Analysis
-
max time kernel
152s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
26-11-2022 08:38
General
-
Target
48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe
-
Size
259KB
-
MD5
a20d46664d06744d2515d69eeff57508
-
SHA1
7c1dd71389b6661c36f7c0d64531d03c4e71fc29
-
SHA256
48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d
-
SHA512
60bf71e7b80e447e2a9197ff365805d8e5e257b3f4f3787b6fb9940a9d40f710d5880f1910689d5f8cbe79cbbb1f4478afc6aa3eb134b61b3b741c4ab1e268cf
-
SSDEEP
1536:ltPixznncp3vKONOI0Z/IY9Vt1jFmyBoI9uAnBSGFeXA9jJbZjwSrSMLDhKOzxf2:bPixnncpSONDyRTkwQAbOCzNx/TtOLf
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe"C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe":ZONE.identifier & exit2⤵
- NTFS ADS
-
C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe"C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://steamcommunity-a.akamaihd.net/economy/image/fWFc82js0fmoRAP-qOIPu5THSWqfSmTELLqcUywGkijVjZYMUrsm1j-9xgEObwgfEh_nvjlWhNzZCveCDfIBj98xqodQ2CZknz5wOuqzNQhlZxDWBLJYUOwF9QnTDyY27fhvXdC-44QKKE644ZyUMuF-NY4eHJWEWv6Hbgys6E0-g6JZfZONqCK-3ivtaDwJDRHp-j0MhqbZ7VLOXRkn/360fx360f3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x40,0x104,0x7ff9c90046f8,0x7ff9c9004708,0x7ff9c90047184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff686155460,0x7ff686155470,0x7ff6861554805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3172 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,16035087034878773523,17340781957866630390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 /prefetch:84⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exe.logFilesize
400B
MD50a9b4592cd49c3c21f6767c2dabda92f
SHA1f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA5126b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307
-
C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exeFilesize
259KB
MD5a20d46664d06744d2515d69eeff57508
SHA17c1dd71389b6661c36f7c0d64531d03c4e71fc29
SHA25648d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d
SHA51260bf71e7b80e447e2a9197ff365805d8e5e257b3f4f3787b6fb9940a9d40f710d5880f1910689d5f8cbe79cbbb1f4478afc6aa3eb134b61b3b741c4ab1e268cf
-
C:\Users\Admin\AppData\Local\Temp\48d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d.exeFilesize
259KB
MD5a20d46664d06744d2515d69eeff57508
SHA17c1dd71389b6661c36f7c0d64531d03c4e71fc29
SHA25648d192ac7197e3fcb1aa8d6b46a0cab2d41343e1630a190d4ca433b4eecddd3d
SHA51260bf71e7b80e447e2a9197ff365805d8e5e257b3f4f3787b6fb9940a9d40f710d5880f1910689d5f8cbe79cbbb1f4478afc6aa3eb134b61b3b741c4ab1e268cf
-
\??\pipe\LOCAL\crashpad_3920_HRKJUJAXQAYBOHTPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/780-157-0x0000000000000000-mapping.dmp
-
memory/996-139-0x0000000074FD0000-0x0000000075581000-memory.dmpFilesize
5.7MB
-
memory/996-132-0x0000000074FD0000-0x0000000075581000-memory.dmpFilesize
5.7MB
-
memory/1044-170-0x0000000000000000-mapping.dmp
-
memory/1184-142-0x0000000000000000-mapping.dmp
-
memory/1536-173-0x0000000000000000-mapping.dmp
-
memory/2428-165-0x0000000000000000-mapping.dmp
-
memory/2732-153-0x0000000000000000-mapping.dmp
-
memory/2876-146-0x0000000000000000-mapping.dmp
-
memory/2956-161-0x0000000000000000-mapping.dmp
-
memory/3524-155-0x0000000000000000-mapping.dmp
-
memory/3652-159-0x0000000000000000-mapping.dmp
-
memory/3656-168-0x0000000000000000-mapping.dmp
-
memory/3672-133-0x0000000000000000-mapping.dmp
-
memory/3792-135-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3792-138-0x0000000074FD0000-0x0000000075581000-memory.dmpFilesize
5.7MB
-
memory/3792-134-0x0000000000000000-mapping.dmp
-
memory/3792-143-0x0000000074FD0000-0x0000000075581000-memory.dmpFilesize
5.7MB
-
memory/3844-149-0x0000000000000000-mapping.dmp
-
memory/3920-140-0x0000000000000000-mapping.dmp
-
memory/3964-145-0x0000000000000000-mapping.dmp
-
memory/4112-151-0x0000000000000000-mapping.dmp
-
memory/4396-175-0x0000000000000000-mapping.dmp
-
memory/4404-166-0x0000000000000000-mapping.dmp
-
memory/4428-164-0x0000000000000000-mapping.dmp
-
memory/4748-172-0x0000000000000000-mapping.dmp
-
memory/5092-163-0x0000000000000000-mapping.dmp