Analysis
- max time kernel: 211s
- max time network: 219s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 01:33

Behavioral task: behavioral1
Sample: 3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe
Resource: win7-20221111-en
General
- Target: 3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe
- Size: 280KB
- MD5: 06be18d854c8c6a2733db1469520d665
- SHA1: a30cc7275ae6e1dd785962b77a5e7b93d3cebb8d
- SHA256: 3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4
- SHA512: 5bc214f20157549321d6b6d3ace2c8d561b1a1cd3db850b3398f52a7ac7024b9ce716be6939c34dc2e1c53eafd0ca57febd4bc601b86dc52f7dc0734620b89c9
- SSDEEP: 6144:cvXDhyuTZH8du/SvNgl515vPHWQCBhRNnv6axAu3B3CXj3ks:c/DhyuKE515vPpCHRNnvBOu31+
Malware Config
Signatures
YARA matches (resource / yara_rule):
- behavioral2/memory/1916-132-0x0000000000400000-0x00000000004DD000-memory.dmp: upx
- behavioral2/memory/1916-134-0x0000000000400000-0x00000000004DD000-memory.dmp: upx

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
IoCs (process: 3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe):
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7729E040-054E-4E23-B08E-24DFD713CE1B}
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7729E040-054E-4E23-B08E-24DFD713CE1B}\Noexplorer = "1"
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
IoCs (process: msedge.exe):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Modifies registry class (17 IoCs)
IoCs (description / registry path / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B}\InprocServer32\ThreadingModel = "Apartment" (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B} (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}\InprocServer32 (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B} (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\Windows8.dll" (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}\ = "MS" (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}\InprocServer32 (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6} (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B}\InprocServer32 (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\1.dll" (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B}\ = "MS" (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B}\ (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}\ (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6}\InprocServer32\ThreadingModel = "Apartment" (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7D16E04-F8D4-4528-A1DF-63D8551F47F6} (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7729E040-054E-4E23-B08E-24DFD713CE1B}\InprocServer32 (3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
IoCs (pid / process):
- 4696 msedge.exe
- 4696 msedge.exe
- 3552 msedge.exe
- 3552 msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
IoCs (pid / process):
- 3552 msedge.exe
- 3552 msedge.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
IoCs (pid / process):
- 3552 msedge.exe
- 3552 msedge.exe
- 3552 msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
IoCs (description / pid / process / target process):
3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exemsedge.exedescription pid process target process PID 1916 wrote to memory of 3552 1916 3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe msedge.exe PID 1916 wrote to memory of 3552 1916 3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe msedge.exe PID 3552 wrote to memory of 3380 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 3380 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory 
of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 2188 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4696 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4696 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 
msedge.exe msedge.exe PID 3552 wrote to memory of 4088 3552 msedge.exe msedge.exe
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3c9773b0e8501577244f91e44afc5ee80cb3eafd9888e50ad9b8bcd1e7a933c4.exe"
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious use of WriteProcessMemory

  Process (depth 2): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.vibeflog.com/maggatinha/p/23410497
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84f7446f8,0x7ff84f744708,0x7ff84f744718

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13519833424515282931,10777997098597614217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,13519833424515282931,10777997098597614217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,13519833424515282931,10777997098597614217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 /prefetch:8

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13519833424515282931,10777997098597614217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13519833424515282931,10777997098597614217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1

    Process (depth 3): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13519833424515282931,10777997098597614217,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5264 /prefetch:2

Process (depth 1): C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \??\pipe\LOCAL\crashpad_3552_FOEITDQBSDMVSHFT
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1796-145-0x0000000000000000-mapping.dmp
- memory/1916-132-0x0000000000400000-0x00000000004DD000-memory.dmp
  Filesize: 884KB
- memory/1916-134-0x0000000000400000-0x00000000004DD000-memory.dmp
  Filesize: 884KB
- memory/2188-137-0x0000000000000000-mapping.dmp
- memory/2632-143-0x0000000000000000-mapping.dmp
- memory/3380-135-0x0000000000000000-mapping.dmp
- memory/3480-146-0x0000000000000000-mapping.dmp
- memory/3552-133-0x0000000000000000-mapping.dmp
- memory/4088-141-0x0000000000000000-mapping.dmp
- memory/4696-138-0x0000000000000000-mapping.dmp