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe	84
PID 4496 wrote to memory of 1056	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe	84
PID 4496 wrote to memory of 1056	4496	86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe	84
PID 2720 wrote to memory of 760	2720	cmd.exe	87
PID 2720 wrote to memory of 760	2720	cmd.exe	87
PID 2720 wrote to memory of 760	2720	cmd.exe	87
PID 4640 wrote to memory of 3616	4640	explorer.exe	89
PID 4640 wrote to memory of 3616	4640	explorer.exe	89
PID 3616 wrote to memory of 2316	3616	msedge.exe	92
PID 3616 wrote to memory of 2316	3616	msedge.exe	92
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 1116	3616	msedge.exe	96
PID 3616 wrote to memory of 2560	3616	msedge.exe	97
PID 3616 wrote to memory of 2560	3616	msedge.exe	97
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98
PID 3616 wrote to memory of 1072	3616	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe
"C:\Users\Admin\AppData\Local\Temp\86c3a5d1bd1ded33b6feea53e5312021a2215d86af3af8a95513632d68460692.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.v258.net/list/list16.html?mmm
  2⤵
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\U88qr.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\progra~1\ico"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.v258.net/list/list16.html?mmm
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9625146f8,0x7ff962514708,0x7ff962514718
    3⤵
    PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
    3⤵
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 /prefetch:8
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    3⤵
    PID:1904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,343054718642548992,17102082558278762357,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    PID:1128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\U88qr.bat

Filesize
98B

MD5
ada787702460241a372c495dc53dbdcf

SHA1
da7d65ec9541fe9ed13b3531f38202f83b0ac96d

SHA256
0d0f600f95192d2d602dbda346c4e08745295f331f5a0349deae21705367b850

SHA512
c86091735b855691c89c7946145591dec6a6a6a36a2438d392587a9cc1f2d85c1ebe44fcff1cc9d94271a24ebbc2ca38639577a6f5c592e9e10517da26572708

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
20KB

MD5
1319e9998cedc513c68fa6d590b6ad63

SHA1
ae95b333e88a13886994f320f5dfb4856168a710

SHA256
9a5b18efe243fbe9b9b0be3674a24080e9210436986988f3f85a4007905083bb

SHA512
d4052a899c6c310296e2f5fdf6c2031c22d2644be620cb34ddcc6b59789d82a6462daaeb34466c568be48ee975c4a5ab43143eab0792312a6cd0d49f9fbd8d3f

Download Submit
memory/4496-138-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4496-134-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download